During typical iOS Device enrollment, SCEP certificates are issued to iOS devices with a generic subject. The serial number of the certificate will be unique but not easy to identify for a specific device or user.
The NDES requests a unique certificate but only the serial number differentiates the certificates. The serial number is not a convenient way to trace the certificate to the device.
In MMCM 7.x, you can use a variable in the SCEP configuration. Authentication must be enabled for this variable to work.
Symantec Mobile Management for Configuration Manager 7.x