I have successfully enrolled Android devices through my MDM server without a Relay in my architecture.
I have also configured the certificates for Apple as per the documentation.
However, the enrollment still fails.
We find the following in the device console log when we use the iPhone Configuration Utility:
Jan 21 15:15:45 SAP-Mobilitys-iPhone profiled <Notice>: (Note ) MC: Enrolling in OTA Profile service...
Jan 21 15:15:50 SAP-Mobilitys-iPhone profiled <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:
Desc : Invalid Profile
US Desc: Invalid Profile
Domain : MCProfileErrorDomain
Code : 1000
Type : MCFatalError
The Network Device Enrollment Services installation may need to be refreshed.
Go to Server Manager > Roles > Active Directory Certificate Services, remove the "Role Services" entry for "Network Device Enrollment Services", then re-install it and reboot.
Also make sure
HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword DWORD = 0
and also ensure that the Certificate Authority is configured and working in the CA MDM Admin UI.