I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web ser
I got in touch with Apple about this.
Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment. According to Apple you need two separate certificates (which means two SCEP enrollments) - one for OTA enrollment, and one for MDM enrollment.
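
A sketch of the profile the answer describes, as an added example that is not part of the original post or Apple's own code: it builds the post-OTA profile with a second SCEP payload and an MDM payload whose `IdentityCertificateUUID` points at it, then checks that link. The URLs, challenge, topic and `com.example.*` identifiers are constructed placeholders, and the function names are hypothetical.

```python
import plistlib
import uuid

def new_uuid():
    return str(uuid.uuid4()).upper()

def build_mdm_profile(scep_url, challenge, server_url, checkin_url, topic):
    """Build the profile sent after OTA enrollment: SCEP payload + MDM payload."""
    scep_uuid = new_uuid()
    scep = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.scep",  # placeholder identifier
        "PayloadUUID": scep_uuid,
        "PayloadContent": {
            "URL": scep_url,
            # Separate from the OTA enrollment: this is a second SCEP
            # enrollment, so it gets its own challenge and its own key.
            "Challenge": challenge,
            "Subject": [[["CN", "MDM Identity"]]],
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,  # 1 = signing, 4 = encryption
        },
    }
    mdm = {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.mdm",  # placeholder identifier
        "PayloadUUID": new_uuid(),
        # Binds the MDM identity to the certificate issued by the SCEP payload.
        "IdentityCertificateUUID": scep_uuid,
        "ServerURL": server_url,
        "CheckInURL": checkin_url,
        "Topic": topic,
        "AccessRights": 8191,
        "SignMessage": True,
    }
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.mdm", "PayloadUUID": new_uuid(),
               "PayloadDisplayName": "MDM enrollment",
               "PayloadContent": [scep, mdm]}
    return plistlib.dumps(profile)

def identity_is_linked(profile_bytes):
    """True if each MDM payload references a SCEP payload in the same profile."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    scep_ids = {p["PayloadUUID"] for p in payloads
                if p["PayloadType"] == "com.apple.security.scep"}
    mdm = [p for p in payloads if p["PayloadType"] == "com.apple.mdm"]
    return bool(mdm) and all(p.get("IdentityCertificateUUID") in scep_ids for p in mdm)
```

Running `identity_is_linked` on the profile before signing and serving it catches an MDM payload that points at a certificate the profile never installs.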