You are trying to push a profile to an iOS device and you get an error message "MDM Profile cannot be installed" on the managed device. It is to be noted that the certificate must be TLS 1.2 enabled to enroll iOS devices.
You might get this error message, due to one of the following reasons:
You need to repeat the enrollment process, after the issue has been resolved.
Check if the steps to manually install MDM Profile on the device have been followed correctly by the user. To verify, the user has to navigate to Settings->General->Profile->MDM Profile on the device. If the Profile is not installed, the user has to click on Install.
Check whether the Third-Party Certificate is configured properly in the MDM server. In case you are using an intermediate certificate, ensure that the intermediate chain is configured properly. Refer Third-Party Certificate Troubleshooting for detailed information.
If you're using third-party certificates in MDM Server, ensure the same is configured in the Secure Gateway as well.
Ensure NAT has been configured properly as the FQDN must be accessible outside the corporate network. Use the full address as received in the mail, instead of the IP, to ensure that the NAT is reachable. Also, ensure the requisite HTTPS ports and other requisite ports are not blocked by firewall/proxy.
This error occurs when the date/time settings in the device and/or server is not in sync with the time settings specified in the certificate. Ensure the date/time settings are correct in both the device and server. If the server has incorrect time, re-configure the NAT again.
You are trying to enroll an iOS device and get the error message "New MDM Payload does not match with the old one".
This error occurs when the device is already enrolled with MDM.
If this error is displayed, you need to perform the below steps on the device: