Unable to configure SCEP policy

Problem

You are trying to associate a SCEP policy with Windows devices and get the error "Unable to configure SCEP policy".

Cause

This error occurs for one of the reasons listed below; each is followed by its resolution.

Resolution

SCEP server cannot be contacted

Ensure the server URL specified during profile configuration uses HTTP if the SCEP server is within the organization. Such SCEP servers are usually configured to be accessible only from within the organization and therefore use an internal CA certificate, which means the server can be accessed only over HTTP.

Invalid Subject Name

Ensure the subject name specified while configuring the policy adheres to the format specified here and that the values provided are in double quotes, for example O="Your Company, Inc."

Mismatch in date-time settings

Ensure the time zone configured on the device and on the SCEP server are the same. When the SCEP server has a different time zone, it generates the certificate with all time-based fields, including expiry, computed in the wrong time zone, so the certificate might already be expired when it is distributed to the managed device.

Invalid Thumbprint

Ensure the thumbprint specified while configuring the SCEP policy is correct. It can be verified against the thumbprint shown by your Certificate Authority server (http://<your-server>/CertSrv/mscep_admin and http://<Your-Server>/crtsrv/mscep/mscep.dll).

Invalid Challenge Password

Ensure the challenge password specified while configuring the SCEP policy is correct. It can be verified against the challenge password shown by your Certificate Authority server (http://<your-server>/CertSrv/mscep_admin and http://<Your-Server>/crtsrv/mscep/mscep.dll).

Connectivity Issues

Ensure the device is within the organization if the SCEP server has been configured within the organization. SCEP servers are usually deployed inside the organization for security reasons and can be reached by devices only over the corporate network.

Invalid CSR

This error occurs due to issues with the certificate signing request. Re-distribute the SCEP policy to the affected device(s) and/or group(s).
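The connectivity, thumbprint and date-time checks above can be run from the Windows device itself. The following PowerShell function is an added example, not part of this article or the MDM product; the server URL and thumbprint are placeholders you replace with your own, and it uses the standard SCEP GetCACert operation, which needs no challenge password.

```powershell
# Added diagnostic (not from the original article): verifies SCEP server reachability,
# CA thumbprint and clock skew from a Windows device. Placeholder values are assumptions.
function Test-ScepEnrollmentPrereqs {
    param(
        [string]$ScepUrl            = 'http://<Your-Server>/certsrv/mscep/mscep.dll',  # placeholder
        [string]$ExpectedThumbprint = 'AABBCCDDEEFF00112233445566778899AABBCCDD',       # placeholder
        [int]$MaxClockSkewSeconds   = 300
    )
    $result = [ordered]@{ Reachable = $false; ThumbprintMatch = $false; ClockSkewSeconds = $null }

    # 1. Connectivity: GetCACert is the unauthenticated SCEP operation (RFC 8894).
    try {
        $resp = Invoke-WebRequest -Uri "${ScepUrl}?operation=GetCACert&message=CA" `
                                  -UseBasicParsing -TimeoutSec 15
        $result.Reachable = $true
    } catch {
        Write-Warning "SCEP server not reachable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. Thumbprint: NDES returns a single DER cert or a degenerate PKCS#7 holding the
    #    CA and RA certs; X509Certificate2Collection.Import accepts both encodings.
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($resp.RawContentStream.ToArray())
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $result.ThumbprintMatch = [bool]($certs | Where-Object { $_.Thumbprint -eq $expected })
    $certs | ForEach-Object { Write-Verbose ("Server offered: {0}  {1}" -f $_.Thumbprint, $_.Subject) }

    # 3. Date-time: compare the server's HTTP Date header with the device clock, both in UTC,
    #    so a time-zone mismatch on either side shows up as skew.
    $dateHeader = [string]($resp.Headers['Date'] | Select-Object -First 1)
    if ($dateHeader) {
        $serverUtc = [datetimeoffset]::Parse($dateHeader, [cultureinfo]::InvariantCulture).UtcDateTime
        $result.ClockSkewSeconds = [math]::Round(((Get-Date).ToUniversalTime() - $serverUtc).TotalSeconds)
        if ([math]::Abs($result.ClockSkewSeconds) -gt $MaxClockSkewSeconds) {
            Write-Warning "Clock skew of $($result.ClockSkewSeconds)s; issued certificates may already be expired."
        }
    }
    [pscustomobject]$result
}

Test-ScepEnrollmentPrereqs -Verbose
```

A `ThumbprintMatch` of `$false` with `Reachable` set means the policy points at the wrong CA certificate; a large `ClockSkewSeconds` points at the date-time cause described above.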

If the issue persists, contact MDM support with Server logs as explained here.