Posts

Post not yet marked as solved
3 Replies
1.3k Views
We are experiencing an issue on several devices when attempting an enrollment to Mobile Device Management (MDM). The device is communicating, but it appears there is a problem with certificates that won't allow the enrollment to complete. Automated Device Enrollment (ADE, formerly DEP) enrollments do not work either.

Failure to enroll in MDM is occurring on the following types of devices:
- Big Sur M1 Architecture
- Big Sur Intel Architecture
- Catalina

Console log below of before, during, and after an attempt for MDM enrollment on a device experiencing this issue:

error 13:33:38.859611-0600 CertificateService Server capabilities lack support for 3DES but we're going to use it anyway
error 13:33:39.240005-0600 CertificateService Error (-26275) decrypting response payload
error 13:33:39.240183-0600 CertificateService ProcessRequestCertSignatureResponse: No certificate received
error 13:33:39.240703-0600 CertificateService [ERROR] : [MDM_SCEP_Enroll] Calling SCEPCopyCertificate --  NSOSStatusErrorDomain:-25300
error 13:33:39.274025-0600 mdmclient [ERROR] PlugIn: InstallPayload [CertificateService] Error: Error Domain=NSOSStatusErrorDomain Code=-25300 "errKCItemNotFound / errSecItemNotFound:  / The item cannot be found." UserInfo={IsInternalError=true}
error 13:33:39.292742-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
error 13:33:39.340017-0600 kernel Sandbox: coreaudiod(220) deny(1) file-read-metadata /Library/Keychains
error 13:33:39.371452-0600 mdmclient CPProfileManager.installProfile returning error -25300 (private)
error 13:33:39.392812-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ProfilePurgatory
error 13:33:39.392968-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ProfilePurgatory/D1BA2076-4015-4062-BF9A-45474D415341_19975F4D-F21E-44C5-BC98-1F7F4A48AE70.mobileconfig.profilepurgatory
Posted by FruitMan.
Post not yet marked as solved
2 Replies
470 Views
When a device goes through the Setup Assistant, the Remote Management Screen is bypassed. These devices' serial numbers are present and assigned to the correct MDM Server in their respective ASM/ABM accounts. The above is affecting both brand new devices and devices that are being re-formatted.

Affected macOS versions:
- Mojave
- Catalina
- Big Sur

It's been observed that waiting for an extended period in the Setup Assistant after choosing a Wi-Fi connection can lead to the Remote Management Screen appearing and successfully enrolling into the MDM Server. Later attempted in a faster manner, that same workflow would lead to no Remote Management Screen whatsoever.
Posted by FruitMan.