MDM Enrollment Can't Be Completed on macOS Devices

We are experiencing an issue on several devices when attempting an enrollment to Mobile Device Management (MDM). The device is communicating, but it appears there is a problem with certificates that won't allow the enrollment to complete. Automated Device Enrollment (ADE, formerly DEP) enrollments do not work either. Failure to enroll in MDM is occurring on the following types of devices:
  • Big Sur M1 Architecture

  • Big Sur Intel Architecture

  • Catalina


Console log below of before, during, and after an attempt for MDM enrollment on a device experiencing this issue:

Code Block language
error 13:33:38.859611-0600 CertificateService Server capabilities lack support for 3DES but we're going to use it anyway
error 13:33:39.240005-0600 CertificateService Error (-26275) decrypting response payload
error 13:33:39.240183-0600 CertificateService ProcessRequestCertSignatureResponse: No certificate received
error 13:33:39.240703-0600 CertificateService [ERROR] <: [MDM_SCEP_Enroll] Calling SCEPCopyCertificate -->  <NSOSStatusErrorDomain:-25300>
error 13:33:39.274025-0600 mdmclient [ERROR] <<<<< PlugIn: InstallPayload [CertificateService] Error: Error Domain=NSOSStatusErrorDomain Code=-25300 "errKCItemNotFound / errSecItemNotFound:  / The item cannot be found." UserInfo={IsInternalError=true} <<<<<
error 13:33:39.292742-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
error 13:33:39.340017-0600 kernel Sandbox: coreaudiod(220) deny(1) file-read-metadata /Library/Keychains
error 13:33:39.371452-0600 mdmclient CPProfileManager.installProfile returning error -25300 (<private>)
error 13:33:39.392812-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ProfilePurgatory
error 13:33:39.392968-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ProfilePurgatory/D1BA2076-4015-4062-BF9A-45474D415341_19975F4D-F21E-44C5-BC98-1F7F4A48AE70.mobileconfig.profilepurgatory


Answers

Can you please file a feedback with a sysdiagnose so we can investigate.
Feedback filed: FB9038684

I'm getting this same error. Anyone have a resolution?