MDM Enrollment Can't Be Completed on macOS Devices

We are experiencing an issue on several devices when attempting an enrollment to Mobile Device Management (MDM). The device is communicating, but it appears there is a problem with certificates that won't allow the enrollment to complete. Automated Device Enrollment (ADE, formerly DEP) enrollments do not work either. Failure to enroll in MDM is occurring on the following types of devices:
  • Big Sur M1 Architecture
  • Big Sur Intel Architecture
  • Catalina

Console log below from before, during, and after an MDM enrollment attempt on a device experiencing this issue:

error 13:33:38.859611-0600 CertificateService Server capabilities lack support for 3DES but we're going to use it anyway
error 13:33:39.240005-0600 CertificateService Error (-26275) decrypting response payload
error 13:33:39.240183-0600 CertificateService ProcessRequestCertSignatureResponse: No certificate received
error 13:33:39.240703-0600 CertificateService [ERROR] <: [MDM_SCEP_Enroll] Calling SCEPCopyCertificate -->  <NSOSStatusErrorDomain:-25300>
error 13:33:39.274025-0600 mdmclient [ERROR] <<<<< PlugIn: InstallPayload [CertificateService] Error: Error Domain=NSOSStatusErrorDomain Code=-25300 "errKCItemNotFound / errSecItemNotFound:  / The item cannot be found." UserInfo={IsInternalError=true} <<<<<
error 13:33:39.292742-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
error 13:33:39.340017-0600 kernel Sandbox: coreaudiod(220) deny(1) file-read-metadata /Library/Keychains
error 13:33:39.371452-0600 mdmclient CPProfileManager.installProfile returning error -25300 (<private>)
error 13:33:39.392812-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ProfilePurgatory
error 13:33:39.392968-0600 kernel System Policy: WSDaemon(130) deny(1) file-read-metadata /private/var/db/ConfigurationProfiles/Store/ProfilePurgatory/D1BA2076-4015-4062-BF9A-45474D415341_19975F4D-F21E-44C5-BC98-1F7F4A48AE70.mobileconfig.profilepurgatory


Post by FruitMan (not yet marked as solved)

Replies

Can you please file a feedback with a sysdiagnose so we can investigate?

Feedback filed: FB9038684

I'm getting this same error. Anyone have a resolution?