I'm seeing the same exact behavior. When looking at the network traffic, it appears that OS4 isn't even attempting to send out a packet to enroll the certificate. If you look at the phone log, you'll see quite a bit of error logging that seems to originate with the line:
"unknown lockdownd <Error>: (0x403000) handle_connection: Could not receive internal message #3 from profiled. Killing connection"
Anyone have any luck with this or have a possible workaround?
Hi, we were having the same problem. In our case it was caused by the GetCACaps operation, which is not supported on Microsoft and which, apparently, iOS4 requires an answer to from the CA/SCEP server; if no answer is received it fails with the "Network connection lost." error.
We posted all the info on our company's blog:
Hope this helps you!
I am evaluating MobileIron now, and I cannot seem to get a client authentication certificate to my iPad. I can get a device-based certificate just fine, but that certificate type is not what works for us. What is the certificate type you are using? How are you using it? Do you use it as an authentication mechanism? Or are you using something else to authenticate instead of the certificate?
If you don't feel comfortable disclosing your information on this forum, please feel free to email me or look me up. I work for KLA-Tencor.
To begin with, I've read your post, but I have difficulties understanding whether the use of SCEP is mandatory in my case.
I'm trying to use the OTA mobileconfig to retrieve the UDID of users. I made a mobileconfig and managed to install it on an iDevice; after installing, it calls my PHP script back but with no data (in the GET, POST, FILES variables). Do I need to use SCEP to get data in this answer?
I made a test with a custom mobileconfig script calling back "http://whatismyudid.com/device/enroll" and the data appears, so I think my mobileconfig file is working fine.
Useful article on the Microsoft TechNet Blogs site about iPads / iPhones and talking to a Windows 2008 CA/NDES Server with SCEP.
Do you happen to know how to specify my configuration profile to bypass the GetCACaps?
SubjectAltName has no problem.
GetCACaps doesn't seem to work - my iPhone 5 thought the profile was invalid.
But the doc seems to imply (without examples) that it is possible.
I am using Windows 2008 sp2 NDES. No patch for GetCACaps. Hence I have to work around by specifying the CACapability.
Finally solved my own problem.
I am using Windows 2008 sp2 NDES, which does not have GetCACaps hot fix like Windows 2008 R2.
What I did: proxy all SCEP operations.
In case of GetCACaps, just hardcode the reply (DES3 and SHA-1), such that the iPhone does not choke on Windows NDES's blank response.
Everything else (GetCACert and PKIOperation), just proxy the call to Windows 2008 unchanged and set the appropriate Content-Type per spec.
It was quite a journey, but well worth it.
Also, all the advice on the web about the NDES setup is crucial, especially when you change the settings and bounce one instance (e.g. Domain Controller): you have to bounce the other NDES server too. I came to know this when things didn't work. Then I debugged the Event Logs in NDES.
My advice to others: jscep helps one to understand what's going on behind the scenes, but it may not be practical for actual production-grade deployment. You need to take SCEP admin maintenance into consideration.
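The workaround described in the post above (answer GetCACaps locally, pass GetCACert and PKIOperation through to NDES unchanged, and set the response Content-Type per the SCEP spec), and the earlier observation that iOS fails with "Network connection lost." when GetCACaps gets no usable answer, can be put together as a small HTTP proxy. The code below is an added example, not the poster's own proxy and not part of jscep; the upstream URL, the port and the fake upstream used in the usage line are assumptions. The Content-Type values come from the SCEP specification (RFC 8894): `text/plain` for GetCACaps, `application/x-x509-ca-ra-cert` (or `application/x-x509-ca-cert` for a single certificate) for GetCACert, and `application/x-pki-message` for PKIOperation.

```python
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical upstream NDES endpoint (assumption; replace with the real server).
UPSTREAM_SCEP_URL = "http://ndes.example.internal/certsrv/mscep/mscep.dll"

# Capabilities advertised on behalf of NDES, one per line, as the post describes.
# Only advertise what the CA really supports, or PKIOperation will fail later.
HARDCODED_CACAPS = b"DES3\nSHA-1\n"

# Response Content-Type per SCEP operation (RFC 8894).
CONTENT_TYPES = {
    "GetCACaps": "text/plain",
    "GetCACert": "application/x-x509-ca-ra-cert",
    "PKIOperation": "application/x-pki-message",
}


def handle_scep_request(query_string, body, fetch_upstream):
    """Decide how one SCEP request is answered.

    Returns (status, content_type, payload). fetch_upstream(query_string, body)
    forwards the request to NDES and returns the same triple; it is injected so
    the routing logic can be exercised without a live CA.
    """
    params = urllib.parse.parse_qs(query_string)
    operation = params.get("operation", [None])[0]
    if operation is None:
        return 400, "text/plain", b"missing operation parameter\n"
    if operation == "GetCACaps":
        # NDES on Windows 2008 SP2 answers GetCACaps with a blank body, which
        # iOS rejects; answer it here instead of forwarding.
        return 200, CONTENT_TYPES["GetCACaps"], HARDCODED_CACAPS
    if operation not in CONTENT_TYPES:
        return 400, "text/plain", b"unsupported operation\n"
    status, upstream_type, payload = fetch_upstream(query_string, body)
    if status != 200:
        return status, upstream_type or "text/plain", payload
    content_type = CONTENT_TYPES[operation]
    # A CA that returns a single certificate for GetCACert uses the single-cert
    # type; keep it if NDES already said so, otherwise use the RA-chain type.
    if operation == "GetCACert" and upstream_type == "application/x-x509-ca-cert":
        content_type = upstream_type
    return 200, content_type, payload


def forward_to_ndes(query_string, body):
    """Forward the request to NDES unchanged (GET without body, POST with)."""
    url = UPSTREAM_SCEP_URL + ("?" + query_string if query_string else "")
    req = urllib.request.Request(url, data=body, method="POST" if body else "GET")
    if body:
        req.add_header("Content-Type", "application/x-pki-message")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type"), err.read()


class ScepProxyHandler(BaseHTTPRequestHandler):
    """Serves /?operation=... for both GET and POST and relays the answer."""

    def _serve(self):
        parsed = urllib.parse.urlsplit(self.path)
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        status, ctype, payload = handle_scep_request(parsed.query, body, forward_to_ndes)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = _serve
    do_POST = _serve


if __name__ == "__main__":
    # Constructed fake upstream standing in for NDES, to show the routing offline.
    def fake_ndes(query_string, body):
        return 200, "application/x-x509-ca-ra-cert", b"<PKCS#7 cert chain>"

    print(handle_scep_request("operation=GetCACaps&message=ca", None, fake_ndes))
    # Point the device's SCEP profile at this port instead of NDES directly.
    HTTPServer(("0.0.0.0", 8080), ScepProxyHandler).serve_forever()
```

The device's profile then names the proxy as the SCEP URL, and only GetCACaps is synthesised; everything carrying real PKI data still comes from NDES. DES3 and SHA-1 are what a Windows 2008 NDES can actually do, which is why the post hardcodes them; advertising stronger algorithms the CA cannot handle moves the failure from GetCACaps to PKIOperation rather than fixing it.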