Error when combining scep and mdm payloads - enrollment server did not provision valid identity certificate

Question

I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web service in C# .Net and I know that the device can get a valid certificate when I just send the SCEP payload. However when I also include an MDM payload that points to the SCEP payload's UUID via the IdentityCertificateUUID key, I get the following error, "The enrollment server did not provision a valid identity certificate." This configuration is the one that is sent after the user chooses to install the initial enrollment configuration (step 1 of phase 2 in this diagram).

The device doesn't appear to even make an attempt at connecting to my server, and thanks to server side logging I know that it never reaches my SCEP web service page. This seems to indicate that there's something wrong with the certificate I use to sign the payload. I've separately tried signing it with my SSL certificate (from a pre trusted root authority), my customer MDM push certificate (chained from our vendor cert), and my self-signed root certificate authority certificate (created via makecert.exe) that the SCEP service uses to issue new certificates (i.e. device identity certificates).

I've looked at the output from the iPCU (iPhone Configuration Utility) when I create a profile with both the MDM and SCEP payloads, and it isn't a valid profile (I've even tried copying it nearly wholesale). However when I install the profile via the iPCU the error doesn't come up and it begins the SCEP enrollment process without issue.

A side note - using a preexisting MDM vendor is not an option here.

Below is the profile I'm using:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>PayloadContent</key>
          <dict>
            <key>Challenge</key>
            <string>this is a challenge</string>
            <key>Key Type</key>
            <string>RSA</string>
            <key>Key Usage</key>
            <integer>5</integer>
            <key>Keysize</key>
            <integer>1024</integer>
            <key>Name</key>
            <string>mycompany</string>
            <key>Retries</key>
            <integer>3</integer>
            <key>RetryDelay</key>
            <integer>0</integer>
            <key>Subject</key>
            <array><array><array>
              <string>CN</string>
              <string>mycompany</string>
            </array></array></array>
            <key>URL</key>
            <string>https://mysite.com/scep.aspx</string>
          </dict>
          <key>PayloadDescription</key>
          <string>Configures SCEP</string>
          <key>PayloadDisplayName</key>
          <string>SCEP (mycompany)</string>
          <key>PayloadIdentifier</key>
          <string>com.mycompany.mdm.scep1</string>
          <key>PayloadOrganization</key>
          <string></string>
          <key>PayloadType</key>
          <string>com.apple.security.scep</string>
          <key>PayloadUUID</key>
          <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
        <dict>
          <key>AccessRights</key>
          <integer>3</integer>
          <key>CheckInURL</key>
          <string>mysite.com/checkin.aspx</string>
          <key>CheckOutWhenRemoved</key>
          <false/>
          <key>IdentityCertificateUUID</key>
          <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
          <key>PayloadDescription</key>
          <string>Configures MobileDeviceManagement.</string>
          <key>PayloadIdentifier</key>
          <string>com.mycompany.mdm.mdm2</string>
          <key>PayloadOrganization</key>
          <string></string>
          <key>PayloadType</key>
          <string>com.apple.mdm</string>
          <key>PayloadUUID</key>
          <string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>ServerURL</key>
          <string>https://mysite.com/checkin.aspx</string>
          <key>SignMessage</key>
          <false/>
          <key>Topic</key>
          <string>com.apple.mgmt.mypushsubject</string>
          <key>UseDevelopmentAPNS</key>
          <true/>
        </dict>
      </array>
      <key>PayloadDescription</key>
      <string>Profile description.</string>
      <key>PayloadDisplayName</key>
      <string>Test Profile</string>
      <key>PayloadIdentifier</key>
      <string>com.mycompany.mdm</string>
      <key>PayloadOrganization</key>
      <string>mycompany</string>
      <key>PayloadRemovalDisallowed</key>
      <false/>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>13321058-4037-478c-9b1e-ef6f810065cb</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </plist>

Answer 1

I got in touch with Apple about this.

Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment. According to Apple you need two separate certificates (which means two SCEP enrollments) - one for OTA enrollment, and one for MDM enrollment.