MDM enrollment failing for iOS and Android devices, but MAM enrollment works fine

Article ID: CTX219083

Description

On iOS, enrollment fails during the second profile installation with the error "Profile installation failed: profile failed to install".
On Android, Secure Hub shows "Access to your company network is not available".

Enrolling directly against the Gateway (MAM-only enrollment) works fine.

The XenMobile server-side logs show:
 | | INFO | http-nio-10080-exec-8 | com.sparus.nps.ios.agent.V9AgentUtils | Client has not supplied identity. Sending 417.

Android Secure Hub logs show:
"Secure Hub","ERROR     ( 2)","AuthManagerMDM:No access to company network msg displayed : StatusCode  500 while MDM authentication",4854,6780,Secure Hub,  ,  ,0

iOS Secure Hub logs show:
<MDM>,ERROR (2),__48-[X1MDMEnrollFlowController createSecureSession]_block_invoke,"request to  resulted in httpResponse 417",Active,com.apple.main-thread,403,Secure Hub,/jenkins/workspace/iOS_X1_Dist_X1_Rel_10.4.0/Me@Work/Me@Work/Controller/X1MDMEnrollFlowController.m,1215

A packet trace taken on the connection to the XenMobile server will also show HTTP 417 responses from the XenMobile server.

Resolution

Enabling Client Authentication under SSL Parameters on the MDM load-balancing (LB) vServer on port 443 fixed the issue.
Also make sure Client Certificate is set to Mandatory, so that the vServer requires the device to present its client certificate for certificate-based authentication.

NOTE: If, after applying the above, a trace to the XenMobile server shows 403 errors, set Client Certificate to Optional instead of Mandatory.

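The following script is an added worked example and is not part of the Citrix article. From any machine with OpenSSL it checks whether the MDM vServer actually asks for a client certificate during the TLS handshake (the condition the Resolution above turns on), and prints the NetScaler CLI equivalent of the GUI settings when it does not. The FQDN mdm.example.com, the vServer name vs_mdm_443 and the CA cert-key name ca_root are placeholders; the sample s_client transcripts are constructed for offline testing. The article does not mention binding the issuing CA to the vServer, so the `bind ssl vserver ... -CA` line is an assumption about what client-certificate authentication needs, not a step from the article.

```shell
#!/usr/bin/env bash
# Added example, not from the Citrix article (CTX219083). Checks whether an SSL
# LB vServer requests a client certificate during the TLS handshake and prints
# the NetScaler CLI equivalent of the Resolution. Host, vServer and CA names are
# placeholders for your environment.

# Classify an `openssl s_client` transcript. After the handshake (and also after
# a handshake that fails in-flight) s_client prints either
#   "Acceptable client certificate CA names"  -> server sent a CertificateRequest
# or
#   "No client certificate CA names sent"     -> no client cert requested / empty CA list
classify_client_auth() {
    local transcript="$1"
    if printf '%s\n' "$transcript" | grep -q 'Acceptable client certificate CA names'; then
        echo requested
    elif printf '%s\n' "$transcript" | grep -q 'No client certificate CA names sent'; then
        echo not-requested
    else
        echo unknown
    fi
}

# Probe a live vServer. TLS 1.2 is forced so the CertificateRequest and its CA
# list are visible in the clear in a packet trace as well as in s_client output.
probe_vserver() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" -tls1_2 </dev/null 2>&1
}

# NetScaler CLI equivalent of: SSL Parameters -> Client Authentication ENABLED,
# Client Certificate Mandatory (pass "Optional" as the third argument if XenMobile
# then returns 403, as the NOTE in the Resolution describes). Binding the issuing
# CA of the device certificates with -CA is assumed, not taken from the article.
remediation_commands() {
    local vserver="$1" ca_certkey="$2" mode="${3:-Mandatory}"
    cat <<EOF
bind ssl vserver ${vserver} -certkeyName ${ca_certkey} -CA
set ssl vserver ${vserver} -clientAuth ENABLED -clientCert ${mode}
show ssl vserver ${vserver}
EOF
}

# Constructed, abridged s_client transcripts used for offline testing.
SAMPLE_CLIENT_AUTH_OFF='CONNECTED(00000003)
---
Server certificate
subject=CN = mdm.example.com
---
No client certificate CA names sent
---
SSL handshake has read 2911 bytes and written 421 bytes'

SAMPLE_CLIENT_AUTH_ON='CONNECTED(00000003)
---
Server certificate
subject=CN = mdm.example.com
---
Acceptable client certificate CA names
CN = XenMobile Device CA, O = Example Corp
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 3088 bytes and written 560 bytes'

# Usage: ./check_mdm_vserver.sh mdm.example.com [vs_mdm_443 ca_root]
if [ -n "${1:-}" ]; then
    result=$(classify_client_auth "$(probe_vserver "$1")")
    echo "client certificate request on $1:443 -> $result"
    if [ "$result" != requested ]; then
        echo "vServer does not request a client certificate; NetScaler CLI to fix it:"
        remediation_commands "${2:-vs_mdm_443}" "${3:-ca_root}"
    fi
fi
```

A vServer that reports "not-requested" is the state described in Problem Cause: the TLS handshake never asks the device for its certificate, so nothing identifies the device to XenMobile. Run the probe again after changing the SSL Parameters and confirm it reports "requested" before retrying enrollment.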

Problem Cause

MDM enrollment was failing because Client Authentication was disabled under the SSL Parameters of the MDM LB vServer on port 443.
With client authentication disabled, the vServer never requests the device's client certificate during the TLS handshake, so the backend XenMobile server cannot identify the client during enrollment (the "Client has not supplied identity" entry in the server log above). The server responds with HTTP 417, which terminates the enrollment and is followed by a selective wipe on the Secure Hub client.

Issue/Introduction

If enrollment fails, profile refresh fails as well, and traces to the XenMobile server show HTTP 417 errors, this indicates a configuration issue with the SSL vServer on port 443.