Unable to enroll any device when using Certificate based authentication

Article ID: CTX229215

Description

Enrollment fails for every platform. During enrollment, the XenMobile Server (XMS) logs show that the user identity certificate could not be obtained because the CSR could not be signed; the device is then unenrolled and a selective wipe is triggered:

2017-09-10T10:11:12.45+0100 | 32A9CFAD5515A088 | ERROR | http-nio-10443-exec-3 | com.sparus.nps.ios.agent.V10AgentHandler | getUserIdentityCert: Unable to process request. Could not sign CSR 
2017-09-10T10:11:12.182+0100 | 32A9CFAD5515A088 | INFO | http-nio-10443-exec-5 | com.sparus.nps.ios.agent.V7AgentHandler | unenroll started for device 791 
2017-09-10T10:11:12.249+0100 | 32A9CFAD5515A088 | INFO | http-nio-10443-exec-5 | com.sparus.nps.ios.agent.V7AgentUtils | Processing unenrolldevice. Triggering selective wipe. 
2017-09-10T10:11:12.261+0100 | 32A9CFAD5515A088 | INFO | http-nio-10443-exec-5 | com.zenprise.zdm.core.devicecontroller.internal.AbstractDeviceControllerImpl | Initiating wipe for device ABC12345678910


The IIS logs on the CA server that issues the certificates show every certificate request from XMS (user agent ZDM-certsrv/1.0, POST to /certsrv/certfnsh.asp) being rejected with HTTP status 403 and substatus 17 (the sc-status and sc-substatus fields of the W3C log):

2017-09-10 10:11:11 10.136.25.104 POST /certsrv/certfnsh.asp - 443 - 10.0.0.1 ZDM-certsrv/1.0 - 403 17 2148204801 78 
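The following is an added example, not part of the Citrix article: a small parser for IIS W3C extended log lines that flags the client-certificate 403 substatus codes (403.7, 403.12, 403.13, 403.16, 403.17) and decodes the decimal sc-win32-status beside them into the HRESULT name. The log lines embedded in it are constructed, modelled on the line quoted above; the field order comes from the #Fields: header when one is present.

```python
"""Flag client-certificate 403s in IIS W3C extended logs (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Default IIS W3C field order with the common fields enabled. A real log carries
# a "#Fields:" header and the parser below prefers that over this assumption.
DEFAULT_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
    "time-taken"
).split()

# IIS 403 substatus codes that relate to client-certificate authentication.
SUBSTATUS_403 = {
    7: "Client certificate required",
    12: "Mapper denied access",
    13: "Client certificate revoked",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
}

# sc-win32-status is a decimal HRESULT; these CAPI codes accompany 403.13/16/17.
WIN32_STATUS = {
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x80092010: "CRYPT_E_REVOKED",
}

# Constructed sample: the first line mirrors the article's log entry, the other
# two are made up to show a successful request and a different failure.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-09-10 10:11:11 10.136.25.104 POST /certsrv/certfnsh.asp - 443 - 10.0.0.1 ZDM-certsrv/1.0 - 403 17 2148204801 78
2017-09-10 10:11:13 10.136.25.104 GET /certsrv/ - 443 - 10.0.0.1 ZDM-certsrv/1.0 - 200 0 0 15
2017-09-10 10:11:14 10.136.25.104 POST /certsrv/certfnsh.asp - 443 - 10.0.0.1 ZDM-certsrv/1.0 - 403 16 2148204809 40
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    uri: str
    user_agent: str
    substatus: int
    win32_status: int
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the field names in effect."""
    fields: List[str] = list(DEFAULT_FIELDS)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of mis-aligning columns
        yield dict(zip(fields, values))


def find_client_cert_403s(lines: Iterable[str]) -> List[Finding]:
    """Return the 403 entries whose substatus points at the client certificate."""
    findings: List[Finding] = []
    for rec in parse_w3c(lines):
        if rec.get("sc-status") != "403":
            continue
        sub = int(rec.get("sc-substatus", "0"))
        if sub not in SUBSTATUS_403:
            continue
        win32 = int(rec.get("sc-win32-status", "0"))
        name = WIN32_STATUS.get(win32, "unknown")
        findings.append(Finding(
            time=f"{rec['date']} {rec['time']}",
            client_ip=rec["c-ip"],
            uri=rec["cs-uri-stem"],
            user_agent=rec["cs(User-Agent)"],
            substatus=sub,
            win32_status=win32,
            reason=f"403.{sub} {SUBSTATUS_403[sub]} (win32 0x{win32:08X} {name})",
        ))
    return findings


if __name__ == "__main__":
    for f in find_client_cert_403s(SAMPLE_LOG.splitlines()):
        print(f"{f.time} {f.client_ip} {f.user_agent} {f.uri}: {f.reason}")
```

Point it at the CA server's u_ex*.log files (one line per request) and filter on the XMS user agent; a burst of 403.17 entries from the XMS address with win32 status 0x800B0101 is the expiry case described in this article, whereas 403.16 with 0x800B0109 would mean the CA does not trust the issuer of the certificate XMS presents.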


Resolution

Microsoft documents the IIS 403 substatus codes in this article (https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/21079107-1740-470e-a933-23a45494b8ba.mspx?mfr=true); 403.17 means:
17 - Client certificate has expired or is not yet valid.

The sc-win32-status in the same log entry, 2148204801, is 0x800B0101 (CERT_E_EXPIRED), which confirms that the certificate XMS presented to the CA had expired rather than being untrusted or revoked.

The client certificate that XMS presents to the CA's web enrollment endpoint (certsrv) when requesting user certificates had expired. A renewed certificate had already been imported into XMS, but the PKI Entity configuration in the XMS console still referenced the old one, so every request was still authenticated with the expired certificate.

Once the PKI Entity was changed to use the renewed certificate, enrollment succeeded. Because the expiry of this one certificate stops enrollment for all platforms and ends each attempt in a selective wipe of the device, its expiry date is worth tracking alongside the other XMS server certificates.

Problem Cause

The client certificate that XMS uses to authenticate to the CA when requesting user certificates had expired. It had to be replaced on XMS, and the PKI Entity had to be pointed at the replacement.