01-25-2018 11:04 AM
ISE - 2.3 Patch
iOS 11.2.2 and iOS 10.x
Tested on the above OS
BYOD flow works until installing the client certificate, which fails with the error "Profile Installation Failed".
I have tried re-generating the ISE Root CA and the problem persists.
Any idea?
Wing Churn
01-25-2018 11:09 AM
If this is with a self-signed cert, it will fail due to Apple's updated security mechanisms. It doesn't happen with a well-known cert.
You will need to go to General > About > Certificate Trust Settings after going through BYOD and manually trust the server cert,
then go through the BYOD flow again.
01-25-2018 11:12 AM
You can use the Mobility Deep Dive or Secure Access Wizard flow in dCloud to see a correct config with a well-known cert working fine.
http://cs.co/selling-ise-demos
01-26-2018 07:21 PM
Tested that and the issue remains. Any other idea?
By the way, Windows endpoints work out just fine.
01-26-2018 07:33 PM
Is the server certificate used for admin and portals self-signed or using an internal enterprise PKI?
Otherwise, it would NOT help to Trust manually installed certificate profiles in iOS - Apple Support
When signed by a well-known CA, please ensure the root CA certificate imported to ISE is self-signed and in the List of available trusted root certificates in iOS 11
01-27-2018 07:09 PM
I am using ISE out-of-the-box self-signed certificate for both admin and portal.
If I understand correctly, even with in-house Microsoft PKI, I will still get the same error? The only way around it will be getting a well-known CA signed certificate?
Thanks
Wing Churn
01-27-2018 07:19 PM
Correct.
With well-known CA, please take care of importing the root certificate that is in the trusted list in the iOS.
01-27-2018 07:25 PM
Thanks for the swift response. By the way, does Android have the same issue?
01-28-2018 03:11 PM
This issue is so far found to be specific to Apple iOS. ISE BYOD on Apple iOS is using Over-the-Air (OTA) provisioning without an app (Network Setup Assistant (NSA) or Supplicant Provisioning Wizard (SPW)) like what we are employing on other client OSes.
01-29-2018 04:34 PM
Hi Hsing,
I am facing the same issue for Android too. Is this issue the same as iOS?
By the way, do we have official Apple information that self-signed/internal PKI is not supported?
Thanks
Wing Churn
01-29-2018 04:51 PM
Trust manually installed certificate profiles in iOS - Apple Support is from Apple.
I do not think Android has the same issue. I've forwarded you an internal link on Android. The conditions are ISE 2.2+, Android 6+, and the latest NSA for Android at the Google Play Store.
03-08-2018 10:12 AM
Hi, please, I have this issue with my iPad. Funny thing is the iPhone is fine but the iPad keeps bringing this error. How can I solve this error?
03-12-2018 07:53 AM
Managed to get the certificate as per hslai's steps. You will need to manually trust the CA if you are using a self-signed certificate or any certificate NOT from an Apple-trusted CA.
03-12-2018 08:24 AM
I have done this a thousand times and it still comes back as failed... I am using ISE 2.2 with Patch 5. It's really frustrating.
03-12-2018 08:30 AM
I did receive the same error once even after trusting the ISE certificate in iOS. What I did was regenerate the ISE Root CA; maybe I messed up the CA during numerous testing.