...
Device profiles with certificates fail to install during Workspace ONE UEM enrollment. A "Profile Installation Failed" error is present on the device.

While devices may initially appear to enroll into Workspace ONE UEM successfully, it is later discovered that profile(s) with certificates that were expected to be assigned to the device during enrollment have not been pushed to the device.
The failure of profiles with certificates to install during Workspace ONE enrollment may occur for the following reasons:

- The devices that are being enrolled are locked and/or offline.
- Previous enrollments are ahead in the queue to receive the profile and they have not yet successfully obtained it.
To resolve this issue, determine whether there are earlier enrollments queued for the profile. For all impacted devices (earlier queued enrollments and current attempted enrollments), ensure each device is both:

- Unlocked (this can be verified within the Workspace ONE UEM Console or on the device itself)
- Online and communicating with Workspace ONE successfully (this can be verified within the Workspace ONE UEM Console or on the device itself)
As of Workspace ONE UEM Console version 9.1, all profiles with certificates (such as WiFi profiles and VPN profiles) follow a batching logic which involves a number of steps. This is applicable for all device platforms.

Once the profile is pushed, an installation command is requested on the device and, if it involves a Certificate Authority (CA), a request to generate a new certificate is made to the CA. In order for a certificate profile to be pushed to the device, the device needs to be unlocked during that time and communicating with Workspace ONE (requiring the device to be online). If that is not the case, the status will be marked as on-hold. At this stage, an attempt will be made to push the profile after some time has passed. This process will update the status to queued as the CA response is awaited. Afterwards, if the device accepts the command, the status will be updated to pending install and then show as installed.

The device scheduler is a component of this process and is responsible for making these commands available so that the devices can start receiving the installation request.

Note: If devices are already present in the queue with the same profile listed in on-hold status, the more recent enrollments will move to the on-hold status (even if the devices are unlocked), because the devices that have been in the queue the longest will receive the profile first and must do so successfully before the more recent enrollments can receive it. This is as intended based on how the batching logic was designed.

For additional information on how to solve Workspace ONE enrollment issues, please refer to Troubleshooting common enrollment issues in Workspace ONE.
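The following triage example is added here and is not VMware code or a Workspace ONE API call. It applies the queueing behaviour described above to a constructed list of device/profile rows, ordering on-hold devices per profile by enrollment time and separating those that must be unlocked or brought online from those only waiting behind them. The field names, device names and the `triage` function are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. Field names are hypothetical, not a Workspace ONE schema.
ROWS = [
    {"device": "tab-03", "profile": "Corp-WiFi", "status": "on-hold",
     "enrolled": "2024-03-01T10:00", "unlocked": True, "online": False},
    {"device": "tab-01", "profile": "Corp-WiFi", "status": "on-hold",
     "enrolled": "2024-03-01T08:00", "unlocked": False, "online": True},
    {"device": "tab-02", "profile": "Corp-WiFi", "status": "on-hold",
     "enrolled": "2024-03-01T09:00", "unlocked": True, "online": True},
    {"device": "tab-04", "profile": "Corp-WiFi", "status": "installed",
     "enrolled": "2024-03-01T07:00", "unlocked": True, "online": True},
    {"device": "ph-02", "profile": "Corp-VPN", "status": "on-hold",
     "enrolled": "2024-03-01T11:00", "unlocked": False, "online": False},
    {"device": "ph-01", "profile": "Corp-VPN", "status": "on-hold",
     "enrolled": "2024-03-01T08:30", "unlocked": True, "online": True},
]

def triage(rows):
    """Group on-hold devices per profile, oldest enrollment first, and classify them.

    fix     : locked and/or offline, must be remediated (listed in queue order)
    stalled : unlocked and online, but behind an earlier device that needs fixing
    ready   : unlocked and online with nothing ahead; should go out on the next retry
    """
    held = defaultdict(list)
    for row in rows:
        if row["status"] == "on-hold":
            held[row["profile"]].append(row)

    report = {}
    for profile, queue in held.items():
        queue.sort(key=lambda r: datetime.fromisoformat(r["enrolled"]))
        result = {"fix": [], "stalled": [], "ready": []}
        for row in queue:
            reasons = [label for label, ok in
                       (("locked", row["unlocked"]), ("offline", row["online"])) if not ok]
            if reasons:
                result["fix"].append((row["device"], reasons))
            else:
                result["stalled" if result["fix"] else "ready"].append(row["device"])
        report[profile] = result
    return report

if __name__ == "__main__":
    for profile, result in triage(ROWS).items():
        print(profile, result)
```

Work through each profile's `fix` list from the top, since the oldest queued device has to receive the profile before the devices behind it.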