Enrollment of an iOS5 device fails to install the MDM Profile.
By default, IIS 7/7.5 security is too restrictive to permit iOS5 devices to enroll via SCEP.
With the out-of-the-box settings enrollment will fail with the following error in the Application event log:
Log Name: Application
Event ID: 11
Task Category: None
The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag.
The IIS logs will show something similar to the following line when the iOS5 device attempts to send its certificate enrollment to the NDES server:
2010-11-04 12:43:38 10.28.40.27 GET /certsrv/mscep/mscep.dll
operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJGSIb3DQEHAaCAJIAEggSTMIAG%0 . . . . . EMPlcwhmd8c1XAAAAAAAAA%3D%3D%0A 80 - 10.188.117.101 Settings/1.0+CFNetwork/467.12+Darwin/10.3.1 404 15 0 812
This is a 404.15 (Request Filtering: Denied because query string too long) error and it means that the amount of data being
sent in the HTTP URL is larger than what is allowed by default. In the scenario above, the iPad was sending a string over 2700 characters,
but the default size allowed by the request filtering is 1024. This is so in order to mitigate against buffer overrun attacks.
To change the value you will use the following IIS appcmd.exe command:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"3072" /commit:apphost
Symantec Mobile Management 7.1 SP1
Windows 2008 R2