Mobile Device Enrollment Error: "Invalid Profile" or "Invalid Certificate"

Symptoms

When installing an MDM profile on a mobile device, one of the following error messages is displayed:
  • "Invalid Profile"

  • A long message containing "Invalid Certificate"

Explanation

When enrolling a mobile device with Jamf Pro, trust is established to allow encrypted communication. If Jamf Pro fails to establish trust, enrollment fails and an error message with "Invalid Profile" or "Invalid Certificate" is displayed on the device.

There are two scenarios that can cause this issue:
  • The SSL certificate in Jamf Pro is self-signed

  • The CA certificate is not being installed on the device during enrollment
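To tell the two scenarios apart, compare the issuer and subject of the web server certificate, then check whether it validates against the CA certificate the device is expected to trust. The script below is an added example, not Jamf's own tooling; the function names, the host name jamf.example.test and the "Example Built-in CA" are assumptions made for illustration, and the certificates it generates are constructed samples.

```shell
#!/bin/sh
# Added example (not from Jamf): diagnose which enrollment trust scenario applies.
# Requires the openssl command-line tool.

# classify_cert FILE: prints "self-signed" when issuer and subject are identical,
# "ca-issued" when they differ, "unreadable" if FILE is not a PEM certificate.
classify_cert() {
    cert=$1
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { echo unreadable; return 2; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 2>/dev/null) \
        || { echo unreadable; return 2; }
    # Drop the "subject=" / "issuer=" labels so only the names are compared.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed      # scenario 1: nothing on the device vouches for it
    else
        echo ca-issued        # scenario 2 candidate: device needs the CA certificate
    fi
}

# trusted_with CA_FILE CERT_FILE: succeeds only if CERT_FILE chains to CA_FILE,
# which is the check a device can pass once the CA certificate is installed.
trusted_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_sample_certs DIR: writes constructed sample certificates into DIR.
make_sample_certs() {
    d=$1
    # self.pem: a self-signed web server certificate (constructed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=jamf.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null &&
    # ca.pem: stand-in for a built-in CA (constructed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Built-in CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    # leaf.pem: web server certificate issued by that CA (constructed).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=jamf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}
```

Run classify_cert on a PEM export of your own server's certificate; a "ca-issued" result together with a failing trusted_with check against the CA certificate delivered at enrollment points to the second scenario.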

Resolution

If your web server certificate is self-signed, there are two ways to resolve the issue:
  • Replace the web server certificate in Jamf Pro with the certificate from Jamf Pro's built-in CA.

  • Install a public certificate from a third-party CA.

If the root CA certificate is not being installed on the device during enrollment, ensure that certificate installation is not being skipped during enrollment in Jamf Pro.

Replace the Web Server Certificate in Jamf Pro with the Certificate from the JSS's Built-in CA

  1. Log in to Jamf Pro.
  2. Click Settings.
  3. Click System Settings.
  4. Click Apache Tomcat Settings.
  5. Click Edit.
  6. Ensure that Change the SSL certificate used for HTTPS is selected, and then click Next.
  7. Ensure that Generate a certificate from the JSS's built-in CA is selected, and then click Next.
  8. Click Done.
  9. Restart Tomcat.

    See Starting and Stopping Tomcat for instructions.

Ensure that Users Install the CA Certificate During Enrollment

  1. Log in to Jamf Pro.
  2. Click Settings.
  3. Click Global Management.
  4. Click User-Initiated Enrollment.
  5. Click Edit.
  6. On the General pane, ensure that the Skip certificate installation during enrollment checkbox is NOT selected, and then click Save.