Overview

In enterprise environments, secure Wi‑Fi access typically relies on device certificates issued by a central PKI and validated via RADIUS. Silverback fully supports this use case and has long provided a native integration with Microsoft Active Directory Certificate Services (ADCS). With the existing ADCS integration, certificate enrollment is performed using Microsoft’s standard interfaces (DCOM/RPC).

While this integration remains the recommended approach for Microsoft‑based PKI environments, Silverback 26.1 extends its capabilities with SCEP proxy support for Android Enterprise devices. This allows organizations to integrate with PKI infrastructures that expose certificate enrollment exclusively via SCEP, without requiring devices to communicate directly with the certificate authority. 

With the SCEP proxy approach, Silverback acts as an intermediary between the device and the certificate authority, enabling centralized management, consistent security handling, and seamless integration into existing Wi‑Fi (EAP‑TLS) deployment scenarios.

Requirements

• Minimum installed Silverback 26.1
• Minimum Companion Version 26.1.0.11
• Devices must be enrolled via Android Enterprise (Device Owner)

Before you Start

Before configuring the SCEP proxy integration, there are several preparatory steps that are strongly recommended. While none of these steps are strictly mandatory, completing them in advance can significantly reduce troubleshooting effort and help identify potential issues early in the process. These preparatory actions ensure a smoother setup experience and help avoid common pitfalls during SCEP enrollment.

Coordinate with Your PKI Administrator

Before configuring the SCEP proxy integration, it is strongly recommended to align with your PKI administrator and review the required setup together.
Certificate enrollment via SCEP is highly dependent on the configuration of the underlying PKI and Certificate Authority (CA). Parameters such as the SCEP endpoint, challenge configuration, certificate templates, and subject naming must be correctly defined on the CA side before integration in Silverback can succeed. Working together with the PKI administrator ensures that:

• The correct SCEP endpoint is identified and reachable
• Required parameters such as challenge secrets or templates are properly configured
• The CA is prepared to issue certificates that match the intended authentication scenario 

For demonstration purposes, the following example shows a simple SCEP configuration using a Smallstep CA. This illustrates the basic structure and parameters.

Get Ready for Companion Live Logs

During testing and validation of the SCEP enrollment process, it is highly recommended to monitor the Companion logs in real time. The certificate enrollment workflow involves multiple steps, such as CSR generation, communication with the SCEP endpoint, and certificate installation, which are best observed directly on the device. Reviewing live logs significantly simplifies troubleshooting and helps identify issues quickly. To enable live log monitoring:

• Install ADB (Android Debug Bridge) on your workstation
• Enable Developer Options on the Android Enterprise device
• Activate USB debugging
• Connect the device to your workstation
• Run adb logcat -s "SilverbackMDM:I"

You can then stream the Companion logs in real time to observe the complete enrollment process. For detailed instructions on how to set up and view live logs, refer to the following Knowledge Base article: View Live Logs for Companion on Android Enterprise. 

Validate SCEP Endpoint

Before configuring and testing the SCEP integration in Silverback, it is essential to validate the SCEP endpoint independently. To ensure a reliable setup, the validation should ideally be performed from the Silverback server itself. This helps to identify potential network‑related issues, such as firewall restrictions, DNS resolution problems, or missing connectivity to the Certificate Authority. Alternatively, the validation can also be performed from a workstation that has network connectivity to the SCEP endpoint. This approach is useful to verify that the endpoint itself is reachable and functioning correctly, independent of the MDM environment. The step is to verify the SCEP endpoint behavior by executing standard SCEP operations, as these operations can be tested using tools such as Postman or any other HTTP client capable of performing API requests. Testing the endpoint in this way allows you to confirm that the Certificate Authority responds correctly before integrating it into Silverback.

• Open Postman or any alternative tool that can execute API Calls 
• Now execute the GetCACert API call against your individual SCEP Endpoint
  • https://pki.imagoverum.com/scep/scep?operation=GetCACert
  • The response should look like this:

• Now execute the GetCACaps API call against your individual SCEP Endpoin
  • https://pki.imagoverum.com/scep/scep?operation=GetCACaps
  • The response should look like this:

Create your SCEP Profile

After validating the SCEP endpoint and completing the preparatory steps, the next step is to create a SCEP profile in the Silverback Management Console.
The SCEP profile defines how certificates are requested, processed, and delivered to devices. It contains all required parameters from the Certificate Authority, such as the SCEP endpoint, challenge configuration, and certificate identity settings. This configuration forms the foundation for certificate‑based authentication scenarios and is later referenced in Wi‑Fi profiles to enable EAP‑TLS authentication on Android Enterprise devices.

• Navigate to your Silverback Management Console
• Login as an Administrator
• Select Admin and navigate to SCEP
• Press New SCEP Profile
• Now press save and review the minimum required fields:
  • Name
  • Endpoint URL
  • Challenge
• Enter as Name e.g. Smallstep CA
• Enter your Endpoint URL
  • https://pki.imagoverum.com/scep/scep (e.g. for smallstep)
  • https://pki.imagoverum.com/certsrv/mscep/mscep.dll (e.g. Microsoft NDES)
  • https://pki.imagoverum.com/ejbca/publicweb/apply/scep/wifi-scep/pkiclient.exe (e.g. for EJBCA)
• Enter your Challenge
• Before pressing save, you may need to configure additional settings, as highlighted below.

Configure additional settings

Additional settings, such as certificate identity, certificate templates, and cryptographic parameters—can be configured based on the requirements of your environment and the intended authentication use case. The table below provides an overview of all available configuration options, including examples and descriptions to support the setup process.

• Configure additional settings: 

• Press Save

Review Data

After saving the SCEP profile, Silverback will automatically attempt to retrieve information from the configured SCEP endpoint. To verify that the setup is correct, press edit on your SCEP profile and review the CA Data section. If the configuration and connectivity are working as expected, you should see information similar to the following:

Create a new Wi-Fi Configuration

After successfully creating and validating the SCEP profile, the next step is to configure a Wi‑Fi profile that uses the SCEP Profile for issuing certificates for authentication.

Create a new Tag

• Navigate to Tags and press New Tag
• Enter a name, e.g. EAP-TLS Wi-Fi
• Enable the Profile Feature
• Enable at least one target Device Type, e.g. Android and/or Samsung Knox
• Press Save

Create a new Wi-Fi Profile

• Navigate to Profile
• Select Wi-Fi
• Press New Wi-Fi profile
• Enable Wi-Fi Settings
• Enter your SSID
• Select as Security Type WPA/WPA2/WPA3 Enterprise
• Select your required EAP Method

Configure WPA Enterprise Settings

• Now configure your additional and required WPA Enterprise Settings

• Select SCEP Certificate as Certificate Type
• Select your recently created SCEP Profile
• Press Save
• Confirm with Yes

Deploy and Review 

After configuring the SCEP profile and Wi‑Fi settings, the final step is to deploy the configuration to a test device and validate the end‑to‑end enrollment process. During deployment, the device will automatically:

• Receive the Wi‑Fi profile  
• Trigger the SCEP enrollment process  
• Request and install the certificate  
• Apply the Wi‑Fi configuration using EAP‑TLS  

This step verifies that all components—network connectivity, SCEP configuration, and Wi‑Fi settings—are working together as expected. In the following sections, you will assign the configuration to a device, monitor the profile installation, and validate the certificate enrollment directly on the device.

Assign the Tag

As usual, you have multiple options to assign the Tag. You can either navigate back to Definition tab inside the Tag and press the Associated Devices button to Attach More Devices or you can navigate to the Devices tab and press the Tag button in the Actions column. After you verified the Profile with one or more test devices, you can also enable the Auto Population for the Tag. For additional information, please refer to Tags Guide Part I: Create and Deploy. For demonstration purposes, we will go to the Devices tab and manually assign the Tag to the test device

Review Profile Installation

After assigning the Tag to a device, the next step is to verify that the profile is successfully applied and that the SCEP enrollment process is triggered as expected. At this stage, Silverback sends the configured Wi‑Fi profile to the device, which initiates the certificate enrollment and applies the network configuration. Monitoring the profile installation allows you to quickly identify whether the deployment was successful or if any issues occurred during the process. In the following steps, you will refresh the device state, review the profile installation status, and analyze potential errors if the configuration cannot be applied.

Refresh the Device

Once the tag has been assigned, you can press Refresh from the device overview. When the device is online and will contact the Server, you should see an Install Profile request type containing a Privileges Profile.

In case something is going wrong with the Profile Installation, the Status is showing an Error and you can click on the error chain and might see something like this: 

Network SSID: "Straight Outta Office". Can't install network due to invalid config. Reason: ADD_WIFI_CONFIG_FAILURE

This typically doesn't mean that the certficiate also failed, so it's now time to review the Companion Logs

Review Companion Logs

At this stage, you should already have ADB installed and the device connected with USB debugging enabled, as described in the Before You Start section. Reviewing the Companion logs in real time is the most effective way to validate the end‑to‑end SCEP enrollment process and to identify potential issues during deployment. During profile installation, the device performs the following steps:

• Retrieves the CA certificate chain from the SCEP endpoint  
• Requests the SCEP challenge
• Generates a key pair and Certificate Signing Request (CSR)  
• Submits the SCEP request via Silverback  
• Receives and installs the issued certificate  
• Applies the Wi‑Fi configuration using the enrolled certificate  

By monitoring the logs, you can follow this entire process step‑by‑step and quickly determine whether the certificate enrollment and Wi‑Fi configuration are working as expected.

• From your command line, type adb logcat -s "SilverbackMDM:I"
• Review the logs for the Privileges section to see the complete process of receiving the SCEP profile, generating the CSR, and the communication between Silverback and the server to obtain the certificate.

05-19 16:28:41.381 10302 10616 I SilverbackMDM: -> Applying profile: Privileges
05-19 16:28:41.382 10302 10616 I SilverbackMDM: --> Installing wifi networks. Size: 1
05-19 16:28:41.431 10302 10616 I SilverbackMDM: --> SCEP: Starting enrollment for WiFi SSID=Wi-Fi SSID, ScepConfigurationId=3, subject=CN=sebastian.sziegel%40m42cloud.eu, configHash=-961207588
05-19 16:28:41.433 10302 10616 I SilverbackMDM: SCEP_SERVICE: Fetching CA certificate chain from /scep/ca endpoint (ScepConfigurationId=3)
05-19 16:28:41.829 10302 10616 I SilverbackMDM: SCEP_SERVICE: CA cert chain received (3148 chars)
05-19 16:28:41.832 10302 10616 I SilverbackMDM: SCEP_SERVICE: Fetching SCEP challenge from /scep/challenge endpoint (ScepConfigurationId=3)
05-19 16:28:42.253 10302 10616 I SilverbackMDM: SCEP_SERVICE: SCEP challenge received
05-19 16:28:42.255 10302 10616 I SilverbackMDM: SCEP_SERVICE: Generating CSR (keyLength=2048, hasChallenge=true)
05-19 16:28:42.482 10302 10616 I SilverbackMDM: SCEP_SERVICE: CSR generated successfully
05-19 16:28:42.485 10302 10616 I SilverbackMDM: SCEP_SERVICE: Parsed 2 CA certificate(s) from chain
05-19 16:28:42.485 10302 10616 I SilverbackMDM: SCEP_SERVICE: Selected encryption cert: CN=Example Intermediate CA
05-19 16:28:42.552 10302 10616 I SilverbackMDM: SCEP_SERVICE: SCEP PKCSReq message built successfully (3468 chars Base64)
05-19 16:28:42.553 10302 10616 I SilverbackMDM: SCEP_SERVICE: Submitting SCEP request to backend (ScepConfigurationId=3)
05-19 16:28:42.902 10302 10616 I SilverbackMDM: SCEP_SERVICE: SCEP request accepted. EventId=5cb165a0-8abe-4e15-b6b7-5d1250019eb3
05-19 16:28:42.904 10302 10616 I SilverbackMDM: SCEP_SERVICE: Starting to poll for certificate (eventId=5cb165a0-8abe-4e15-b6b7-5d1250019eb3, interval=3000ms)
05-19 16:28:45.908 10302 10616 I SilverbackMDM: SCEP_SERVICE: Certificate poll attempt 1
05-19 16:28:46.329 10302 10616 I SilverbackMDM: SCEP_SERVICE: Certificate received successfully (6304 chars)
05-19 16:28:46.333 10302 10616 I SilverbackMDM: --> SCEP: Enrollment successful for ScepConfigurationId=3. Parsing CertRep...
05-19 16:28:46.406 10302 10616 I SilverbackMDM: --> SCEP: CertRep pkiStatus=0, failInfo=null (ScepConfigurationId=3)
05-19 16:28:46.407 10302 10616 I SilverbackMDM: --> SCEP: Successfully parsed certificate: CN=sebastian.sziegel%40m42cloud.eu (ScepConfigurationId=3)
05-19 16:28:46.409 10302 10616 I SilverbackMDM: --> SCEP: Credentials persisted for ScepConfigurationId=3, configHash=-961207588
05-19 16:28:46.410 10302 10616 I SilverbackMDM: --> NativeAndroid. Wifi network install: Wi-Fi SSID
05-19 16:28:46.412 10302 10616 I SilverbackMDM: --> Using SCEP credentials for WiFi SSID=Wi-Fi SSID, ScepConfigurationId=3
05-19 16:28:46.532 10302 10616 I SilverbackMDM: --> installKeyPairViaDpm: alias=scep_wifi_3, SSID=Wi-Fi SSID, result=true
05-19 16:28:46.655 10302 10616 I SilverbackMDM: ---> AddNetworkResult: 0. Id: 1
05-19 16:28:46.658 10302 10616 I SilverbackMDM: --> Added network Wi-Fi SSID. Result Id: 1

Review SCEP Logs

In addition to the Companion logs on the device, it is recommended to review the logs or output provided by your Certificate Authority during the SCEP enrollment process. Depending on the PKI solution in use, the available level of detail and log format may vary. Most Certificate Authorities provide some form of visibility into issued certificates, requests, or enrollment events. For example, the following screenshot shows a successful certificate issuance using a Smallstep CA. In this case, a certificate was issued for the subject sebastian.sziegel@m42cloud.eu.

This confirms that:

• The SCEP request was successfully processed by the Certificate Authority  
• The certificate was issued for the correct identity  
• The end-to-end communication between device, Silverback, and the CA is working as expected  

The appearance and structure of this view may differ depending on the PKI solution (e.g. Microsoft NDES, EJBCA, Smallstep), but all implementations should provide a way to verify successful certificate issuance.

Review Certificate

After verifying the SCEP enrollment process in the logs, the final step is to confirm that the certificate has been successfully installed on the device. At this stage, the certificate should already be available in the Android KeyStore and linked to the configured Wi‑Fi profile. Verifying the certificate directly on the device ensures that the enrollment process completed successfully and that the certificate can be used for authentication. In the following steps, you will locate the installed certificate on the device and verify that it matches the expected identity (e.g. subject or user information) and has been properly provisioned by the SCEP configuration.

View Certificate in Companion

• On your Android Enterprise device, launch Companion
• Open the Menu by pressing the hamburger menu on the top left
• Select Profiles
• Press the three dots at the Certificates Profile
• Press Details
• Locate your Certificate that is store in the WiFi Key Store

View Certificate in Android Settings

• Open Settings and navigate to Security & privacy
• Select More security & privacy
• Select Encryption & credentials, followed by User Credentials
• You should see here now some certificates
  • One is the private key, names as scep_wifi_X, where X is the Profile ID in the Silverback Management Console
  • One is the actual certificate
  • One is the CA certificate 

Example Log Scenarios

The following examples show typical SCEP and Wi‑Fi deployment scenarios as reflected in the Companion logs.These examples are intended to help interpret log output and identify the stage at which issues occur during the enrollment and configuration process.

Regular Compliance Check

Description: The system verifies that all required Wi‑Fi networks and associated certificates are present and valid.

Key Indicators:

• Wi‑Fi compliance check started
• All managed networks are present
• Certificates are valid

05-19 14:41:52.519  6031  6478 I SilverbackMDM: --> WiFi Compliance: Starting check
05-19 14:41:52.585  6031  6478 I SilverbackMDM: --> WiFi Compliance: All 1 managed networks are present and SCEP certificates are valid.
05-19 14:41:52.586  6031  6478 I SilverbackMDM: =========> MdmEngine Finished

Automatic Certificate Renewal

Description: The existing certificate is either expired or has reached the configured renewal threshold, triggering automatic re-enrollment.

Key Indicators:

• Certificate marked for renewal
• Previous credentials removed
• New enrollment process started
• New certificate installed successfully

05-19 14:35:51.058  6031  6478 I SilverbackMDM: --> WiFi Compliance: Starting check
05-19 14:35:51.132  6031  6478 I SilverbackMDM: --> WiFi Compliance: SCEP certificate expired or within renewal threshold for ScepConfigurationId=1, SSID=Wi-Fi SSSID (notBefore: Tue May 19 13:50:55 GMT+02:00 2026, notAfter: Wed May 20 13:51:55 GMT+02:00 2026, renewalPct=99%). Marking for re-enrollment.
05-19 14:35:51.133  6031  6478 I SilverbackMDM: --> WiFi Compliance: 1 network(s) need SCEP certificate renewal.
05-19 14:35:51.134  6031  6478 I SilverbackMDM: --> WiFi Compliance: Removing stale SCEP credential for ScepConfigurationId=1 (hashChanged=false, expired/renewal=true)
05-19 14:35:51.135  6031  6478 I SilverbackMDM: SCEP_SERVICE: Fetching CA certificate chain from /scep/ca endpoint (ScepConfigurationId=1)
05-19 14:35:51.527  6031  6478 I SilverbackMDM: SCEP_SERVICE: CA cert chain received (3148 chars)
05-19 14:35:51.532  6031  6478 I SilverbackMDM: SCEP_SERVICE: Fetching SCEP challenge from /scep/challenge endpoint (ScepConfigurationId=1)
05-19 14:35:52.104  6031  6478 I SilverbackMDM: SCEP_SERVICE: SCEP challenge received
05-19 14:35:52.109  6031  6478 I SilverbackMDM: SCEP_SERVICE: Generating CSR (keyLength=4096, hasChallenge=true)
05-19 14:35:52.805  6031  6478 I SilverbackMDM: SCEP_SERVICE: CSR generated successfully
05-19 14:35:52.807  6031  6478 I SilverbackMDM: SCEP_SERVICE: Parsed 2 CA certificate(s) from chain
05-19 14:35:52.807  6031  6478 I SilverbackMDM: SCEP_SERVICE: Selected encryption cert: CN=Example Intermediate CA
05-19 14:35:52.853  6031  6478 I SilverbackMDM: SCEP_SERVICE: SCEP PKCSReq message built successfully (5076 chars Base64)
05-19 14:35:52.854  6031  6478 I SilverbackMDM: SCEP_SERVICE: Submitting SCEP request to backend (ScepConfigurationId=1)
05-19 14:36:03.091  6031  6478 W SilverbackMDM: SCEP_SERVICE: submitScepRequest - SocketTimeoutException: timeout (attempt 1/3)
05-19 14:36:16.057  6031  6478 I SilverbackMDM: SCEP_SERVICE: SCEP request accepted. EventId=1982f98a-469f-4fde-9d89-934fbff90995
05-19 14:36:16.061  6031  6478 I SilverbackMDM: SCEP_SERVICE: Starting to poll for certificate (eventId=1982f98a-469f-4fde-9d89-934fbff90995, interval=3000ms)
05-19 14:36:19.067  6031  6478 I SilverbackMDM: SCEP_SERVICE: Certificate poll attempt 1
05-19 14:36:19.937  6031  6478 I SilverbackMDM: SCEP_SERVICE: Certificate received successfully (7200 chars)
05-19 14:36:19.941  6031  6478 I SilverbackMDM: --> WiFi Compliance: SCEP re-enrollment successful for ScepConfigurationId=1. Parsing CertRep...
05-19 14:36:20.028  6031  6478 I SilverbackMDM: --> SCEP: CertRep pkiStatus=0, failInfo=null (ScepConfigurationId=1)
05-19 14:36:20.029  6031  6478 I SilverbackMDM: --> SCEP: Successfully parsed certificate: CN=540125290299 (ScepConfigurationId=1)
05-19 14:36:20.032  6031  6478 I SilverbackMDM: --> SCEP: Credentials persisted for ScepConfigurationId=1, configHash=-1426745512
05-19 14:36:20.033  6031  6478 I SilverbackMDM: --> NativeAndroid. Wifi network install: Wi-Fi SSSID
05-19 14:36:20.034  6031  6478 I SilverbackMDM: --> Using SCEP credentials for WiFi SSID=Wi-Fi SSSID, ScepConfigurationId=1
05-19 14:36:20.249  6031  6478 I SilverbackMDM: --> installKeyPairViaDpm: alias=scep_wifi_1, SSID=Wi-Fi SSSID, result=true
05-19 14:36:20.418  6031  6478 I SilverbackMDM: ---> AddNetworkResult: 0. Id: 2
05-19 14:36:20.420  6031  6478 I SilverbackMDM: --> WiFi Compliance: Reinstalled SSID=Wi-Fi SSSID with networkId=2
05-19 14:36:20.422  6031  6478 I SilverbackMDM: --> WiFi Compliance: Check completed.
05-19 14:36:20.423  6031  6478 I SilverbackMDM: =========> MdmEngine Finished

Removing Configuration and SCEP Artifacts

Description: The configuration is removed from the device, including all associated Wi‑Fi settings and SCEP‑related credentials.

Key Indicators:

• Privileges Profile removal started  
• SCEP certificates and CA certificates are deleted  
• SCEP key pairs are removed from the Android KeyStore  

Note: This scenario confirms that all managed artifacts are properly cleaned up when the configuration is removed. It ensures that no outdated certificates or Wi‑Fi configurations remain on the device.

05-19 16:20:52.285 10668 12454 I SilverbackMDM: -> Removing profile: Privileges
05-19 16:20:52.286 10668 12454 I SilverbackMDM: --> Removing shortcut: App Store
05-19 16:20:52.288 10668 12454 I SilverbackMDM: --> Removing user WiFi certificates
05-19 16:20:52.289 10668 12454 I SilverbackMDM: --> Removing CA WiFi certificates
05-19 16:20:52.289 10668 12454 I SilverbackMDM: --> Removing SCEP key pairs from Android KeyStore
05-19 16:20:52.369 10668 12454 I SilverbackMDM: --> removeScepKeyPairsViaDpm: alias=scep_wifi_3, removed=true
05-19 16:20:52.369 10668 12454 I SilverbackMDM: --> Removing expired SCEP credentials (keeping valid ones for hash comparison)
05-19 16:20:52.371 10668 12454 I SilverbackMDM: --> Removing managed Wifi networks

Configuration Change and Re‑Enrollment

Description:   A change in the SCEP triggers a re‑enrollment process on the device.

Key Indicators:

• Configuration hash change detected  
• Previous configuration marked as outdated  
• New SCEP enrollment process initiated  
• Certificate re‑issued and installed  
• Wi‑Fi network reconfigured successfully  

Note:  
This behavior ensures that any changes to the SCEP profile are applied to the device. The device detects configuration differences and performs a full re‑enrollment to maintain consistency.

05-19 16:22:14.386 10668 12454 I SilverbackMDM: -> Applying profile: Privileges
05-19 16:22:14.387 10668 12454 I SilverbackMDM: --> Installing wifi networks. Size: 1
05-19 16:22:14.438 10668 12454 I SilverbackMDM: --> SCEP: Config hash changed (stored=1811398850, incoming=1030390584) for ScepConfigurationId=3. Re-enrolling...
05-19 16:22:14.439 10668 12454 I SilverbackMDM: --> SCEP: Starting enrollment for WiFi SSID=Wi-Fi SSID, ScepConfigurationId=3, subject=CN=sebastian.sziegel%40m42cloud.eu, configHash=1030390584
05-19 16:22:14.439 10668 12454 I SilverbackMDM: SCEP_SERVICE: Fetching CA certificate chain from /scep/ca endpoint (ScepConfigurationId=3)
05-19 16:22:14.932 10668 12454 I SilverbackMDM: SCEP_SERVICE: CA cert chain received (3148 chars)
05-19 16:22:14.934 10668 12454 I SilverbackMDM: SCEP_SERVICE: Fetching SCEP challenge from /scep/challenge endpoint (ScepConfigurationId=3)
05-19 16:22:15.488 10668 12454 I SilverbackMDM: SCEP_SERVICE: SCEP challenge received
05-19 16:22:15.491 10668 12454 I SilverbackMDM: SCEP_SERVICE: Generating CSR (keyLength=2048, hasChallenge=true)
05-19 16:22:15.703 10668 12454 I SilverbackMDM: SCEP_SERVICE: CSR generated successfully
05-19 16:22:15.704 10668 12454 I SilverbackMDM: SCEP_SERVICE: Parsed 2 CA certificate(s) from chain
05-19 16:22:15.705 10668 12454 I SilverbackMDM: SCEP_SERVICE: Selected encryption cert: CN=Example Intermediate CA
05-19 16:22:15.744 10668 12454 I SilverbackMDM: SCEP_SERVICE: SCEP PKCSReq message built successfully (3468 chars Base64)
05-19 16:22:15.745 10668 12454 I SilverbackMDM: SCEP_SERVICE: Submitting SCEP request to backend (ScepConfigurationId=3)
05-19 16:22:16.130 10668 12454 I SilverbackMDM: SCEP_SERVICE: SCEP request accepted. EventId=d9bb1c7c-545c-4e07-ac9e-0dea4c40ab81
05-19 16:22:16.132 10668 12454 I SilverbackMDM: SCEP_SERVICE: Starting to poll for certificate (eventId=d9bb1c7c-545c-4e07-ac9e-0dea4c40ab81, interval=3000ms)
05-19 16:22:19.135 10668 12454 I SilverbackMDM: SCEP_SERVICE: Certificate poll attempt 1
05-19 16:22:19.567 10668 12454 I SilverbackMDM: SCEP_SERVICE: Certificate received successfully (6304 chars)
05-19 16:22:19.571 10668 12454 I SilverbackMDM: --> SCEP: Enrollment successful for ScepConfigurationId=3. Parsing CertRep...
05-19 16:22:19.637 10668 12454 I SilverbackMDM: --> SCEP: CertRep pkiStatus=0, failInfo=null (ScepConfigurationId=3)
05-19 16:22:19.639 10668 12454 I SilverbackMDM: --> SCEP: Successfully parsed certificate: CN=sebastian.sziegel%40m42cloud.eu (ScepConfigurationId=3)

Certificate Successfully Enrolled but one Wi‑Fi Configuration Failed

Description: The device successfully obtains a certificate, but the Wi‑Fi configuration fails to install.

Key Indicators:

• Certificate received successfully
• SCEP enrollment completed
• Wi‑Fi installation error (e.g. ADD_WIFI_CONFIG_FAILURE)

Note: This scenario typically indicates an issue with the Wi‑Fi configuration rather than the certificate enrollment process.

05-19 16:14:20.683 10668 12454 I SilverbackMDM: -> Applying profile: Privileges
05-19 16:14:20.683 10668 12454 I SilverbackMDM: --> Installing wifi networks. Size: 2
05-19 16:14:20.740 10668 12454 I SilverbackMDM: --> SCEP: Starting enrollment for WiFi SSID=Wi-Fi SSID, ScepConfigurationId=3, subject=CN=sebastian.sziegel%40m42cloud.eu, configHash=-1977150402
05-19 16:14:20.745 10668 12454 I SilverbackMDM: SCEP_SERVICE: Fetching CA certificate chain from /scep/ca endpoint (ScepConfigurationId=3)
05-19 16:14:21.230 10668 12454 I SilverbackMDM: SCEP_SERVICE: CA cert chain received (3148 chars)
05-19 16:14:21.232 10668 12454 I SilverbackMDM: SCEP_SERVICE: Fetching SCEP challenge from /scep/challenge endpoint (ScepConfigurationId=3)
05-19 16:14:21.700 10668 12454 I SilverbackMDM: SCEP_SERVICE: SCEP challenge received
05-19 16:14:21.702 10668 12454 I SilverbackMDM: SCEP_SERVICE: Generating CSR (keyLength=2048, hasChallenge=true)
05-19 16:14:21.865 10668 12454 I SilverbackMDM: SCEP_SERVICE: CSR generated successfully
05-19 16:14:21.868 10668 12454 I SilverbackMDM: SCEP_SERVICE: Parsed 2 CA certificate(s) from chain
05-19 16:14:21.868 10668 12454 I SilverbackMDM: SCEP_SERVICE: Selected encryption cert: CN=Example Intermediate CA
05-19 16:14:21.952 10668 12454 I SilverbackMDM: SCEP_SERVICE: SCEP PKCSReq message built successfully (3468 chars Base64)
05-19 16:14:21.953 10668 12454 I SilverbackMDM: SCEP_SERVICE: Submitting SCEP request to backend (ScepConfigurationId=3)
05-19 16:14:22.329 10668 12454 I SilverbackMDM: SCEP_SERVICE: SCEP request accepted. EventId=15723a5e-f5db-4f15-9239-583f31426db7
05-19 16:14:22.331 10668 12454 I SilverbackMDM: SCEP_SERVICE: Starting to poll for certificate (eventId=15723a5e-f5db-4f15-9239-583f31426db7, interval=3000ms)
05-19 16:14:25.335 10668 12454 I SilverbackMDM: SCEP_SERVICE: Certificate poll attempt 1
05-19 16:14:25.775 10668 12454 I SilverbackMDM: SCEP_SERVICE: Certificate received successfully (6304 chars)
05-19 16:14:25.780 10668 12454 I SilverbackMDM: --> SCEP: Enrollment successful for ScepConfigurationId=3. Parsing CertRep...
05-19 16:14:25.870 10668 12454 I SilverbackMDM: --> SCEP: CertRep pkiStatus=0, failInfo=null (ScepConfigurationId=3)
05-19 16:14:25.871 10668 12454 I SilverbackMDM: --> SCEP: Successfully parsed certificate: CN=sebastian.sziegel%40m42cloud.eu (ScepConfigurationId=3)
05-19 16:14:25.874 10668 12454 I SilverbackMDM: --> SCEP: Credentials persisted for ScepConfigurationId=3, configHash=-1977150402
05-19 16:14:25.875 10668 12454 I SilverbackMDM: --> NativeAndroid. Wifi network install: Straight Outta Office
05-19 16:14:25.880 10668 12454 I SilverbackMDM: ---> AddNetworkResult: 4. Id: -1
05-19 16:14:25.880 10668 12454 E SilverbackMDM: Network SSID: "Straight Outta Office". Can't install network due to invalid config.
05-19 16:14:25.880 10668 12454 E SilverbackMDM: Reason: ADD_WIFI_CONFIG_FAILURE
05-19 16:14:25.881 10668 12454 I SilverbackMDM: --> Added network Straight Outta Office. Result Id: -2
05-19 16:14:25.882 10668 12454 I SilverbackMDM: --> NativeAndroid. Wifi network install: Wi-Fi SSID
05-19 16:14:25.883 10668 12454 I SilverbackMDM: --> Using SCEP credentials for WiFi SSID=Wi-Fi SSID, ScepConfigurationId=3
05-19 16:14:26.013 10668 12454 I SilverbackMDM: --> installKeyPairViaDpm: alias=scep_wifi_3, SSID=Wi-Fi SSID, result=true
05-19 16:14:26.125 10668 12454 I SilverbackMDM: ---> AddNetworkResult: 0. Id: 1
05-19 16:14:26.128 10668 12454 I SilverbackMDM: --> Added network Wi-Fi SSID. Result Id: 1