Looks like everything can be found here
https://github.com/apple/device-management/tree/release
"make sure the server specified in the EnrollmentProfileURL provides a complete certificate chain, not just a leaf certificate"
it does
"Also, make sure that AnchorCertificateAssetReferences is correct. AnchorCertificateAssetReferences is a list of pinned certificates. If AnchorCertificateAssetReferences contains any entries, the server's certificate must chain up to one of those referenced certificates."
I have tested this by including the leaf, intermediate, and root certificates individually and together (3 different assets included in the anchor cert list). It still is not working. BTW, the server cert is chained to a trusted CA (as far as I know).
leaf is signed by the following intermediate:
CN = Thawte TLS RSA CA G1
OU = www.digicert.com
O = DigiCert Inc
C = US
and the intermediate is signed by the following root CA which is self signed root and should be trusted (unless there is something I don't know):
CN = DigiCert Global Root G2
OU = www.digicert.com
O = DigiCert Inc
C = US
In any event, even if any of the certs are not trusted, including them in the anchor cert list should implicitly trust them. I've been able to enroll on my local Windows IIS deployment with a self signed root/intermediate/leaf with no problem by including them in the anchor list.
I'm seeing this as well in the past 48 hours with multiple apps. It happened with Google chrome a couple of days ago, but after 24 hours, the app installed. I'm now seeing it with a number of other apps including Google Maps, Microsoft Excel, AccuLynx Field Roofing, Microsoft Outlook.