AES Encryption Breaks Enrollment vs. 3DES

We are in the process of replacing the TripleDES algorithm with AES in our MDM solution. However, after switching the encryption algorithm, we encountered the following error on Apple devices during enrollment:

Error: "-26275 error decrypting response payload (mdmclient(SCEP))"

Do Apple devices support AES encryption during the enrollment process, or are there any known limitations that prevent its use?

Technical Details:

During enrollment, when the device attempts to install the Management Profile, it requests the MDM server to retrieve the device certificate from the SCEP URL.

We send the certificate by creating Enveloped CMS content, using TripleDES as the algorithm identifier. If we switch the algorithm to AES, we observe the error mentioned above.

We are also using TripleDES when preparing the CMS content for the enrollment profile, which works without issues.
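Added example (not from this post or any MDM product): a small Python script that builds a minimal CMS EnvelopedData shaped like the SCEP response described above and reads back its contentEncryptionAlgorithm OID, so you can confirm what the server actually emits before and after switching algorithms. The DER helpers, sample IVs/ciphertext and the empty recipientInfos set are constructed for illustration; it walks only the fields shown and is not a full CMS parser.

```python
# Added example (constructed): report the contentEncryptionAlgorithm OID of a CMS EnvelopedData.
OID_NAMES = {"1.2.840.113549.3.7": "des-ede3-cbc (TripleDES)",
             "2.16.840.1.101.3.4.1.2": "aes128-CBC"}
DER_OID = {  # DER bodies of the OIDs the builder needs
    "envelopedData": bytes.fromhex("2a864886f70d010703"),  # 1.2.840.113549.1.7.3
    "data": bytes.fromhex("2a864886f70d010701"),           # 1.2.840.113549.1.7.1
    "1.2.840.113549.3.7": bytes.fromhex("2a864886f70d0307"),
    "2.16.840.1.101.3.4.1.2": bytes.fromhex("608648016503040102"),
}

def tlv(tag, body):  # DER tag + length (short or long form) + body
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_enveloped(alg, iv, ciphertext):
    # ContentInfo{envelopedData}; recipientInfos left empty in this constructed sample
    alg_id = tlv(0x30, tlv(0x06, DER_OID[alg]) + tlv(0x04, iv))
    eci = tlv(0x30, tlv(0x06, DER_OID["data"]) + alg_id + tlv(0x80, ciphertext))
    env = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, b"") + eci)
    return tlv(0x30, tlv(0x06, DER_OID["envelopedData"]) + tlv(0xA0, env))

def parse_tlv(buf, pos):  # -> (tag, body, offset just past this element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):  # DER OID body -> dotted string
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, head + arcs[1:]))

def content_encryption_alg(der):
    # ContentInfo -> [0] EnvelopedData -> encryptedContentInfo -> contentEncryptionAlgorithm
    _, ci, _ = parse_tlv(der, 0)
    _, _, p = parse_tlv(ci, 0)                      # contentType (envelopedData)
    _, env, _ = parse_tlv(parse_tlv(ci, p)[1], 0)   # unwrap [0] EXPLICIT, then SEQUENCE
    _, _, p = parse_tlv(env, 0)                     # version
    _, _, p = parse_tlv(env, p)                     # recipientInfos (originatorInfo not handled)
    _, eci, _ = parse_tlv(env, p)                   # encryptedContentInfo
    _, _, p = parse_tlv(eci, 0)                     # contentType (data)
    _, alg_oid, _ = parse_tlv(parse_tlv(eci, p)[1], 0)  # AlgorithmIdentifier.algorithm
    dotted = decode_oid(alg_oid)
    return dotted, OID_NAMES.get(dotted, "unknown")
```

Point `content_encryption_alg` at the DER bytes your SCEP endpoint returns (after base64-decoding if needed) to see which OID the device is being handed.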
