We do OTA MDM management, and during the SCEP portion, we started getting failures on iOS 11. After investigation, it appears that iOS 11 is *not* encoding the "+" or "/" characters that show up in the "message" field of a PKIOperation request. This seems to be incorrect, since the last paragraph of section 4.1 of the SCEP specification (https://www.ietf.org/id/draft-gutmann-scep-06.txt) states:
When using GET messages to communicate binary data, base64 encoding as specified in [2] MUST be used. The base64 encoded data is distinct from "base64url" and may contain URI reserved characters, thus it MUST be escaped as specified in [8] in addition to being base64 encoded. Finally, the encoded data is inserted into the MESSAGE portion of the HTTP GET request.
The reference "[8]" is to RFC 2396 (https://tools.ietf.org/html/rfc2396) - and in section 3.4, that reads:
Within a query component, the characters ";", "/", "?", ":", "@", "&", "=", "+", ",", and "$" are reserved.
It seems to me that this is a bug in iOS - but I'm wondering if anyone else has encountered this issue.
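Added example, not part of the original post: a Python sketch of how an unescaped "+" in the `message` parameter can break decoding, assuming the server parses the query string with form-style rules (where "+" means space), next to a percent-only decode that accepts both forms. The `/scep` path, the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import quote, unquote, parse_qs, urlsplit

# Constructed stand-in for a DER message; the bytes are chosen so that the
# base64 text ("++++///+MII=") contains "+", "/" and "=".
SAMPLE_DER = bytes([0xFB, 0xEF, 0xBE, 0xFF, 0xFF, 0xFE, 0x30, 0x82])


def build_get_url(der, escape):
    """Build a PKIOperation GET URL, with or without URI escaping."""
    b64 = base64.b64encode(der).decode("ascii")
    msg = quote(b64, safe="") if escape else b64
    return "/scep?operation=PKIOperation&message=" + msg


def form_decode(url):
    """Form-style query parsing (assumed server behaviour): '+' -> ' '.

    Returns the decoded bytes, or None when the base64 text was corrupted.
    """
    text = parse_qs(urlsplit(url).query)["message"][0]
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def percent_only_decode(url):
    """Undo %XX escapes only, so a literal '+' in the query survives."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "message":
            return base64.b64decode(unquote(value), validate=True)
    raise KeyError("message")


if __name__ == "__main__":
    for escape in (True, False):
        url = build_get_url(SAMPLE_DER, escape)
        print(url)
        print("  form-style  :", form_decode(url))
        print("  percent-only:", percent_only_decode(url))
```
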