SCEP MDM Profile being removed and issuing new certs
Posted by Jeff-IT@reddit | sysadmin | 7 comments
Hey guys, could use some assistance.
I use Manage Engine MDM.
My setup is
- Offline RootCA
- Domain joined intCA signed by root
- SCEP server on a separate box, using AD CS
I am in the process of creating an NDES/SCEP for our Mac devices and iPads. I got this working.
- Device on IT vlan
- Run profile in MDM
- Profile installs, device gets certificate.
I noticed the next day the VPN profile was gone, and the certificate was gone as well. I look in the MDM logs and see "ndes server not reachable"
I go back to the device and see I left it on the guest network, which has no access to the NDES server.
So my guess here is the device checked in with the MDM, couldn't reach NDES and just failed? I don't know why it tried to reinstall this profile as nothing changed. So I repushed the profile and it caused the device to get a brand new cert, rather than using the one it had.
This is where I'm stuck. This seems like a pretty big issue I don't know how to solve. We have some remote employees, and it's sounding like SCEP/NDES needs to be accessed from the public internet. Otherwise when they are home, they will lose their SCEP, their VPN and then get a brand new cert if I get them reconnected.
Can someone give me some tips? Maybe I missed something? Any advice?
LooseSilverWare@reddit
I have a reverse proxy setup on our azure instance to still push out certs
Cormacolinde@reddit
Yep you need to have external access to SCEP otherwise your devices get into a Catch-22 scenario.
Jeff-IT@reddit (OP)
Yup thanks.
Jeff-IT@reddit (OP)
Thanks. That was my best guess but it just felt… wrong. Being mostly internal and all. I’ll do research on this
LooseSilverWare@reddit
Shared some links!
Jeff-IT@reddit (OP)
Thanks!
LooseSilverWare@reddit
https://learn.microsoft.com/en-us/entra/identity/app-proxy/app-proxy-protect-ndes
https://macnotes.wordpress.com/2020/11/11/configuring-azure-web-application-proxy-for-jamf-pro-scep-certificates/
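The failure mode in this thread (device checks in from a network that cannot reach NDES, the MDM logs "ndes server not reachable", and the SCEP and VPN payloads are dropped) is easiest to catch before pushing the profile. Below is an added pre-flight probe, written for this editorial pass and not code from the thread, ManageEngine, or Microsoft. It issues the SCEP `GetCACaps` request that clients send first (RFC 8894) against the standard AD CS NDES path `/certsrv/mscep/mscep.dll`, and reports whether the endpoint answered at all and which capabilities it advertises. The hostname, the fetch fixtures and the capability names it looks for are assumptions; the sample responses are constructed, not captured from a real NDES. Run it from the guest VLAN or a home connection against the public name of your reverse proxy to confirm remote devices will actually be able to enroll and renew.

```python
"""Pre-flight reachability probe for an NDES/SCEP endpoint (added example, not the thread's code)."""
import ssl
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple

# Default NDES handler path on AD CS. The host name is supplied by the caller.
NDES_PATH = "/certsrv/mscep/mscep.dll"
# Capabilities a current NDES advertises; their absence is flagged, not fatal (assumption).
WANTED_CAPS = {"POSTPKIOperation", "SHA-256"}

Fetch = Callable[[str], Tuple[int, str]]


@dataclass
class ProbeResult:
    reachable: bool                 # got any HTTP response at all
    ok: bool                        # HTTP 200 with a parsable GetCACaps body
    status: Optional[int] = None
    caps: Set[str] = field(default_factory=set)
    missing: Set[str] = field(default_factory=set)
    error: str = ""


def parse_cacaps(body: str) -> Set[str]:
    """GetCACaps is plain text, one capability keyword per line (RFC 8894 3.5.2)."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def live_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET a URL; HTTP error codes are returned rather than raised so 401/403 are visible."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", errors="replace")


def probe_ndes(base_url: str, fetch: Fetch = live_fetch) -> ProbeResult:
    """Ask the NDES server for its SCEP capabilities and classify the outcome."""
    url = f"{base_url.rstrip('/')}{NDES_PATH}?operation=GetCACaps"
    try:
        status, body = fetch(url)
    except (urllib.error.URLError, OSError) as e:
        # DNS failure, no route, refused connection, timeout: the guest-VLAN case.
        return ProbeResult(reachable=False, ok=False, error=str(e))
    if status != 200:
        # Server answered but the request was rejected (proxy or IIS auth misconfiguration).
        return ProbeResult(reachable=True, ok=False, status=status, error=f"HTTP {status}")
    caps = parse_cacaps(body)
    return ProbeResult(reachable=True, ok=bool(caps), status=status,
                       caps=caps, missing=WANTED_CAPS - caps)


# Constructed fixtures so the probe can be exercised offline. Modelled on typical
# NDES output; not captured from a real server.
def fake_fetch_ok(url: str) -> Tuple[int, str]:
    return 200, "POSTPKIOperation\r\nSHA-256\r\nAES\r\n"


def fake_fetch_unreachable(url: str) -> Tuple[int, str]:
    raise urllib.error.URLError("No route to host")


def fake_fetch_denied(url: str) -> Tuple[int, str]:
    return 401, ""


def describe(result: ProbeResult) -> str:
    if not result.reachable:
        return f"UNREACHABLE: {result.error} (devices here will fail SCEP enrollment/renewal)"
    if not result.ok:
        return f"REACHABLE but rejected: {result.error}"
    note = f"; missing {sorted(result.missing)}" if result.missing else ""
    return f"OK: caps={sorted(result.caps)}{note}"


if __name__ == "__main__":
    # Usage: python probe_ndes.py https://ndes.example.invalid   (assumed placeholder host)
    if len(sys.argv) > 1:
        print(describe(probe_ndes(sys.argv[1])))
    else:
        for name, fx in (("ok", fake_fetch_ok), ("down", fake_fetch_unreachable),
                         ("denied", fake_fetch_denied)):
            print(name, "->", describe(probe_ndes("https://ndes.example.invalid", fetch=fx)))
```

The distinction between `reachable` and `ok` matters for the reverse-proxy setup suggested above: a device on the guest network or at home gets the first kind of failure, while a proxy that forwards the request but strips or mishandles authentication gets the second, and the MDM log line alone will not tell you which.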