Skip to main content
Wessnitzer
Wessnitzer
New Member
November 6, 2025
Question

Cannot deploy SCEP certificate to Android via Intune

  • November 6, 2025
  • 5 replies
  • 1660 views

Hello, for the last two weeks I have been trying to connect FCEMS (7.4.4) to Intune to deploy ztna certificate to Android devices (Samsung S25, Android 16, work profile). I have ran into a brick wall of device being stuck in „MDM Deployment Status Pending“ and the intune polocy to deploy SCEP certificate having error without any further details.

 

I have been following this guide Provisioning ZTNA certificates to FortiClient mobile using Intune | FortiClient 7.4.0 | Fortinet Document Library

I walked through it multiple times with the same result. Maybe I am missing something? Can someone please help, if you have such setup in working order? :)

 

I have configured the app with correct permisisons in intune and set up MDM integration in FCEMS.

Wessnitzer_0-1762429320307.png

 

Have user with correct licences.

In intune app configuration policies have set up:

Go to Apps > App configuration policies. Create a new policy.

  1. Add key-value pairs. The intune_device_id key is mandatory. All other keys are optional. Intune supports the following app configuration keys for FortiClient mobile. The table indicates which keys apply for Android and for iOS:

So the only config i put in was device ID like this (I am using invitation codes so I am not filling ems server od ip)

Wessnitzer_1-1762429320308.png

 

The internal certificates were uploaded to the Android Forticlient, I had no way of importing them manually, so I created new policies in Intune to import those – this was successful.

After registering the Android Forticlient I see this in FCEMS

Wessnitzer_2-1762429320309.png

 

 

Here it is stuck forever, because in Intune, the EMS ROOT CA and SCEP CA are deployed correctly, but SCEP CERT is not.

Wessnitzer_3-1762429320310.png

 

Clicking on the policy displays no error.

I have looked what exactly is in the policy

Wessnitzer_4-1762429320319.png

 

There is link to SCEP server URLs. When I try to open the URL from the work profile of the Android device, it works – ie. It says „failed to decode scep request: missing operation“ which should be fine because I am just opening it in browser at this point and not supplying any real request.

Page display as signed, connection is secured, certificate trusted  (SCEP CA)

So from what it looks, the Intune part is OK, the profile gets deployed, the phone can connect to SCEP server in there, but then something fails after connection to *FCEMS*:4001/Default/scep

 

FCEMS log displays nothing about this, only that MDM profile was provisioned two days ago. Althrough I have enabled debug logging just about hour back, so maybe later something will appear…

 

Communication from phone to fcems on port 4001 is working - this is whole log of all communication from phone to fcems, there is nothing else that is blocked.

 

log.png

 

Could someone please help with this issue?
Thank you
Regards
Martin 

5 replies

Anthony_E
Staff
Anthony_E
Staff
November 10, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
November 12, 2025

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Best Regards
    Jean-Philippe_P
    Staff & Editor
    Jean-Philippe_P
    Staff & Editor
    November 18, 2025

    Hello Wessnitzer,

     

    I found this solution. Can you tell us if it helps, please?

     

    To troubleshoot the issue of the device being stuck in "MDM Deployment Status Pending" and the SCEP certificate deployment error, follow these steps:

    1. Verify Intune Configuration:

      • Ensure that the app configuration policy in Intune is correctly set up with the necessary key-value pairs, especially the intune_device_id.
      • Double-check that the permissions for the app in Intune are correctly configured.

    2. Check EMS Configuration:

      • Confirm that the EMS is properly integrated with Intune. Review the steps in the guide to ensure no steps were missed.
      • Verify that the EMS server is reachable from the Android device and that the correct EMS server URL is used.

    3. SCEP Configuration:

      • Ensure that the SCEP server URL is correctly configured in the Intune policy.
      • Check that the SCEP server is accessible from the Android device and that no network issues are blocking the connection.

    4. Logs and Debugging:

      • Enable detailed logging on both EMS and the Android device to capture more information about the error.
      • Review the logs for any error messages or warnings that could provide more insight into the issue.

    5. Certificate Deployment:

      • Verify that the EMS root CA and SCEP CA are correctly deployed and trusted on the Android device.
      • Ensure that the SCEP certificate request is correctly formatted and that the SCEP server is processing requests as expected.

    6. Network and Firewall: Check that there are no firewall rules or network configurations blocking communication between the Android device and the EMS server on port 4001.

    7. Re-enrollment: As a last resort, try re-enrolling the Android device in Intune and EMS to see if the issue persists.

    If the issue continues, consider reaching out to Fortinet support for further assistance, providing them with the detailed logs and configuration settings for a more in-depth analysis.

    Jean-Philippe - Fortinet Community Team
    Ttrnx
    Ttrnx
    New Member
    January 16, 2026

    Hi, I have a similar issue. How did you resolve it?

    Wessnitzer
    WessnitzerAuthor
    New Member
    January 16, 2026

    Hello, Unfortunately I did not resolve it.
    I got stuck, did not found any errors in my setting while walking through the troubleshooting, there was nothing about any certificate problems in ems debug logs or even android Forticlient logs. I have no idea if this is Fortinet or Intune problem. All -CA- certificates are deployed OK, but scet cert is not. There are no network issues either.


    Then I gave up, there were more pressing matters - fortunately none of our customers needs this function atm.
    Kinda hoping this fixes itself by some update in the future or someone smarter than me finds a fix.


    Regards
    Martin

    Ttrnx
    Ttrnx
    New Member
    January 16, 2026

    Hi Wessnitzer,

    Thanks for your reply. I saw your post and wanted to check whether this issue has been resolved. Unfortunately, we are experiencing the exact same problem.

    Additionally, we are facing another issue: exclusion lists in the FortiClient EMS Web Filter profile do not seem to work. The overall web filtering functionality works as expected, but when we add exclusion entries (either allow or block), they are not applied. Have you experienced it aslo or not ? If yes how you resolved it ?

    Regards
    Sardor

    nbegorre
    nbegorre
    New Member
    March 13, 2026

    I had the same issue, and on my side it was the port 4001 and 4002 of my forticlient EMS which was not accessible (Required services and ports | FortiClient 7.4.5 | Fortinet Document Library)

    Terms & ConditionsAccessibility statement