Wessnitzer
New Contributor II

Cannot deploy SCEP certificate to Android via Intune

Hello, for the last two weeks I have been trying to connect FCEMS (7.4.4) to Intune to deploy a ZTNA certificate to Android devices (Samsung S25, Android 16, work profile). I have run into a brick wall: the device is stuck in "MDM Deployment Status Pending" and the Intune policy to deploy the SCEP certificate shows an error without any further details.


I have been following this guide Provisioning ZTNA certificates to FortiClient mobile using Intune | FortiClient 7.4.0 | Fortinet Doc...

I walked through it multiple times with the same result. Maybe I am missing something? Can someone please help, if you have such setup in working order? :)


I have configured the app with the correct permissions in Intune and set up MDM integration in FCEMS.


I have a user with the correct licences.

In Intune app configuration policies I have set up:

Go to Apps > App configuration policies. Create a new policy.

  1. Add key-value pairs. The intune_device_id key is mandatory. All other keys are optional. Intune supports the following app configuration keys for FortiClient mobile. The table indicates which keys apply for Android and for iOS:

So the only config I put in was the device ID, like this (I am using invitation codes, so I am not filling in the EMS server or IP):


The internal certificates were uploaded to the Android FortiClient. I had no way of importing them manually, so I created new policies in Intune to import those; this was successful.

After registering the Android FortiClient I see this in FCEMS:


Here it is stuck forever, because in Intune, the EMS ROOT CA and SCEP CA are deployed correctly, but SCEP CERT is not.


Clicking on the policy displays no error.

I have looked at what exactly is in the policy:


There is a link to the SCEP server URLs. When I try to open the URL from the work profile of the Android device, it works, i.e. it says "failed to decode scep request: missing operation", which should be fine because I am just opening it in a browser at this point and not supplying any real request.

The page displays as signed, the connection is secured, and the certificate is trusted (SCEP CA).

So from what it looks like, the Intune part is OK, the profile gets deployed, the phone can connect to the SCEP server from there, but then something fails after the connection to *FCEMS*:4001/Default/scep


The FCEMS log displays nothing about this, only that the MDM profile was provisioned two days ago. Although I enabled debug logging just about an hour ago, so maybe later something will appear…


Communication from the phone to FCEMS on port 4001 is working. This is the whole log of all communication from the phone to FCEMS; there is nothing else that is blocked.


Could someone please help with this issue?
Thank you
Regards
Martin

Anthony_E
Community Manager

Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,


We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
Jean-Philippe_P
Moderator

Hello Wessnitzer,


I found this solution. Can you tell us if it helps, please?


To troubleshoot the issue of the device being stuck in "MDM Deployment Status Pending" and the SCEP certificate deployment error, follow these steps:

  1. Verify Intune Configuration:

    • Ensure that the app configuration policy in Intune is correctly set up with the necessary key-value pairs, especially the intune_device_id.
    • Double-check that the permissions for the app in Intune are correctly configured.

  2. Check EMS Configuration:

    • Confirm that the EMS is properly integrated with Intune. Review the steps in the guide to ensure no steps were missed.
    • Verify that the EMS server is reachable from the Android device and that the correct EMS server URL is used.

  3. SCEP Configuration:

    • Ensure that the SCEP server URL is correctly configured in the Intune policy.
    • Check that the SCEP server is accessible from the Android device and that no network issues are blocking the connection.

  4. Logs and Debugging:

    • Enable detailed logging on both EMS and the Android device to capture more information about the error.
    • Review the logs for any error messages or warnings that could provide more insight into the issue.

  5. Certificate Deployment:

    • Verify that the EMS root CA and SCEP CA are correctly deployed and trusted on the Android device.
    • Ensure that the SCEP certificate request is correctly formatted and that the SCEP server is processing requests as expected.

  6. Network and Firewall: Check that there are no firewall rules or network configurations blocking communication between the Android device and the EMS server on port 4001.

  7. Re-enrollment: As a last resort, try re-enrolling the Android device in Intune and EMS to see if the issue persists.

If the issue continues, consider reaching out to Fortinet support for further assistance, providing them with the detailed logs and configuration settings for a more in-depth analysis.

Regards,
Jean-Philippe - Fortinet Community Team
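The "missing operation" message the original poster saw, and the "check that the SCEP server is accessible" step in the reply above, both come down to the same thing: a SCEP endpoint expects an `operation` query parameter (RFC 8894), so a bare GET in a browser is not a meaningful test. The helpers below are an added example and are not code from the thread or from Fortinet; they assume the EMS path `/Default/scep` on port 4001 from the post and speaks standard SCEP, and the host name is a placeholder.

```python
"""Offline helpers for sanity-checking a SCEP endpoint such as
https://<ems>:4001/Default/scep before blaming the Intune profile.
Assumption (not from the thread): the endpoint follows RFC 8894, so it
needs ?operation=... and answers GetCACaps with one keyword per line.
"""
import ssl
import urllib.parse
import urllib.request
from typing import Optional

EMS_SCEP_URL = "https://ems.example.invalid:4001/Default/scep"  # placeholder host

# RFC 8894 operations; a GET without one of these yields "missing operation".
SCEP_OPERATIONS = ("GetCACaps", "GetCACert", "PKIOperation", "GetNextCACert")


def build_scep_url(base: str, operation: str, message: Optional[str] = None) -> str:
    """Append the SCEP operation (and optional message) to the base URL."""
    if operation not in SCEP_OPERATIONS:
        raise ValueError(f"unknown SCEP operation {operation!r}")
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{base}?{urllib.parse.urlencode(params)}"


def parse_cacaps(body: str) -> set:
    """GetCACaps returns one capability keyword per line; normalise them."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def cacaps_problems(caps: set) -> list:
    """Flag capability gaps that commonly make modern SCEP clients fail."""
    problems = []
    if "POSTPKIOperation" not in caps:
        problems.append("CA does not advertise POSTPKIOperation (GET-only PKIOperation)")
    if not ({"SHA-256", "SHA-512"} & caps):
        problems.append("CA advertises no SHA-2 hash; clients may refuse SHA-1")
    if "AES" not in caps:
        problems.append("CA does not advertise AES; only 3DES content encryption")
    return problems


def fetch_cacaps(base: str, cafile: Optional[str] = None, timeout: float = 10.0) -> set:
    """Live check (not run at import): GET GetCACaps over TLS, validating the
    chain against `cafile`, i.e. the SCEP CA the device is supposed to trust."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = build_scep_url(base, "GetCACaps")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return parse_cacaps(resp.read().decode("ascii", "replace"))
```

Run `fetch_cacaps(EMS_SCEP_URL, cafile="scep-ca.pem")` from a host on the same network path as the phone; a TLS failure there points at the trust chain, while an empty or weak capability set points at the CA side rather than at Intune.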