Error: "NSURLErrorDomain error -1012" on DEP Enrollment

Unable to enroll devices under Apple Device Enrollment Program (DEP). The following error appears:

 "The configuration for your iPhone could not be downloaded from <organisation>. This operation couldn't be completed. (NSURLErrorDomain error -1012)"

Validate that all SSL certificates have the full chain for the MDM server linked properly.

When validating the SSL certificates for full chain, compare them to List of available trusted root certificates in iOS 8. If you have SSL certificates that are not trusted by Apple, then you will not be able to enroll DEP devices. Normal MDM devices will however work.

To test this you can temporarily disable SSL Enforcement at MDM, Full Wipe and reboot the device. Device should be able to enroll, this validates that issue is with the SSL certificate chain.

If the issue persists:

1. Set ios.mdm.enrollment.installRootCalfRequired to false within ew-config.properties file and test again.

   • This modification forces the MDM server to not send the pki-ca-root.p12 file to Apple.

   • If set to true, DEP device are forced to use this to complete SSL handshakes for MDM servers which will fail if the SSL certificate has been modified.

2. Verify that the IP found in the Apple DEP portal matches with the IP address of the external FQDN hostname.
3. i) Unassign device from DEP portal at deploy.apple.com using device serial number (located on back of device)
   ii) Perform Recovery mode restore via iTunes but do not setup device.?? Recovery mode restore is different from regular restore as it has a critical step where it reaches out to Apple for activation
   iii) Assign device back to MDM server to give device new activation policy before it goes through re-activation

SSL trust cannot be completed between the server and DEP devices or DEP device is unable to reach MDM server specified in activation policy possibly due to MDM server change