Thanks, here are some examples of certificate method not working:
The new kindle fires with the Silk browser won't register the certificate way. Something with the Silk Browser must have changed from the older Fire devices which did work the certificate way.
I opened a case with TAC and they recommended downloading Google Chrome instead.
Occasionally an android will ask for a storage credential password as part of the process. The user inputs their device pin, but it doesn't work, and the user is unaware of what the storage credential would be, says they never set one.
Another example is a windows phone 8, the certificate way isn't supported b/c something with the Windows software needing an update if I remember correctly.
With not maintaining the user devices, since it's BYOD, sometimes we don't have a clue what the device has been thru :) So we kind of use the alternate method as a catch all for those devices that can't be traditionally onboarded certificate way.