Customer wanted to OnBoard company-owned devices to do TLS authentication. I have ClearPass and the IAP cluster configured. OnBoard works successfully on Windows laptops, and we have it working on 1 MacBook (took 4 hours of trying and didn't really change anything).
Device connects to SSID-Secure (WPA2-Enterprise against AD), enters credentials, and is then put in the pre-provisioning role (OnBoard captive portal); the user logs in (against AD) and follows the OnBoarding steps.
When it tries to install the certificate, we receive "Cannot decrypt encrypted profile" and it does not connect.
I have debugging turned on in the OnBoard plugin, and the application logs do not show anything too strange, except a few re-sends of the phases.
Any ideas why this may be happening? I'm close to calling TAC, but thought I would try this first.