I have the same issue. Most OAuth2 provider requires client_secret for requesting an access token. By setting token-url=https://my.mdm.server.app/token and implementing the token request logic with adding client_secret in my MDM server, it would be possible to continue the enrollment flow. However it is different as is described in the figure in the guide. How can we implement it??

I also encountered the same issue. It seems to be fixed on iOS 17 beta. (I don't have iOS 16 device, so I cant check it :) Some application framework raises an error on receiving pkcs7 body with application/x-www-form-urlencoded header, and we would have to handle it by monkey-patching the web framework. For example Ruby on Rails raises error and we can avoid it by monkey-patching Rack with middleware like this class FixContentTypeMiddleware def initialize(app) @app = app end def call(env) if env['REQUEST_PATH'] == '/mdm-byod/enroll' # iOS 15 is buggy. It sends Content-Type: application/x-www-form-urlencoded # and Rack raises errors Invalid query parameters: invalid %-encoding. if env['CONTENT_TYPE'] == 'application/x-www-form-urlencoded' # just avoid it by rewriting Content-Type env['CONTENT_TYPE'] = 'application/pkcs7-signature' end end @app.call(env) end end