We are facing the same issue while performing SCEP / CMS-based enrollment using OpenSSL.
When OpenSSL is operated in FIPS mode (OpenSSL 3.x FIPS provider), CMS EnvelopedData using RSA recipients no longer supports RSAES-PKCS1-v1_5 key transport and instead generates RSAES-OAEP (corresponding to RSA_PKCS1_OAEP_PADDING in OpenSSL) for encrypting the content-encryption key.
However, Apple’s MDM / Keychain CMS implementation on both iOS and macOS does not appear to support RSAES-OAEP and fails to import the encrypted PKCS#12 payload.
Could you clarify whether there are plans to add support for RSAES-OAEP in CMS EnvelopedData for MDM / Keychain?
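For anyone triaging the mismatch described above, here is an added example (not part of the original post, and not OpenSSL or Apple code) that reads a DER-encoded CMS EnvelopedData and reports which RSA key-transport algorithm each KeyTransRecipientInfo carries. The function names and the constructed sample message are assumptions made for illustration.

```python
# Added example: name the key-transport algorithm of each KeyTransRecipientInfo
# in a DER-encoded CMS EnvelopedData (RFC 5652). Helper names are hypothetical.
PKCS = bytes.fromhex("2a864886f70d01")                    # DER body of 1.2.840.113549.1
KEY_TRANSPORT = {PKCS + b"\x01\x01": "RSAES-PKCS1-v1_5",  # rsaEncryption, ...1.1.1
                 PKCS + b"\x01\x07": "RSAES-OAEP"}        # id-RSAES-OAEP, ...1.1.7
ENVELOPED_DATA = PKCS + b"\x07\x03"                       # id-envelopedData, ...1.7.3

def read_tlvs(buf):
    """Split DER bytes into (tag, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                                 # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def key_transport_algs(der):
    ((_, ci),) = read_tlvs(der)                           # ContentInfo SEQUENCE
    (_, ctype), (_, content) = read_tlvs(ci)
    if ctype != ENVELOPED_DATA:
        raise ValueError("not id-envelopedData")
    ((_, env),) = read_tlvs(content)                      # [0] EXPLICIT EnvelopedData
    recipients = next(v for t, v in read_tlvs(env) if t == 0x31)  # recipientInfos SET
    algs = []
    for tag, ri in read_tlvs(recipients):
        if tag == 0x30:                                   # ktri; other choices are context-tagged
            _, _, (_, alg), _ = read_tlvs(ri)             # version, rid, keyEncAlg, encryptedKey
            oid = read_tlvs(alg)[0][1]
            algs.append(KEY_TRANSPORT.get(oid, oid.hex()))
    return algs

def tlv(tag, *parts):  # minimal DER encoder, used only to build the sample
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample(alg_oid):  # constructed message: dummy issuer, key and ciphertext
    alg = tlv(0x30, tlv(0x06, alg_oid), tlv(0x05))        # parameters simplified to NULL
    ktri = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x30, tlv(0x30), tlv(0x02, b"\x01")),
               alg, tlv(0x04, bytes(256)))
    cea = tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040102")), tlv(0x04, bytes(16)))  # aes128-CBC
    eci = tlv(0x30, tlv(0x06, PKCS + b"\x07\x01"), cea, tlv(0x80, bytes(16)))
    env = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x31, ktri), eci)
    return tlv(0x30, tlv(0x06, ENVELOPED_DATA), tlv(0xA0, env))
```

In a SCEP exchange the EnvelopedData is carried as the encapsulated content of an outer SignedData, so it has to be extracted before being passed to `key_transport_algs`.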