
Android: Certificate enrollment fails permanently when CERT_INSTALL delegation is not yet available #43064

@getvictor

Description


Android agent 1.3.0


Actual behavior

After a fresh MDM enrollment, the Android agent immediately attempts certificate enrollment. The AMAPI policy grants the app CERT_INSTALL delegated scope, but this delegation is applied asynchronously and may not be available by the time the app runs. When the app calls DevicePolicyManager.installKeyPair(null, ...) before the delegation is active, Android throws:

java.lang.SecurityException: Calling identity is not authorized

To fix

  1. Gate the entire enrollment flow on delegation availability.

  2. Add a defensive delegation check in AndroidCertificateInstaller.

  3. Improve failure messages.

Steps to reproduce

These steps:

  • Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
  • Describe the workflow that led to the error, but have not yet been reproduced in multiple Fleet instances.
  1. Set up a certificate template.
  2. Enroll a new Android device using manual enrollment.
  3. Wait for the cert to be requested (you may see this error in the app).
  4. If not, try unenrolling, restarting the device, and enrolling again. (Make sure your CA allows certs with the same CN. Maybe: scepserver -depot depot -port 8088 -challenge=bozo --allowrenew 0)
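The two fixes proposed above (gating enrollment on delegation availability, and a defensive check in the installer that produces an actionable message) can be sketched as follows. This is an added example, not code from the Fleet Android agent or from the issue author; the class names CertInstallDelegationGate and DelegatedCertificateInstaller are hypothetical. It assumes the agent is a delegated app (so the admin argument to DevicePolicyManager calls is null, as in the issue) and uses the platform's DevicePolicyManager.getDelegatedScopes, DELEGATION_CERT_INSTALL and ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED APIs, plus androidx.core's ContextCompat.registerReceiver for the receiver-export flag required on newer SDKs.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.util.Log
import androidx.core.content.ContextCompat
import java.security.PrivateKey
import java.security.cert.Certificate

private const val TAG = "CertEnrollment"

// Hypothetical helper (not Fleet agent code): answers "is CERT_INSTALL delegation active for
// this package right now?" and defers work until it is. The AMAPI policy grants the scope
// asynchronously, so a fresh enrollment may run before the platform has applied it.
class CertInstallDelegationGate(private val context: Context) {
    private val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    // Delegated (non-DPC) apps pass null as the admin. getDelegatedScopes returns the scopes the
    // DPC has granted to the named package at this moment.
    fun isDelegationActive(): Boolean =
        dpm.getDelegatedScopes(null, context.packageName)
            .contains(DevicePolicyManager.DELEGATION_CERT_INSTALL)

    // Runs onReady immediately if the scope is already granted; otherwise waits for the
    // platform's delegation-scope-changed broadcast (delivered only to the delegated package)
    // and runs onReady once CERT_INSTALL appears in the new scope list.
    fun runWhenDelegated(onReady: () -> Unit) {
        if (isDelegationActive()) {
            onReady()
            return
        }
        Log.i(TAG, "CERT_INSTALL delegation not yet active; deferring certificate enrollment")
        val receiver = object : BroadcastReceiver() {
            override fun onReceive(ctx: Context, intent: Intent) {
                val scopes = intent.getStringArrayListExtra(DevicePolicyManager.EXTRA_DELEGATION_SCOPES)
                if (scopes?.contains(DevicePolicyManager.DELEGATION_CERT_INSTALL) == true) {
                    ctx.unregisterReceiver(this)
                    Log.i(TAG, "CERT_INSTALL delegation now active; starting certificate enrollment")
                    onReady()
                }
            }
        }
        ContextCompat.registerReceiver(
            context,
            receiver,
            IntentFilter(DevicePolicyManager.ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED),
            ContextCompat.RECEIVER_NOT_EXPORTED,
        )
    }
}

// Hypothetical installer (not the agent's AndroidCertificateInstaller): re-checks the delegation
// right before installKeyPair and turns the bare "Calling identity is not authorized"
// SecurityException into a message that says what is actually missing.
class DelegatedCertificateInstaller(
    private val context: Context,
    private val gate: CertInstallDelegationGate,
) {
    private val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    fun install(key: PrivateKey, cert: Certificate, alias: String): Boolean {
        // Defensive check: the gate may have passed earlier, but the scope can still be absent
        // (for example after a policy reapply), so verify at the point of use.
        if (!gate.isDelegationActive()) {
            throw IllegalStateException(
                "CERT_INSTALL delegation is not active for ${context.packageName}; " +
                    "the AMAPI policy may not have been applied yet. Retry after the " +
                    "delegation-scope-changed broadcast instead of failing enrollment permanently."
            )
        }
        return try {
            dpm.installKeyPair(null, key, cert, alias)
        } catch (e: SecurityException) {
            // Still possible if the scope is revoked between the check and the call; keep the
            // original cause but say which operation and alias were rejected.
            throw IllegalStateException(
                "installKeyPair(alias='$alias') rejected by the platform: ${e.message}", e
            )
        }
    }
}

// Enrollment entry point (hypothetical): the whole flow is gated, so the first
// installKeyPair call never races the asynchronous delegation grant.
fun startCertificateEnrollment(context: Context, enroll: (DelegatedCertificateInstaller) -> Unit) {
    val gate = CertInstallDelegationGate(context)
    gate.runWhenDelegated { enroll(DelegatedCertificateInstaller(context, gate)) }
}
```

The gate only answers a point-in-time question, which is why the installer checks again and still catches SecurityException: a scope can be granted after the check or revoked before the call, and the goal is that either case is reported as a retryable delegation problem rather than a permanent enrollment failure.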

Metadata

Labels

  • #g-power-to-pc: Power to the PC working group
  • :release: Ready to write code. Scheduled in a release. See "Making changes" in handbook.
  • bug: Something isn't working as documented
  • ~released bug: This bug was found in a stable release.


Status

🐥 Ready for review
