Prior to this issue we have successfully enrolled 400-odd iPads using either method.
On the iPad, go to the correct iOS enroll URL, enter AD credentials, install the trust certificate, after which the iPad is immediately redirected to the enrollment login page. The trust cert installs correctly but cannot go further.
I tried plugging into Apple Configurator (last resort -_-) v1.5, and tried to install a downloaded trust cert and enrollment profile manually, in that order. Again the trust cert installs fine, but I get the error "Profile Installation Failed - Invalid Profile".
Any ideas why this iPad is different? No restrictions or other settings on that I could see that would impact. Checked iPad date and time settings.
We've been seeing something similar - https://jamfnation.jamfsoftware.com/discussion.html?id=10633 and haven't been able to pin it down, but we tend to find that after restarting the Tomcat service the devices have a higher chance of enrolling.
During JumpStarts I get things like this a lot. This is what I usually check:
, you already have devices! Recreating the CA may cause ALL of your devices to not communicate any longer and would require you to re-enroll all of your devices.
We had the same problems since we upgraded to JSS version 9 and the solution for this was to remove the URL for "JSS URL for Enrollment Using Built-in SCEP and iPCU" under '/Settings/Global Settings/JSS URL'. Here you can point to a special URL if using iPCU or a Built-In SCEP Server, which obviously is configured automatically when setting up the JSS URL for all other devices (OSX clients).
Removing this URL solved all my problems with iOS enrollment via Apple Configurator, User-initiated or OTA invitations, whether it was an iPod/iPad or AppleTV. As mentioned by @justinrummel, be careful with removing or redoing the Mobile Device Enrollment Profile... really could end up in sh*** loads of work.
Hope that helps.