For MDM-SCEP enrollment with Certificate Enrollment Gateway,  Entrust Certificate Authority must allow server-generated verification and nonrepudiation keys.

To allow server-generated verification and nonrepudiation keys

1. Edit the entmgr.ini settings file.
2. Set the following contents. 
   [policy]

   allowServerGenVerCert=true

   allowServerGenNonRepudCert=true
3. Save the changes.