For some time we've been dealing with this particular issue:
By chance, someone was also dealing with the problem but was a lot more persistent in finding out the cause. Here is the blog post on that:
My feature request to Jamf is a simple one, please follow Apple's recommendation when evaluating the device certificate for DEP enrollment:
WARNING: When device certificates signed “Apple iPhone Device CA” are evaluated their validity dates should be ignored.
Other MDM vendors do not suffer from this. It's quite frustrating when I hear from other Mac admins who are able to do DEP enrollment through the command line without a problem with their commercial tools but I can't because Jamf isn't following Apple's guidance on the matter.
The workflow this would allow is to deal with 1) devices that are added to DEP post-purchase before an organization takes advantage of DEP or 2) devices that need to get re-enrolled through DEP without a wipe/reinstall of the OS.
I'm hoping that Jamf can make this change. Because I'm not sure whether Jamf considers this a bug or a potential feature request, I'm submitting it here but am also going to re-open my ticket on this matter.
As of Jamf Pro 10.15 we no longer check for the validity date of the “Apple iPhone Device CA” certificates.
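The rule quoted in the request, ignoring validity dates while still checking the signature, can be illustrated with the following added example, which is not code from Jamf, Apple or anyone in this thread. The CA and device certificates are constructed test data that only share the name "Apple iPhone Device CA", and `issue`, `strictVerify` and `deviceVerify` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent means self-signed.
func issue(cn string, ca bool, from, to time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(from.Unix()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// strictVerify is ordinary path validation: it enforces NotBefore/NotAfter.
func strictVerify(leaf, ca *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

// deviceVerify ignores validity dates but still requires a signature made by
// the pinned device CA key, so a look-alike issuer name is not enough.
func deviceVerify(leaf, pinnedCA *x509.Certificate) error {
	return leaf.CheckSignatureFrom(pinnedCA)
}

func main() {
	d := func(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }
	ca, caKey := issue("Apple iPhone Device CA", true, d(2010), d(2040), nil, nil)
	leaf, _ := issue("constructed-device", false, d(2015), d(2017), ca, caKey)
	fmt.Println("strict:", strictVerify(leaf, ca, d(2020)), "| dates ignored:", deviceVerify(leaf, ca))
}
```

The expired device certificate fails ordinary path validation but passes the date-agnostic check, while a certificate signed by a different key under the same issuer name is still rejected.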