Last week I had an issue trying to enroll certificates thru ConfigMgr/Intune via NDES on iOS devices. The enrollment worked like a charm on Windows Phone 8.1 devices.
The error I got in the crp.log file (Certificate Reqistration Point component) was key usage in CSR 160 and challenge 224 do not match
To fix the issue you have to modify the certificate NDES General Purpose certificate template and remove Signature in proof of origin. You will find the property in Extensions
After that iOS devices started appying the certificates.