Trust profile installed on DEP devices

Mike Shouppe
Baptist Health Care

We have a very strange issue happening with one of the enterprise apps we use. Whenever the trust profile is installed, this particular app gets an invalid certificate error. With the trust profile removed, it works fine. We unchecked the option to require the trust profile on the server and the devices that we enroll through the web browser work perfectly... our iOS profile is signed by a third party. However, most of our devices are enrolled through DEP and the trust profile is still installed on those devices. Is there not a way to prevent the trust profile from being installed on those devices as well?

7 years ago
SOTI MobiControl
ANSWERS
Raymond Chan Diamond Contributor
7 years ago

What is your MobiControl server version and build number? Was it upgraded from older version(s) (13.x or earlier)? Was it installed with a 2048-bit MobiControl root certificate?

What is the iOS firmware version of your problematic devices?

Did you bind your MobiControl deployment server extension with a paid SSL certificate bought from a trusted CA?

Have you tried adding a new iOS device rule without trust profile option, and used it to enroll a DEP device from scratch, and check if everything including your enterprise app works fine?

Mike Shouppe
7 years ago

This is a fresh install of 14.1.8.1064. Yes, the MobiControl Root cert is 2048 bit. We've seen this problem on every DEP device we've tested (~12) that range from iPhone 6S+, 7+, & 8+ and iOS versions 11.3.x to 12.1. The only certificate bindings we changed were for the deployment server extensions/web console and iOS profile signing...we are using our trusted third-party signed certificate. I haven't tried creating a new device rule though. I didn't see an option when creating the rule about the trust profile option. We unchecked the box in the MC Administration Utility...is there another option in the web console we're overlooking?

Adil Katchi
7 years ago

Hi Mike,

That is indeed a strange issue with your enterprise application. I strongly recommend that you contact Apple's Developer Technical Support team to better understand the underlying reason for this issue in your enterprise application.

To answer your question, today there's no way to prevent the trust chain certificates from being installed when a device is enrolled using DEP. The reason is due to differences in the security requirements between DEP-based and URL-based enrollment. The former requires the certificates of the trust chain of the "Deployment Server Extensions and Web Console" server certificate to be installed on the device, even if these certificates are trusted 3rd party certificates, whereas the latter does not require these certificates to be installed on the device, if they are trusted 3rd party certificates.

Does your trust profile (whether installed through URL- or DEP-based enrollment) contain the MobiControl root certificate? Do you know if your issue is due to the presence of the MobiControl root certificate in particular?
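One way to answer that last question is to inspect the trust profile itself. The following is an added example, not code from the thread or from SOTI: it reads an unsigned .mobileconfig with the standard library, lists every certificate payload the profile would place in the device trust store, and flags any whose SHA-256 fingerprint matches a root you already know (such as the MobiControl root CA). The sample profile, its payload identifiers and its "DER" blobs are constructed placeholders.

```python
"""List the CA certificates an iOS trust profile (.mobileconfig) would install."""
import hashlib
import plistlib

# Payload types that place a certificate in the device trust store.
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}


def list_installed_certs(profile_bytes):
    """Return one dict (name, type, sha256) per certificate payload in an unsigned profile."""
    certs = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") not in CERT_PAYLOAD_TYPES:
            continue  # MDM, Wi-Fi, etc. payloads do not touch the trust store
        body = payload.get("PayloadContent", b"")
        if isinstance(body, str):  # PEM text may be stored as a string rather than <data>
            body = body.encode()
        certs.append({
            "name": payload.get("PayloadDisplayName", payload.get("PayloadIdentifier", "?")),
            "type": payload["PayloadType"],
            "sha256": hashlib.sha256(body).hexdigest(),  # fingerprint of the raw payload bytes
        })
    return certs


def find_known_roots(profile_bytes, known_fingerprints):
    """Names of certificate payloads whose SHA-256 fingerprint is in known_fingerprints."""
    return [c["name"] for c in list_installed_certs(profile_bytes) if c["sha256"] in known_fingerprints]


def _cert_payload(ident, name, der):
    return {"PayloadType": "com.apple.security.root", "PayloadIdentifier": ident, "PayloadUUID": ident,
            "PayloadVersion": 1, "PayloadDisplayName": name, "PayloadContent": der}


# Constructed sample profile: the "DER" blobs are placeholders, not real certificates.
FAKE_MC_ROOT_DER = b"constructed MobiControl root CA bytes"
FAKE_PUBLIC_CA_DER = b"constructed third-party CA bytes"
KNOWN_ROOT_FINGERPRINTS = {hashlib.sha256(FAKE_MC_ROOT_DER).hexdigest()}  # e.g. taken from the console
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "example.trust", "PayloadUUID": "example.trust",
    "PayloadVersion": 1, "PayloadDisplayName": "Trust Profile (constructed)",
    "PayloadContent": [
        _cert_payload("example.mc-root", "MobiControl Root CA", FAKE_MC_ROOT_DER),
        _cert_payload("example.public-ca", "Third-party CA", FAKE_PUBLIC_CA_DER),
        {"PayloadType": "com.apple.mdm", "PayloadIdentifier": "example.mdm", "PayloadUUID": "example.mdm",
         "PayloadVersion": 1},
    ],
})

if __name__ == "__main__":
    for cert in list_installed_certs(SAMPLE_PROFILE):
        print(f"{cert['name']:20} {cert['type']:26} sha256={cert['sha256'][:16]}...")
    print("Known roots present:", find_known_roots(SAMPLE_PROFILE, KNOWN_ROOT_FINGERPRINTS))
```

A profile that has been signed is a CMS (PKCS#7) wrapper around the plist, so strip the signature first (for example with `openssl cms -verify -noverify -inform DER`) before handing the bytes to `list_installed_certs`.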