We have a work managed Activesync profile that uses certificates for authentication in Gmail. All of the devices that use this profile are located in one Organizational Group. If I enroll a device in this OG with just the Activesync profile assigned to the OG, it works just fine.
I have another profile created for VPN that also uses certificates for authentication. As soon as I assign the VPN profile email stops working. I get a message in Gmail saying “Cannot access certificate”.
This happens on Samsung devices. I haven't tried others.
This all worked with legacy profiles and certificate payloads. Is there some way to make this work in an Android for Work environment?

I'm still doing a bit of testing to see if it's the certificate payload that is the problem.