In one of my previous blogs I explained how to set up the Apple Push certificate (APNs certificate). In this blog I will show how you can renew your APNs certificate. It is important that you renew your APNs certificate before it expires; if you do not, you will have issues enrolling new devices (see pic. 1) and managing existing devices.
Picture 1: APNs certificate error during enrollment.
This is because Intune uses the Apple Push Notification Service (APNs) to communicate with enrolled devices. To use the Apple Push Notification Service, Intune requires a valid APNs certificate.
Validity of the APNs certificate
An APNs certificate is valid for one year. According to this Microsoft blog post you will receive an email on the Apple ID used for creating the APNs certificate (30, 10 and 1 day prior to expiry), but I did not receive these emails for all my accounts. The expiration date of the certificate can also be checked in the Apple Push Certificates Portal.
Another way to view the validity of the certificate is by checking the MEM admin center. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” or click here and select “Apple MDM Push certificate”. In this overview you can see the current status, the number of days until expiration and the expiration date.
Validate certificates
Before you start the renewal you need to check that you are using the correct accounts and certificates. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” or click here and select “Apple MDM Push certificate”. Make a note of the Subject ID and Serial number.
Open a new browser tab, go to the Apple Push Certificates Portal and log in with the same Apple ID used to create the APNs certificate. Make a note of the UID and Serial number.
Compare the notes you made about the Serial number and the Subject ID/UID. The Serial number of the APNs certificate changes after each renewal. The Subject ID in Intune and the UID in the Apple Push Certificates Portal do not change and must be the same. The UID is unique for every certificate created in the portal. If you try to upload a certificate with a different UID (e.g. when you create a new certificate or use the wrong certificate instead of renewing the existing one) you will get a Topic ID error.
The Topic ID is the last section of the Subject ID or UID, after “External.” (the UUID part of the example below).
com.apple.mgmt.External.89a059ad-fe3b-4093-b1e3-560292643c43
This unique identification string is also part of the common name of the PEM certificate issued by the Apple Push Certificates Portal.
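The comparison described above can be done by hand, but it is easy to automate the check before touching anything in the portal. The script below is an added example (not code from this blog, and not Microsoft or Apple tooling): it extracts the Topic ID from an Intune Subject ID or a portal UID, compares the two sides together with the serial numbers, and classifies the expiration date against the 30-day grace period mentioned in the Renewal section. The identifier format is taken from the example UID above; the sample serial numbers and dates are constructed for the example, and the assumption that the certificate's common name contains the Topic ID as a plain substring is only what this blog states.

```python
import re
from datetime import date

# Prefix shared by the Intune Subject ID and the Apple portal UID (from the example above).
TOPIC_PREFIX = "com.apple.mgmt.External."
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)
GRACE_DAYS = 30          # renewal is still possible this long after expiry
WARN_DAYS = 30           # Apple's first reminder mail goes out 30 days before expiry


def topic_id(identifier: str) -> str:
    """Return the Topic ID (the UUID after 'External.') from a Subject ID or UID."""
    ident = identifier.strip()
    if not ident.startswith(TOPIC_PREFIX):
        raise ValueError(f"not an APNs MDM identifier: {ident!r}")
    topic = ident[len(TOPIC_PREFIX):]
    if not UUID_RE.match(topic):
        raise ValueError(f"Topic ID is not a UUID: {topic!r}")
    return topic.lower()


def compare_identifiers(intune_subject_id: str, portal_uid: str,
                        intune_serial: str, portal_serial: str) -> dict:
    """Compare what Intune shows with what the Apple Push Certificates Portal shows."""
    topic_match = topic_id(intune_subject_id) == topic_id(portal_uid)
    serial_match = intune_serial.strip().lower() == portal_serial.strip().lower()
    if not topic_match:
        finding = ("Topic ID mismatch: this is not the certificate Intune was set up with "
                   "(wrong Apple ID or a newly created certificate); uploading it gives a Topic ID error")
    elif not serial_match:
        finding = ("same certificate, different serial: one side has a renewal the other "
                   "side does not have yet (the serial changes on every renewal)")
    else:
        finding = "Intune and the portal refer to the same certificate and the same renewal"
    return {"topic_match": topic_match, "serial_match": serial_match, "finding": finding}


def cn_contains_topic(common_name: str, identifier: str) -> bool:
    """Check that the PEM's common name carries the Topic ID (assumed plain substring)."""
    return topic_id(identifier) in common_name.lower()


def expiry_status(expiration: date, today: date) -> dict:
    """Classify the certificate against the warning window and the 30-day grace period."""
    days_left = (expiration - today).days
    if days_left > WARN_DAYS:
        state, action = "valid", "no action needed yet"
    elif days_left > 0:
        state, action = "expiring", "renew now with the same Apple ID"
    elif days_left >= -GRACE_DAYS:
        state, action = "expired_in_grace", "renew immediately; still the same certificate"
    else:
        state, action = "expired_past_grace", "renewal no longer possible; a new certificate means re-enrolling every iOS device"
    return {"days_left": days_left, "state": state, "action": action}


if __name__ == "__main__":
    # Constructed sample values; only the UID format comes from the blog.
    uid = "com.apple.mgmt.External.89a059ad-fe3b-4093-b1e3-560292643c43"
    print(compare_identifiers(uid, uid, "0a1b2c3d", "0a1b2c3d"))
    print(expiry_status(date(2021, 6, 30), date(2021, 5, 31)))
```

Run it with the values noted from the MEM admin center and the portal; a `topic_match` of `False` is the case to stop at, because uploading that PEM would fail with the Topic ID error and, if forced through a new certificate, would cost a re-enrollment of every device.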
Reassignment of the APNs certificate
As mentioned earlier, to renew your MDM push certificate you must use the same Apple third-party certificate each time. Therefore it is important that the certificate is created with a generic account. If this has not happened and you want to change it, there is a possibility to reassign the certificate. To do this you need to contact Apple Deployment Programs Support and open a ticket. After a verification process, the certificate will be moved to the proper account. It will then be visible in the Certificates Portal and can be used to renew your MDM push certificate.
Renewal
It’s important that you renew your APNs certificate and do not create a new APNs certificate. You also need to renew an expired certificate within the 30-day grace period, otherwise you will end up with a new certificate. If you use a new certificate you will need to re-enroll all your existing iOS devices. You should also always use the same Apple ID to renew the certificate as you used to create it. It’s not possible to change the Apple ID used, but Apple may be able to associate a new Apple ID with an existing certificate.
To renew a certificate you need to perform the following steps:
1. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” or click here and select “Apple MDM Push certificate”. Select “Download your CSR” and save the file.
2. Open a new browser tab, go to the Apple Push Certificates Portal and log in with the same Apple ID used to create the APNs certificate. Select “Renew” to renew the certificate.
3. Press “Choose File” to select the CSR file you downloaded in step 1. Press “Upload” to continue.
4. Press “Download” to download and save the renewed APNs certificate (*.PEM file).
5. Select the MEM admin center tab in your browser. Enter the Apple ID used to renew the certificate and select the renewed APNs certificate. Press “Upload” to finish the renewal.
6. The MDM push certificate has now been updated. The status, days to expiration and expiration date are updated accordingly.
Sources
Updates
31-05-2021 Added Validate Certificates and Sources Section.
After doing this the devices still don't renew and have the same error.
Hi John
Did you renew the APNs certificate in time and with the correct account?
regards, Aad
Thanks for this tutorial 😉