Intune and the APNs certificate: FAQ and common issues

Published 10-30-2018 11:34 AM 33.6K Views

First published on TechNet on Jun 11, 2018

Hello everyone,
Here in the Intune support organization, we often get questions relating to the Apple MDM push certificate – also known as the Apple Push Notification service (APNs) certificate - and how it plays a role in managing iOS devices. We have a lot of great documentation on this, for example our article here , but there are many other general questions and issues that don’t necessarily fall into any specific category. That’s where this post comes in. We’ve looked at the support cases we get and talked to a few of our Intune support engineers, and the result is a general Intune/APNs FAQ which we have below. Whether you’re new to Intune or a veteran, there should be something in here that will help just about everyone.


1. Why do I need to configure an APNs certificate in Intune?
a. Intune uses the Apple Push Notification service to communicate securely to your enrolled iOS devices, and Apple requires that each MDM service utilize their own certificate to establish a secure mechanism for devices to use when communicating on Apple’s push notification messaging network. Without the APNs certificate, device could not be enrolled or managed by Intune.


2. How long is the APNs certificate valid?
a. By default, the APNs certificate is good for one year. This lifespan is determined by Apple. You must be sure to renew your APNs certificate before it expires.


3. What happens if I don’t renew my APNs certificate before it expires?
a. If your APNs certificate expires, enrollment of new iOS devices will fail and you will experience problems managing existing iOS devices until a new APNs certificate is obtained.


IMPORTANT Please be aware that if you renew an expired APNs certificate outside of the grace period (30 days as of this writing), Apple will issue you a brand new certificate. When this happens, because the certificate is now different, you will be forced to un-enroll and re-enroll all existing, Intune-managed iOS devices. Steps to un-enroll an iOS device can be found here.


4. Do I need to renew my APNs certificate or can I just get a new one?
a. It is critical that you renew your APNs certificate, not request a new one. This means you must ensure that you use the same Apple ID and renew the same certificate from Apple’s site. If you request a new certificate instead of renewing your existing certificate, you will be forced to un-enroll and re-enroll all of your existing iOS devices. Steps to un-enroll an iOS device can be found here.


5. How do I know if my APNs certificate is about to expire?
a. Apple should send an email notification to the Apple ID that requested the certificate at 30 days, 10 days and 1 day prior to the expiration date. Details about the expiration date can also be viewed from the Intune Blade by going to Device Enrollment –> Apple Enrollment –> Apple MDM Push certificate and viewing the value for Expiration .



6. How do I renew my APNs certificate?
a. If you have a standalone Intune environment, instructions can be found here . If your Intune environment is integrated with Configuration Manager (hybrid), you can find instructions here


7. If I have multiple APNS certificates, how can I tell which certificate I need to renew in the Apple Push Certificates Portal ?
a. On an enrolled iOS device, go to Settings -> General -> Device Management -> Management Profile -> More Details -> Management Profile . Under Topic you will see a unique GUID that you can match up to the correct certificate in the Apple Push Certificates Portal . Here is an example from a test device:


8. How can I change the Apple ID used for my existing APNs certificate?
a. Once a certificate has been requested using an Apple ID, you cannot use a different Apple ID to renew that same cert. However, Apple may be able to associate a new Apple ID with your existing certificate, which can then be used to renew it. Contact Apple support for more information.


Here are a couple problems/solutions we also see many people run into:


When attempting to upload the request file as part of certificate renewal, nothing happens when clicking the Upload button.

First try using another browser when renewing the certificate. If that does not resolve the problem, remove the Intune license from the user account being used to renew the certificate, then reassign the license and try again.


After uploading a new APNs certificate, enrolled devices stop syncing and new devices cannot be enrolled.

This can occur if a new certificate was used instead of renewing the existing certificate. To resolve the problem, renew the certificate originally used and configure that in Intune instead. Note that if you have lost the credentials for the account used to obtain the original certificate, you may be able to contact Apple and provide them the GUID of certificate, and have them assist you in renewing the cert.

Let us know if you have any other questions, we’re happy to continue building out the FAQ!

New Contributor

When I check Apple MDM Push certificate , the status showed Expired, and I am not sure that Apple ID who is, so when I see Configure MDM Push Certificate below , there are Create an Apple MDM Push certificate, and in that environment there is no any ios devices to enroll, so if I create new Apple MDM Push Certificate, is it ok? And if I create it , how can I register it?  Please help me. 

Senior Member

I would also like to know as mentioned above by "Hongwoo Jin".


One of our customer don't have credentials of account which was used for Apple MDM Push Certificate & now certificate is going to expire in 7 days. If I create new apple ID & add that ID to generate certificate then what will be the impact of the same for devices which are already enrolled.

New Contributor

Is there any way to notification mail from MEM (Intune) ?

I know there is some way to combinate several service, but since silverlight portal, Intune has function of send email to IT admin about expiration notice.

But currently nothing about this.

If I missed already current Intune has this function, please tell me.




@Takema_Murata Apple will send 3 emails. In terms of service change notices, and in many regions incident notices, you can sign up in the M365 admin center to get emails or email digests weekly (for message center posts). All of the service messages you see in Microsoft Endpoint Manager (plan for change, incident posts, etc) all originate in M365. Hope this helps!

Version history
Last update:
‎Oct 09 2019 10:15 AM
Updated by: