By J.C. Hornbeck - Sr Support Escalation Engineer | Microsoft Endpoint Manager – Intune
Here in the Intune support organization, we often get questions relating to the Apple MDM push certificate – also known as the Apple Push Notification service (APNs) certificate - and how it plays a role in managing iOS devices. You can find general instructions in Get an Apple MDM Push certificate for Intune, but we want to address other questions and issues that you might have. We reviewed support cases with a few of our Intune support engineers, and collected common questions about APNs certificates and Intune that should help both new and experienced Intune administrators.
Why do I need to configure an APNs certificate in Intune?
Intune uses the Apple Push Notification service to communicate securely to your enrolled iOS devices, and Apple requires that each MDM service utilize their own certificate to establish a secure mechanism for devices to use when communicating on Apple’s push notification messaging network. Without the APNs certificate, devices could not be enrolled or managed by Intune.
How long is the APNs certificate valid?
By default, the APNs certificate is good for one year. This lifespan is determined by Apple. You must be sure to renew your APNs certificate before it expires.
What happens if I don’t renew my APNs certificate before it expires?
If your APNs certificate expires, enrollment of new iOS devices will fail, and you will experience problems managing existing iOS devices until a new APNs certificate is obtained.
IMPORTANT If you renew an expired APNs certificate outside of the grace period (30 days as of this writing), Apple will issue you a brand new certificate. When this happens, because the certificate is now different, you will be forced to unenroll and re-enroll all existing, Intune-managed iOS devices. Steps to unenroll (remove) an iOS device can be found here.
Do I need to renew my APNs certificate, or can I just get a new one?
It is critical that you renew your APNs certificate, not request a new one. This means you must ensure that you use the same Apple ID and renew the same certificate from Apple’s site. If you request a new certificate instead of renewing your existing certificate, you will be forced to unenroll and re-enroll all of your existing iOS devices. Steps to unenroll (remove) an iOS device can be found here.
How do I know if my APNs certificate is about to expire? Apple should send an email notification to the Apple ID that requested the certificate at 30 days, 10 days, and 1 day prior to the expiration date. You can also see certificate expiration dates in the Microsoft Endpoint Manager admin center. Go to Device Enrollment > Apple Enrollment > Apple MDM Push certificate, and under Expiration you will see the date and time.
If I have multiple APNS certificates, how can I tell which certificate I need to renew in the Apple Push Certificates Portal? On an enrolled iOS device, go to Settings > General > Device Management > Management Profile > More Details > Management Profile. Under Topic you will see a unique GUID that you can match up to the correct certificate in the Apple Push Certificates Portal. Here is an example from a test device:
How can I change the Apple ID used for my existing APNs certificate?
Once a certificate has been requested using an Apple ID, you cannot use a different Apple ID to renew that same cert. However, Apple may be able to associate a new Apple ID with your existing certificate, which can then be used to renew it. Contact Apple support for more information.
Here are a couple common problems and solutions we have seen:
Problem When attempting to upload the request file as part of certificate renewal, nothing happens when clicking the Upload button.
Solution First try using another browser when renewing the certificate. If that does not resolve the problem, remove the Intune license from the user account being used to renew the certificate, then reassign the license and try again.
Problem After uploading a new APNs certificate, enrolled devices stop syncing and new devices cannot be enrolled.
Solution This can occur if a new certificate was used instead of renewing the existing certificate. To resolve the problem, renew the certificate originally used and configure that in Intune instead. Note that if you have lost the credentials for the account used to obtain the original certificate, you may be able to contact Apple for assistance, and give them the certificate GUID of certificate.
Let us know if you have any other questions by replying to this post or reach out to @IntuneSuppTeam on Twitter - we’re happy to continue building out the FAQ!
01/20/23: Updated Apple's support URLs based on customer feedback. Thanks for the feedback!