Intune and the APNs certificate: FAQ and common issues

Published Oct 30 2018 11:34 AM
Microsoft

First published on TechNet on Jun 11, 2018

Updated: 8/20/21 - Post refresh.

By J.C. Hornbeck - Sr Support Escalation Engineer | Microsoft Endpoint Manager – Intune

 

Here in the Intune support organization, we often get questions relating to the Apple MDM push certificate – also known as the Apple Push Notification service (APNs) certificate - and how it plays a role in managing iOS devices. You can find general instructions in Get an Apple MDM Push certificate for Intune, but we want to address other questions and issues that you might have. We reviewed support cases with a few of our Intune support engineers, and collected common questions about APNs certificates and Intune that should help both new and experienced Intune administrators.  

 

Why do I need to configure an APNs certificate in Intune?

Intune uses the Apple Push Notification service to communicate securely to your enrolled iOS devices, and Apple requires that each MDM service utilize their own certificate to establish a secure mechanism for devices to use when communicating on Apple’s push notification messaging network. Without the APNs certificate, devices could not be enrolled or managed by Intune.

 

How long is the APNs certificate valid?

By default, the APNs certificate is good for one year. This lifespan is determined by Apple. You must be sure to renew your APNs certificate before it expires.

 

What happens if I don’t renew my APNs certificate before it expires?

If your APNs certificate expires, enrollment of new iOS devices will fail and you will experience problems managing existing iOS devices until a new APNs certificate is obtained.

 

 

IMPORTANT: If you renew an expired APNs certificate outside of the grace period (30 days as of this writing), Apple will issue you a brand new certificate. When this happens, because the certificate is now different, you will be forced to unenroll and re-enroll all existing, Intune-managed iOS devices. Steps to unenroll (remove) an iOS device can be found here.

 

Do I need to renew my APNs certificate or can I just get a new one?

It is critical that you renew your APNs certificate, not request a new one. This means you must ensure that you use the same Apple ID and renew the same certificate from Apple’s site. If you request a new certificate instead of renewing your existing certificate, you will be forced to unenroll and re-enroll all of your existing iOS devices. Steps to unenroll (remove) an iOS device can be found here.

 

How do I know if my APNs certificate is about to expire?
Apple should send an email notification to the Apple ID that requested the certificate at 30 days, 10 days, and 1 day prior to the expiration date. You can also see certificate expiration dates in the Microsoft Endpoint Manager admin center. Go to Device Enrollment > Apple Enrollment > Apple MDM Push certificate, and under Expiration you will see the date and time.

 

 

How do I renew my APNs certificate?

For instructions, see Get an Apple MDM push certificate.

 

If I have multiple APNS certificates, how can I tell which certificate I need to renew in the Apple Push Certificates Portal?
On an enrolled iOS device, go to Settings > General > Device Management > Management Profile > More Details > Management Profile. Under Topic you will see a unique GUID that you can match up to the correct certificate in the Apple Push Certificates Portal. Here is an example from a test device:

 

 

How can I change the Apple ID used for my existing APNs certificate?

Once a certificate has been requested using an Apple ID, you cannot use a different Apple ID to renew that same cert. However, Apple may be able to associate a new Apple ID with your existing certificate, which can then be used to renew it. Contact Apple support for more information.

 

Here are a couple of common problems and solutions we have seen:

 

Problem
When attempting to upload the request file as part of certificate renewal, nothing happens when clicking the Upload button.

 

Solution
First try using another browser when renewing the certificate. If that does not resolve the problem, remove the Intune license from the user account being used to renew the certificate, then reassign the license and try again.

 

-----

 

Problem
After uploading a new APNs certificate, enrolled devices stop syncing and new devices cannot be enrolled.

 

Solution
This can occur if a new certificate was used instead of renewing the existing certificate. To resolve the problem, renew the certificate originally used and configure that in Intune instead. Note that if you have lost the credentials for the account used to obtain the original certificate, you may be able to contact Apple for assistance and give them the GUID of the certificate.
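
The renewal rules in this FAQ, turned into a check (an added example, not code from the original post or from Microsoft): it takes a certificate record shaped like the Microsoft Graph `applePushNotificationCertificate` resource, classifies it against the 30-day reminder and grace windows stated above, and compares its Topic GUID with the one shown on an enrolled device. The sample record, the status names and the `assess` helper are constructed for illustration, and fetching the record from the tenant is left out.

```python
import re
from datetime import datetime, timezone

GRACE_DAYS = 30              # post-expiry renewal window stated in the FAQ
REMINDER_DAYS = (30, 10, 1)  # days before expiry when Apple emails the Apple ID
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample, shaped like Graph's applePushNotificationCertificate.
SAMPLE_CERT = {
    "appleIdentifier": "mdm-admin@example.com",
    "topicIdentifier": "com.apple.mgmt.External.11111111-2222-3333-4444-555555555555",
    "expirationDateTime": "2025-03-01T00:00:00Z",
}


def topic_guid(topic):
    """Return the lower-cased GUID found in a Topic string, or None."""
    match = GUID_RE.search(topic or "")
    return match.group(0).lower() if match else None


def parse_utc(stamp):
    """Parse an ISO 8601 timestamp ending in Z (or an offset) as aware UTC."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def assess(cert, now, device_topic=None):
    """Classify a certificate record at time `now` (timezone-aware)."""
    seconds_left = (parse_utc(cert["expirationDateTime"]) - now).total_seconds()
    days_left = int(seconds_left // 86400)  # floors, so negative once expired
    if seconds_left > REMINDER_DAYS[0] * 86400:
        status = "ok"
    elif seconds_left > 0:
        status = "renew_now"            # inside Apple's reminder window
    elif -seconds_left <= GRACE_DAYS * 86400:
        status = "expired_in_grace"     # same certificate can still be renewed
    else:
        status = "expired_past_grace"   # new certificate: devices re-enroll
    topic_match = None                  # None means no device Topic supplied
    if device_topic is not None:
        wanted = topic_guid(device_topic)
        have = topic_guid(cert.get("topicIdentifier"))
        topic_match = wanted is not None and wanted == have
    return {
        "status": status,
        "days_left": days_left,
        "renew_with_apple_id": cert.get("appleIdentifier"),
        "reminders_expected": [d for d in REMINDER_DAYS if days_left <= d],
        "topic_match": topic_match,
    }


if __name__ == "__main__":
    now = datetime(2025, 2, 20, tzinfo=timezone.utc)
    print(assess(SAMPLE_CERT, now, "11111111-2222-3333-4444-555555555555"))
```

A `topic_match` of `False` for a certificate about to be uploaded is the situation in the second problem above: the file is a new certificate, not a renewal of the one the devices enrolled with.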

 

Let us know if you have any other questions by replying to this post or reach out to @IntuneSuppTeam on Twitter - we’re happy to continue building out the FAQ!

6 Comments
New Contributor

When I check Apple MDM Push certificate, the status shows Expired, and I am not sure whose Apple ID it is. When I look at Configure MDM Push Certificate below, there is Create an Apple MDM Push certificate, and in that environment there are no iOS devices to enroll, so if I create a new Apple MDM Push Certificate, is it OK? And if I create it, how can I register it? Please help me.

Senior Member

I would also like to know as mentioned above by "Hongwoo Jin".

 

One of our customers doesn't have the credentials of the account which was used for the Apple MDM Push Certificate, and now the certificate is going to expire in 7 days. If I create a new Apple ID and add that ID to generate a certificate, what will be the impact on devices which are already enrolled?

New Contributor

Is there any way to get a notification mail from MEM (Intune)?

I know there is some way to combine several services, but since the Silverlight portal, Intune has the function of sending email to the IT admin about the expiration notice.

But currently nothing about this.

If I missed already current Intune has this function, please tell me.

 

 

 

@Takema_Murata Apple will send 3 emails. In terms of service change notices, and in many regions incident notices, you can sign up in the M365 admin center to get emails or email digests weekly (for message center posts). All of the service messages you see in Microsoft Endpoint Manager (plan for change, incident posts, etc) all originate in M365. Hope this helps!

Visitor

Hi,

 

I have a query: suppose I create custom roles in Endpoint Manager (Intune), assign this custom role to an admin account, and remove the "Intune Administrator" Azure role from the same admin account. Will I be able to renew the APNS certificate?

I am aware that I can renew the APNS certificate with the "Intune Administrator" Azure role, but I just want to understand if there is any permission required from a custom role in Endpoint Manager (Intune).

While creating a custom role in Intune, on the Permissions page I can see "Managed Google Play" and "Microsoft Store for Business" with Modify and Read permissions. I just wondered if any similar permission settings exist for APNS, or is there any other page I need to check for this?

I have seen most of the MS docs but found no feasible solution. I need to understand how this scenario gets sorted out.

