Intune and the APNs certificate: FAQ and common issues
Published Oct 30 2018 11:34 AM 145K Views
Microsoft

First published on TechNet on Jun 11, 2018

Updated: 8/20/21 - Post refresh.

By J.C. Hornbeck - Sr Support Escalation Engineer | Microsoft Endpoint Manager – Intune

Here in the Intune support organization, we often get questions relating to the Apple MDM push certificate – also known as the Apple Push Notification service (APNs) certificate - and how it plays a role in managing iOS devices. You can find general instructions in Get an Apple MDM Push certificate for Intune, but we want to address other questions and issues that you might have. We reviewed support cases with a few of our Intune support engineers, and collected common questions about APNs certificates and Intune that should help both new and experienced Intune administrators.  

Why do I need to configure an APNs certificate in Intune?

Intune uses the Apple Push Notification service to communicate securely with your enrolled iOS devices. Apple requires that each MDM service use its own certificate to establish a secure channel for devices to use when communicating on Apple’s push notification messaging network. Without the APNs certificate, devices cannot be enrolled in or managed by Intune.

How long is the APNs certificate valid?

By default, the APNs certificate is good for one year. This lifespan is determined by Apple. You must be sure to renew your APNs certificate before it expires.

What happens if I don’t renew my APNs certificate before it expires?

If your APNs certificate expires, enrollment of new iOS devices will fail, and you will experience problems managing existing iOS devices until a new APNs certificate is obtained.

IMPORTANT If you renew an expired APNs certificate outside of the grace period (30 days as of this writing), Apple will issue you a brand new certificate. When this happens, because the certificate is now different, you will be forced to unenroll and re-enroll all existing, Intune-managed iOS devices. Steps to unenroll (remove) an iOS device can be found here.

Do I need to renew my APNs certificate, or can I just get a new one?

It is critical that you renew your APNs certificate, not request a new one. This means you must ensure that you use the same Apple ID and renew the same certificate from Apple’s site. If you request a new certificate instead of renewing your existing certificate, you will be forced to unenroll and re-enroll all of your existing iOS devices. Steps to unenroll (remove) an iOS device can be found here.

How do I know if my APNs certificate is about to expire?

Apple should send an email notification to the Apple ID that requested the certificate at 30 days, 10 days, and 1 day prior to the expiration date. You can also see certificate expiration dates in the Microsoft Endpoint Manager admin center. Go to Device Enrollment > Apple Enrollment > Apple MDM Push certificate, and under Expiration you will see the date and time.

How do I renew my APNs certificate?

For instructions, see Get an Apple MDM push certificate.

If I have multiple APNs certificates, how can I tell which certificate I need to renew in the Apple Push Certificates Portal?

On an enrolled iOS device, go to Settings > General > Device Management > Management Profile > More Details > Management Profile. Under Topic you will see a unique GUID that you can match up to the correct certificate in the Apple Push Certificates Portal. Here is an example from a test device:

How can I change the Apple ID used for my existing APNs certificate?

Once a certificate has been requested using an Apple ID, you cannot use a different Apple ID to renew that same cert. However, Apple may be able to associate a new Apple ID with your existing certificate, which can then be used to renew it. Contact Apple support for more information.

Here are a couple of common problems and solutions we have seen:

Problem
When attempting to upload the request file as part of certificate renewal, nothing happens when clicking the Upload button.

Solution
First try using another browser when renewing the certificate. If that does not resolve the problem, remove the Intune license from the user account being used to renew the certificate, then reassign the license and try again.

-----

Problem
After uploading a new APNs certificate, enrolled devices stop syncing and new devices cannot be enrolled.

Solution
This can occur if a new certificate was requested instead of renewing the existing one. To resolve the problem, renew the certificate originally used and configure that in Intune instead. If you have lost the credentials for the Apple ID used to obtain the original certificate, you may be able to contact Apple for assistance; give them the GUID of that certificate (the value shown under Topic on an enrolled device).
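
As an added example (not part of the original post or of Intune), the script below takes the output of `openssl x509 -noout -subject -enddate` run against a push certificate .pem, pulls out the Topic GUID so it can be compared with the Topic shown under a device's Management Profile (the same mismatch that surfaces as "Topic ID does not match the existing certificate" when uploading the wrong .pem), and classifies the expiry against the 30-day grace period described above. The sample openssl output, GUID and dates are constructed, and treating the grace-period boundary as inclusive is an assumption.

```python
import math
import re
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -in <push cert>.pem -noout -subject -enddate`
# output; the GUID and date are made up. Real push certs carry the topic in UID.
SAMPLE_OPENSSL_OUTPUT = """\
subject=UID = com.apple.mgmt.External.3f2a1b9c-7d4e-4a6b-9c1d-0e5f6a7b8c9d, CN = APSP:3f2a1b9c-7d4e-4a6b-9c1d-0e5f6a7b8c9d, C = US
notAfter=Jun 11 09:00:00 2025 GMT
"""

GRACE_DAYS = 30  # renewal grace period stated in the post; boundary treated as inclusive


def parse_push_cert(openssl_text):
    """Return (topic, not_after UTC datetime); handles 'UID = x' and '/UID=x' layouts."""
    m = re.search(r"UID\s*=\s*(com\.apple\.mgmt\.External\.[0-9A-Fa-f-]+)", openssl_text)
    if not m:
        raise ValueError("subject has no com.apple.mgmt.External UID; not an MDM push cert?")
    topic = m.group(1)
    m = re.search(r"^notAfter=(.+)$", openssl_text, re.MULTILINE)
    if not m:
        raise ValueError("no notAfter line in openssl output")
    not_after = datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
    return topic, not_after.replace(tzinfo=timezone.utc)


def topics_match(cert_topic, device_topic):
    """Compare the cert topic with the Topic shown under the device's Management Profile.
    Accepts the full topic or just the GUID, in any letter case."""
    cert_guid = cert_topic.rsplit(".", 1)[-1].lower()
    device_guid = device_topic.strip().rsplit(".", 1)[-1].lower()
    return cert_guid == device_guid


def renewal_status(not_after, now_iso=None):
    """Return (status, days_left); days_left goes negative once expired.
    'expired_renewable': same cert can still be renewed within the grace period.
    'expired_new_cert_required': Apple issues a brand-new cert; all iOS devices
    must be unenrolled and re-enrolled. now_iso must carry a UTC offset."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    days_left = math.floor((not_after - now).total_seconds() / 86400)
    if days_left >= 0:
        return "valid", days_left
    if -days_left <= GRACE_DAYS:
        return "expired_renewable", days_left
    return "expired_new_cert_required", days_left


if __name__ == "__main__":
    topic, not_after = parse_push_cert(SAMPLE_OPENSSL_OUTPUT)
    print("topic:", topic, "| expires:", not_after.isoformat())
    print("matches device Topic:", topics_match(topic, "3F2A1B9C-7D4E-4A6B-9C1D-0E5F6A7B8C9D"))
    print("status today:", renewal_status(not_after))
```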

Let us know if you have any other questions by replying to this post or reach out to @IntuneSuppTeam on Twitter - we’re happy to continue building out the FAQ!

Post Updates:

01/20/23: Updated Apple's support URLs based on customer feedback. Thanks for the feedback!

25 Comments
Copper Contributor

When I check Apple MDM Push certificate, the status showed Expired, and I am not sure who that Apple ID is, so when I see Configure MDM Push Certificate below, there is Create an Apple MDM Push certificate, and in that environment there are no iOS devices to enroll, so if I create a new Apple MDM Push Certificate, is it ok? And if I create it, how can I register it? Please help me.

Copper Contributor

I would also like to know as mentioned above by "Hongwoo Jin".

One of our customers doesn't have the credentials of the account which was used for the Apple MDM Push Certificate, and now the certificate is going to expire in 7 days. If I create a new Apple ID and add that ID to generate a certificate, then what will be the impact on devices which are already enrolled?

Copper Contributor

Is there any way to get a notification mail from MEM (Intune)?

I know there is some way to combine several services, but since the Silverlight portal, Intune has had a function to send email to the IT admin about expiration notices.

But currently there is nothing about this.

If I missed that current Intune already has this function, please tell me.

@Takema_Murata Apple will send 3 emails. In terms of service change notices, and in many regions incident notices, you can sign up in the M365 admin center to get emails or email digests weekly (for message center posts). All of the service messages you see in Microsoft Endpoint Manager (plan for change, incident posts, etc.) originate in M365. Hope this helps!

Copper Contributor

Hi,

I have a query: suppose I create custom roles in Endpoint Manager (Intune), assign this custom role to an admin account, and remove the "Intune Administrator" Azure role from the same admin account. Will I be able to renew the APNS certificate?

I am aware that I can renew the APNS certificate with the "Intune Administrator" Azure role. But I just want to understand if there is any permission required from a custom role in Endpoint Manager (Intune)?

While creating a custom role in Intune, on the Permissions page I can see "Managed Google Play" and "Microsoft Store for Business" with Modify and Read permissions. Just thought, do any similar permission settings exist for APNS? Or is there any other page I need to check?

I have seen most of the MS docs but found no feasible solution. I need to understand how this scenario gets sorted out.

Copper Contributor

Will it have any impact on iOS devices which are already enrolled through MAM-WE enrollment?

Copper Contributor

If the certificate expires and you replace the certificate, as is necessary, what is the effect on currently enrolled devices? Will the managed apps and configurations automatically be removed after a certain amount of time? Or will there be no change at all until re-enrolled?

Basically, I understand from an IT management perspective, we will have no visibility and configurability on these devices. But is it worth disrupting the user's time to force them to re-enroll if they are BYOD? For company issued devices, I perceive this as being critical, but personal devices could be pushed off. 

Hi @Yogesh-Shede, please see our documentation on creating a custom role in Intune to learn more about custom roles in Intune.

@Birendrakumar, an Apple MDM Push certificate is required to manage iOS/iPadOS and macOS devices in Microsoft Intune and enables devices to enroll via the Intune Company Portal app or Apple bulk enrollment methods, such as the Device Enrollment Program, Apple School Manager, and Apple Configurator. If you are not currently managing devices via MDM, then no further action is required. To learn more about obtaining an Apple MDM push certificate with Intune, please see: Get an Apple MDM Push certificate for Intune to learn more.

@mattb_known, it is recommended that the certificate be renewed before it expires to avoid any chance of interruptions. Note that the associated Apple ID will receive an email notification from Apple's Push Notification Service with a reminder that the certificate will expire soon. You could also set up custom alerts to renew ahead of time to maintain the connection between your Intune tenant and Apple account prior to its expiration. Keep in mind that the MDM push certificate will be associated with the Apple ID you previously used to create it; renew the certificate with this same Apple ID. If the Apple MDM certificate is deleted, you will need to reset and re-enroll devices with a new certificate.

To learn more about Apple MDM push certificates (including VPP tokens or Apple Business Manager location tokens), please see our docs below:

Get an Apple MDM Push certificate for Intune

Manage Apple volume-purchased apps

Copper Contributor

@Intune_Support_Team I understand the recommendation and agree with the recommendation, however this does not answer my question. What is the effect of not re-enrolling a device after the certificate has been renewed with a new certificate? Do the apps and configurations of this device become un-configured after a period of time? Or does nothing change? I've reviewed all documentation and no mention is made. Every time I've seen this question asked in other forums this answer is stated. I want a better understanding of the sense of urgency we need to place on asking users to re-enroll their BYOD.

Brass Contributor

Ok, so I completed all the steps to renew the MDM Push certificate in the Apple portal, but when I go to upload the new .pem file in Intune, I get presented an error message saying "Topic ID does not match the existing certificate".  What does that mean? 

I think (not 100% sure), but I think the Apple ID was changed after we federated the IDs with our Azure AD so that users signed into devices using their Azure AD credentials, which forced our original Apple ID to change as well to something with .appleid.com at the end.  The certificate in the Intune portal still has the old Apple ID showing, but I sign into the Apple portal with a different one.  

Can I just delete the one in Intune portal and upload the new .pem file that I have?  Will that work without causing me to re-enroll all devices?

Copper Contributor

I believe that changing the Apple ID in Apple Business Manager and creating new certificates may have a bad effect on all your enrolled Apple devices.

There are two certificates sets, those for enrolling the Apple Devices and those for the Volume Purchase Programme (Apps and Books).

If you look at the original certificates in Intune you should be able to determine the original Apple ID from them, under the yellow line in the image below:

AppleID.png

And the VPP Token

VPP Token.png

If you have control of the email domain for the appleID it should be an easy enough job to have the email address directed to someone in the organisation in order to reset the password for the ID and give you access.

Brass Contributor

@Statler The Apple IDs are different for the VPP Token and push certificate. However, we federated the domain and now the old Apple ID that was used to set up the MDM Push Cert can't be used anymore since it is only an email address and not an actual account in our AD so there is no password to use. We now have an Apple managed ID for management on the ABM side and that is what was used for the VPP token after the setup was complete. I wasn't the one that set this up, so now I'm trying to understand how and then fix it. I did call Apple support yesterday and they are helping me figure it out. Hopefully they can do something so I don't have to re-enroll all the devices.

Copper Contributor

@dhood82 

Ahh, that's a pickle.

When we federated our main domain, we had the opportunity to change the email address(es) associated with the AppleID(s) so that we could still access them. We were lucky enough to have control of all the affected AppleIDs.

You should also approach the Business Team in your local Apple Store, they can help put you in touch with some of their Geniuses who have insight into the MDM space.

I hope you get sorted, please update us if you can. There is little enough Apple / Intune information available.

Bronze Contributor

@J.C. Hornbeck The "Contact Apple Support" and "Contact Apple" links need to be updated to point to this page: Contact Apple for help with Apple Push Notification service certificates - Apple Support

Hi @Ryan Steele, URLs have been updated, thanks for the feedback!

Copper Contributor

Hello @Intune_Support_Team 

If I create a new certificate on my account but do not replace the existing one created with another apple ID on intune platform, will my new certificate create any issues or the existing certificate previously created will be used?

Hi @amycreatza, if a new Apple MDM certificate is created instead of renewing, your current certificate may become invalid, and devices leveraging the old certificate (including the enrollment and management of new iOS devices) may fail.

Note that the associated Apple ID will receive an email notification from Apple's Push Notification Service with a reminder that the certificate will expire soon, and it is recommended that the certificate be renewed before it expires to avoid any chance of interruptions.

Brass Contributor

@Statler @Intune_Support_Team I was able to get Apple Support (with little to no headache) to change the Apple ID associated with my old expired MDM Push certificate to the new managed Apple ID and everything worked out great.  I clicked to renew the certificate once their part was done, downloaded my new cert and uploaded that to Intune with success.  

(PS, I think I may have just gotten lucky, lol)

Copper Contributor

@Intune_Support_Team  

The certificate was created from a different account than the one used for the initial certificate, and it was not replaced in Intune. From what I see in the tenant, all config profiles and compliance policies work on macOS devices; I don't have any errors there. In Intune the old certificate is present.

Copper Contributor

We used to receive an email notification from Apple's Push Notification Service with a reminder that the certificate will expire soon, but this has stopped in the last 2 years, for unknown reasons.

Does anyone have the sender email address of this notification so we can run Exchange Online message traces?

Perhaps it would be a good idea to have an email sent from Microsoft as well.

Copper Contributor

Hello,

We had an issue a few weeks ago with our certificate; we had to create a new one and, as expected, all our devices were unenrolled.

We now finally managed to renew the original certificate and we would like to update it in Intune.

However, after selecting the .pem file and pressing the "Upload" button, we get the following error message: "Topic ID does not match the existing certificate".

Does anyone know how to solve this ?

I saw in this forum that it could be due to different Apple ID being used but that does not seem to be our case.

Can we press the "Delete" button in the "Configure MDM Push Certificate" page and start again ?

Thanks !

Copper Contributor

@dhood82 

When uploading the renewed certificate to Intune (with your new associated Apple ID), did you input the old Apple ID or the new associated ID? Thanks!

ogo20_0-1706832444017.png

Hi @ogo-20, we can help here! Regarding the screenshot you've shared, you'll want to use the same Apple ID you used to create the MDM Push certificate (and upload) in the Microsoft Intune admin center.

Occasional Reader

I am unable to download the CSR.  I keep getting an error stating "Failed to dynamically fetch target download uri.  Error details: [object Object]"

I've tried different browsers (Safari, Chrome, Edge) on Mac and Windows.  All result in the same error.

Screenshot 2024-03-26 at 12.51.15 PM.png

Version history
Last update: Jan 30 2023 09:33 AM