cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Endpoint integration with ABM - All devices now non compliant

km1990199
Copper Contributor

‎Aug 02 2023 05:16 AM

‎Aug 02 2023 05:16 AM

Endpoint integration with ABM - All devices now non compliant

In June we updated an expired certificate and now it's not allowing devices to connect to Endpoint Manager or receive any form of commands or application updates. Majority of devices are now showing as non-compliant. 

km1990199_1-1690977735667.png

 

 

1 - Apple Business Manager and Endpoint Manager sync is correct and token is the latest but I assume this only affects enrolment. 

km1990199_0-1690977672604.png

2) Devices can be enrolled but wanted to show this step was covered. 

3) Apple VPP Token properties is showing as below. It shows the correct Apple ID also at this point. 

km1990199_2-1690977800370.png

4) MDM Push Certificate has been updated also, but I don't know if this would affect the devices connecting to InTune and reporting to Endpoint manager. 

km1990199_4-1690977945664.png

 

I'm really confused because all of the signs inside of Endpoint Manager look correct, I've followed full re-installation guides step by step and I feel like I'm missing something? 

 

Anyone experience this before? 

 

Regards,

Kurtis

 

744 Views
0 Likes
6 Replies
Reply
6 Replies
Mathg76

‎Aug 02 2023 05:41 AM

‎Aug 02 2023 05:41 AM

Re: Endpoint integration with ABM - All devices now non compliant

@km1990199 

 

Never see this before, first i would see what are not compliant, you should be able to see it and click on device who is not compliant or in grace period on each device you should see like this

Mathg76_0-1690980051964.png

If nothing there you should raise a ticket at Microsoft.

0 Likes
Reply
km1990199

‎Aug 09 2023 12:36 AM

‎Aug 09 2023 12:36 AM

Re: Endpoint integration with ABM - All devices now non compliant

@Mathg76 Thanks for the reply, I think we know what's causing it. The cert was generated as new from Apple Business Manager/Apple Cert manager instead of renewing the old cert. 

 

Problem is getting back into the correct cert manager. Struggling with that currently. 

0 Likes
Reply
Mathg76

‎Aug 09 2023 05:28 AM

‎Aug 09 2023 05:28 AM

Re: Endpoint integration with ABM - All devices now non compliant

Hi.
Well those certs drive me nuts sometimes but its a safe way to see if device is ok in the system.
Thanks for the news! i appreciate it!
0 Likes
Reply
Martin Front

‎Aug 10 2023 01:22 AM

‎Aug 10 2023 01:22 AM

Re: Endpoint integration with ABM - All devices now non compliant

If the certificates have been expired and you generate a new cert you need to re-enroll the devices to be able to manage those again.

In some cases Apple can re-activate the old certificate based on how many devices that are affected and when in time it expired.

Good luck, been there and needed to re-enroll all devices.
0 Likes
Reply
km1990199

‎Aug 10 2023 01:52 AM

‎Aug 10 2023 01:52 AM

Re: Endpoint integration with ABM - All devices now non compliant

@Martin Front Yeah that looks the way, unfortunately the original configurators decided to use a personal phone for 2FA into the cert system. So now Apple won't allow us back into that system to renew the cert and re-upload it. 

0 Likes
Reply
Martin Front

‎Aug 10 2023 02:04 AM

‎Aug 10 2023 02:04 AM

Re: Endpoint integration with ABM - All devices now non compliant

I assume we´re talking about the APN-certificate here (what you refer to as MDM Push certificate). That´s the most crucial certificate to manage.

If you don´t get any help from Apple you need to re-enroll all devices, you have two options there:
1. Do a full reset of the device and go through the automated enrollment again to have it in supervised mode.

2. Re-enroll the devices manually with company portal, it will not be supervised but at least you can manage the devices in some way and the users don´t need to reset their devices.

And over time you can reset the devices when it comes in for change or whatever. But you do lose the supervised features.
1 Like
Reply