Here in the Intune support organization, we often get questions relating to the Apple MDM push certificate – also known as the Apple Push Notification service (APNs) certificate - and how it plays a role in managing iOS devices. We have a lot of great documentation on this, for example our article here, but there are many other general questions and issues that don’t necessarily fall into any specific category. That’s where this post comes in. We’ve looked at the support cases we get and talked to a few of our Intune support engineers, and the result is a general Intune/APNs FAQ which we have below. Whether you’re new to Intune or a veteran, there should be something in here that will help just about everyone.
1. Why do I need to configure an APNs certificate in Intune?
a. Intune uses the Apple Push Notification service to communicate securely to your enrolled iOS devices, and Apple requires that each MDM service utilize their own certificate to establish a secure mechanism for devices to use when communicating on Apple’s push notification messaging network. Without the APNs certificate, device could not be enrolled or managed by Intune.
2. How long is the APNs certificate valid?
a. By default, the APNs certificate is good for one year. This lifespan is determined by Apple. You must be sure to renew your APNs certificate before it expires.
3. What happens if I don’t renew my APNs certificate before it expires?
a. If your APNs certificate expires, enrollment of new iOS devices will fail, and you may experience problems managing existing iOS devices until the certificate is renewed.
4. Do I need to renew my APNs certificate or can I just get a new one?
a. It is critical that you renew your APNs certificate, not request a new one. This means you must ensure that you use the same Apple ID and renew the same certificate from Apple’s site. If you request a new certificate instead of renewing your existing certificate, you will be forced to un-enroll and re-enroll all of your existing iOS devices. Steps to un-enroll an iOS device can be found here.
5. How do I know if my APNs certificate is about to expire?
a. Apple should send an email notification to the Apple ID that requested the certificate at 30 days, 10 days and 1 day prior to the expiration date. Details about the expiration date can also be viewed from the Intune Blade by going to Device Enrollment –> Apple Enrollment –> Apple MDM Push certificate and viewing the value for Expiration.
6. How do I renew my APNs certificate?
a. If you have a standalone Intune environment, instructions can be found here. If your Intune environment is integrated with Configuration Manager (hybrid), you can find instructions here. SCCM
7. If I have multiple APNS certificates, how can I tell which certificate I need to renew in the Apple Push Certificates Portal?
a. On an enrolled iOS device, go to Settings -> General -> Device Management -> Management Profile -> More Details -> Management Profile. Under Topic you will see a unique GUID that you can match up to the correct certificate in the Apple Push Certificates Portal. Here is an example from a test device:
8. How can I change the Apple ID used for my existing APNs certificate?
a. Once a certificate has been requested using an Apple ID, you cannot use a different Apple ID to renew that same cert. However, Apple may be able to associate a new Apple ID with your existing certificate, which can then be used to renew it. Contact Apple support for more information.
Here are a couple problems/solutions we also see many people run into:
When attempting to upload the request file as part of certificate renewal, nothing happens when clicking the Upload button.
First try using another browser when renewing the certificate. If that does not resolve the problem, remove the Intune license from the user account being used to renew the certificate, then reassign the license and try again.
After uploading a new APNs certificate, enrolled devices stop syncing and new devices cannot be enrolled.
This can occur if a new certificate was used instead of renewing the existing certificate. To resolve the problem, renew the certificate originally used and configure that in Intune instead. Note that if you have lost the credentials for the account used to obtain the original certificate, you may be able to contact Apple and provide them the GUID of certificate, and have them assist you in renewing the cert.
Let us know if you have any other questions, we’re happy to continue building out the FAQ!