Apple Push Notification certificates

The Apple Push Notification (APN) certificate is essential for Mobile Device Management (MDM) services to communicate with Apple devices. This document provides a step-by-step guide on obtaining, renewing, and managing APN certificates to ensure uninterrupted service.

The Apple Push Notification Service (APNs) is used to notify Apple devices to check in with their assigned MDM Server. For your MDM Server to communicate with Apple devices using the APNs, your MDM Server needs to be configured with an Apple push certificate and key. Obtaining an APNs certificate is only required if you plan to deploy the BigFix MCM Apple service or BigFix PlugIn.

Obtaining APN Certificate

Prerequisites:
  • Apple ID (preferably a corporate Apple ID for better management). To obtain a push certificate from Apple, as a BigFix Administrator you require an Apple ID that is associated with your enterprise. You can create an Apple ID on the Apple ID web portal. Use a company email address for this Apple ID; ideally it should resolve to a distribution list that is monitored by more than one person. The Apple ID is needed when you log in to the Apple portal to create a push certificate for your MDM Server, and the push certificate that you obtain is tied to that Apple ID.
  • Access to the Apple Push Certificates Portal: https://identity.apple.com/pushcert
  • A Certificate Signing Request (CSR) file from BigFix.

Steps

Generating an APNs certificate requires the following steps:

  1. Create a CSR request
  2. Have BigFix sign the CSR request (via email to BFAppleCSR@hcl.com)
  3. Have Apple countersign the CSR and generate the APNs certificate through the Apple portal

For the commands and details for executing the above steps, see Generating APNs certificate.

The APNs certificate and keys can then be uploaded to the BigFix MDM server via the WebUI. See Install BigFix MDM Service for Apple.

Validity of APN Certificate

Expiry Information

  • APN certificates are valid for one year from the date of issuance.
  • Renew before expiration to avoid disruption in MDM communication.

How to Know About the Expiry

  • WebUI Dashboard Notification: the WebUI Dashboard shows an alert when the certificate nears expiration.
  • Email Alerts from Apple: Apple sends email reminders to the Apple ID used for registration.
  • Check Manually:
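A manual expiry check of the exported certificate, added here as an example and not part of the BigFix documentation. It assumes the push certificate (and optionally its private key) has been exported as PEM files and that the openssl command is on PATH; the date parsing and the 30-day renewal threshold are pure standard library, and the key check guards against uploading a renewed certificate that does not belong to the saved key.

```python
"""Manual expiry check for an Apple Push (APNs) MDM certificate.
Added example (not BigFix code). Assumes PEM exports and `openssl` on PATH;
the parsing/threshold logic below needs only the standard library."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 30  # the doc recommends renewing at least a month ahead

def parse_openssl_enddate(line):
    """Parse 'notAfter=Mar  4 12:00:00 2026 GMT' (output of openssl x509 -enddate)."""
    _, _, value = line.strip().partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)  # openssl prints notAfter in GMT

def classify_expiry(not_after, now=None, window_days=RENEWAL_WINDOW_DAYS):
    """Return (status, days_remaining); status is EXPIRED, RENEW_SOON or OK."""
    now = now or datetime.now(timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "EXPIRED", remaining.days
    if remaining <= timedelta(days=window_days):
        return "RENEW_SOON", remaining.days
    return "OK", remaining.days

def _openssl(*args):
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout

def read_enddate(cert_pem):
    """Ask openssl for the certificate's notAfter field."""
    return parse_openssl_enddate(_openssl("x509", "-noout", "-enddate", "-in", cert_pem))

def key_matches_cert(cert_pem, key_pem, passphrase_env=None):
    """True if the saved private key belongs to the certificate about to be uploaded.
    Catches the 'renewed with a different CSR/key' mistake before devices drop off."""
    key_args = ["pkey", "-pubout", "-in", key_pem]
    if passphrase_env:  # key password is read from an environment variable, not argv
        key_args += ["-passin", f"env:{passphrase_env}"]
    return _openssl("x509", "-noout", "-pubkey", "-in", cert_pem) == _openssl(*key_args)

if __name__ == "__main__":
    # usage: python apns_check.py apns_cert.pem [apns_key.pem]
    status, days = classify_expiry(read_enddate(sys.argv[1]))
    print(f"{status}: {days} days until the APNs certificate expires")
    if len(sys.argv) > 2:
        print("key matches certificate:", key_matches_cert(sys.argv[1], sys.argv[2]))
```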

Renewing APN Certificate

You must renew your APNs certificate within the validity period, before it expires. For detailed instructions, refer to Renew APNs certificate and update Apple MDM service.

Updating Renewed APN Certificate

Use Fixlet 409 Update Apple Push Certificate to update the Apple Push certificate on the BigFix Apple MDM service in the following scenarios. For detailed instructions, refer to Update Apple push certificate.

Best Practices for Managing Apple Push Certificates

  • Use a corporate Apple ID to prevent access issues.
  • Limit Apple ID access to authorized personnel only.
  • Set reminders to renew at least a month before expiration.
  • Make sure you save the original CSR, key, and password.
  • Back up the currently working APN certificate before updating or renewing it.
  • Monitor the warnings on the BigFix WebUI dashboard.

Issues due to invalid APN certificate

The following are some issues you might encounter if the APN certificate becomes invalid due to expiration, incorrect renewal, or other issues:

  • New device enrollment might not show up in BigFix WebUI and Console.
  • Devices might stop receiving commands from the MDM server.
  • Policies, configurations, and app deployments might be disrupted.
  • The MDM server might lose communication with Apple devices.
  • Security updates and restrictions might not be applied.
  • Remote actions, such as locking or wiping lost or stolen devices, might become unavailable.
  • If you have used a different CSR than the original one for renewal, you might have to manually re-enroll all devices.

Troubleshooting

If you experience issues with the APN certificate:

  • Check the expiry date of the APN certificate in the Device doc from WebUI Verify Certificate.
  • Ensure the renewed certificate is correctly uploaded.
  • Check the network firewall to ensure APNs traffic is not blocked.
  • Re-enroll devices (if necessary): if the certificate is replaced instead of renewed, devices may need re-enrollment.

Frequently Asked Questions

What happens if I let the APN certificate expire?

A: MDM will lose communication with Apple devices, and re-enrollment may be required.

Can I renew my APN certificate with a different Apple ID?

A: No. If you use a different Apple ID, you will not be able to renew the original APN certificate, and devices will need to be re-enrolled.

How often do I need to renew the certificate?

A: Once every 12 months.

Will my devices remain responsive if I renew my certificate on time?

A: Yes, as long as you use the same Apple ID and renew before expiry, devices will stay responsive.

How do I verify that my renewed certificate is working?

A: Refresh the device and check the last updated time in the MDM representation to ensure it receives commands promptly.