The Apple Push Notification Service (APNs) certificate is critical to managing Apple devices with mobile device management (MDM). In order to leverage MDM, you need a push certificate. An APNs certificate creates trust between your MDM server, Apple, and your devices. In this article, we will cover different options for managing push certificates and go into some of the unique challenges that managed service providers (MSPs) face.
Table of Contents
- Apple ID Best Practices
- Creating Apple Push Certificates
- Renewing Apple Push Certificates
- Assigning Apple Push Certificates
- Recap and Additional Information
Apple ID Best Practices
While any Apple ID can be used to create a push certificate, IT teams need to be intentional in choosing which Apple ID to use. The push certificate will require renewal every year with the same Apple ID used to create it. Therefore, the Apple ID a team uses should not be tied to any one individual. Do not use your personal Apple ID, or anyone else’s, to create the organization’s push certificate. If that person is no longer available when renewal comes around, you would need to create a new push certificate with a new Apple ID and re-enroll all of your devices. So what options do you have?
Recommended Solution
Addigy recommends that all organizations, regardless of size, enroll in Apple Business Manager, or Apple School Manager if you are in education. This guide will reference Apple Business Manager, but the same concepts apply to Apple School Manager.
Apple Business Manager offers organizations many benefits, such as automated device enrollment. With Apple Business Manager, organizations can also create managed Apple IDs. This allows organizations to reset sign-in information, password, and phone number from a single portal so that regardless of who is on the IT team at the time of certificate renewal, the organization can always have a way to log into the managed Apple ID. You can find a guide that details the process of creating a managed Apple ID specifically for use with APNs here.
Adequate Solution
While Apple Business Manager with a managed Apple ID is the best solution, it is not the only option available. Another option is to create an email distribution group, such as applemanagement@yourdomain.com. This distribution group, or an alias of it, can be used to create an Apple ID for use with APNs. This ensures that more than one person has access to the Apple ID not just for renewal, but also in the event that a password needs to be reset and to receive email notifications such as the renewal reminder.
Creating Apple Push Certificates
The article below covers the steps required to create your Apple Push Certificate:
How to Create an Apple Push Certificate
Renewing Apple Push Certificates
Your Apple Push Notification certificate needs to be renewed every year. Prior to expiration, the email address associated with the Apple ID used to create the certificate will receive an email from Apple about the upcoming expiration. You will also receive a notification in Addigy on the Alerts menu. For a full guide on renewing a push certificate, please see this guide.
Note: Addigy will not send emails regarding expiration notifications.
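Because Addigy will not email you about expiration, a standing check of the exported certificate is useful. The following POSIX shell script is an added example, not Addigy's or Apple's code: it uses openssl to flag a PEM-exported push certificate that expires within a threshold, and to confirm that a renewed certificate keeps the same push topic (the subject UID carried by an MDM push certificate), since a newly created certificate gets a new topic and forces the re-enrollment described above. The certificates it generates are constructed stand-ins, and the function names and 30-day threshold are this example's own choices.

```sh
# Added example: expiry and topic checks for an APNs MDM push certificate (PEM).
# Assumes openssl is on PATH; all certificates below are constructed samples.

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
expires_within_days() {
  secs=$(( $2 * 86400 ))
  # openssl exits 0 when the certificate is still valid after $secs seconds
  if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
    return 1
  fi
  return 0
}

# Print the push topic: the UID attribute of the certificate subject.
push_topic() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Return 0 if $2 is a renewal of $1 (same topic), 1 if it is a new certificate.
same_topic() {
  [ "$(push_topic "$1")" = "$(push_topic "$2")" ]
}

# Constructed self-signed stand-ins: $1 = output file, $2 = topic, $3 = days valid.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
    -keyout "${1%.pem}.key" -out "$1" \
    -subj "/UID=$2/CN=APSP:constructed-example" 2>/dev/null
}
tmp=$(mktemp -d)
make_cert "$tmp/current.pem" com.apple.mgmt.External.constructed-1 20
make_cert "$tmp/renewed.pem" com.apple.mgmt.External.constructed-1 365
make_cert "$tmp/newcert.pem" com.apple.mgmt.External.constructed-2 365

if expires_within_days "$tmp/current.pem" 30; then
  echo "current.pem expires within 30 days: renew it with the same Apple ID"
fi
same_topic "$tmp/current.pem" "$tmp/renewed.pem" && echo "renewed.pem keeps the topic"
same_topic "$tmp/current.pem" "$tmp/newcert.pem" || echo "newcert.pem changes the topic: devices must re-enroll"
```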
Assigning Apple Push Certificates
When assigning Apple Push Certificates, you have two options, depending on whether you manage multiple organizations or represent a single organization:
- If you manage multiple organizations in your Addigy environment: Addigy allows you to upload and manage multiple Apple Push Certificates to stay in compliance with Apple's MDM Terms of Service, which requires that each managed organization have its own Apple Push Certificate. For example, if an MSP has 8 customers, it should have 8 unique push certificates.
  It is also recommended that the push certificate be assigned to the parent policy of each customer. There is no need to assign the push certificate to each child policy a customer may have, since push certificates are inherited.
  Setting up Policy MDM Profiles for a Multi-Tenant Environment
- If you manage only a single organization or are an internal IT shop: set up a Global MDM Enrollment Profile in your Addigy environment. This enables a single Apple Push Certificate MDM profile to be used by all MDM-enrolled devices in your Addigy account.
  Setting up the Global MDM Profile
Recap and Additional Information
- When deciding what Apple ID will be used for creating an APNs certificate, make sure to use one that more than one person has access to. If possible, create a Managed ID specifically for your push certificate.
- Managed service providers should have a unique push certificate for each customer in Addigy.
- Internal IT teams only need one push certificate and can use the Global Enrollment Profile.
- Each push certificate will need to be renewed every year with the same Apple ID used to create it.
- If you have an expired certificate, follow this guide for information on what steps can be taken depending on your situation.
FAQ: My Push Certificate Expired
- Apple Push Certificates can be renamed by clicking the three dots next to the name > Info > Rename.