Apple Push Certificates expire annually and must be renewed before expiration to maintain MDM connectivity. If a push certificate expires, devices on that certificate will lose their MDM connection. Your first course of action should always be to attempt a renewal — even expired certificates can typically still be renewed through Apple.
Will changing the expired certificate in the policy update it on enrolled devices?
No. Push certificates are only applied to devices at the time of enrollment. Updating the certificate in a policy's MDM enrollment profile will only affect future enrollments — previously enrolled devices will retain the expired certificate.
Can I move a device to a different policy with a current certificate?
No. Moving a device to a policy with a current push certificate will not install that certificate on the device.
Option 1: Renew the Push Certificate
This is always the recommended first step, even if the push certificate has already expired (Apple will typically allow for it to be renewed anyway). For instructions, see: Renewing Apple Push Certificates.
If you cannot access the Apple ID associated with the certificate, or don't know which Apple ID was used, you can contact Apple directly for assistance. For the steps and information Apple requires for this process, see Rich Trouton's article on Der Flounder.
Note: You can look up the certificate details in Addigy by navigating to Account > MDM Settings, clicking the ... menu next to the certificate, and selecting Info. The certificate serial number can also be retrieved locally on the device — see this workflow for details.
Option 2: Re-enroll the Device
If the certificate cannot be renewed for any reason, the device(s) will need to be re-enrolled. Re-enrollment removes the MDM profile containing the expired certificate and replaces it with a new one containing the current certificate.
Important: Before re-enrolling any devices, confirm that a current, valid push certificate is applied to the Addigy policy.
iOS, iPadOS, and tvOS
Enrolled via Automated Device Enrollment (ADE) / Supervised: Per Apple, supervised devices on an expired push certificate must be wiped and re-enrolled.
Manually enrolled (Unsupervised): The MDM enrollment profile containing the expired certificate can be removed locally on the device. Once removed, install the updated enrollment profile with the current push certificate and approve the MDM installation.
macOS
Enrolled via ADE: First determine whether non-removable MDM is in use, as this affects the workflow.
- Non-removable MDM: One option is to wipe the device. Alternatively, MDM can be manually removed by disabling SIP. See: Removing Non-Removable MDMs by Disabling SIP.
- Once MDM is removable: Remove the enrollment profile in System Settings > Privacy & Security > Profiles, then run the command covered in: Overview: Using the 'sudo profiles renew -type enrollment' Command.
Manually enrolled (Not ADE): Follow the steps below to remove the existing MDM profile and re-install it with the updated certificate.
- On the Devices page, expand the device's actions and click Remove Device.
- In the dialog that appears, select Remove MDM Profile.
  Note: Any configurations deployed via Device Settings will be temporarily removed when the MDM profile is removed. Review your Device Settings deployments beforehand to avoid unexpected behavior.
- Wait approximately 5 minutes for Addigy to recognize that MDM has been removed from the device.
- From the Devices page, click Install MDM on the device.
- On the device, a prompt will appear; instruct the end user to click Install.
- The Profiles section in System Settings will open automatically. Instruct the end user to double-click the downloaded profile and click Enroll.
- When prompted, enter admin credentials to complete enrollment. The device will now have the updated push certificate.
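The macOS branches above hinge on one question: was the Mac enrolled via ADE or manually? The following script is an added example, not Addigy's code or anything from this article, that reads that answer from the built-in `profiles status -type enrollment` command and maps it onto the two workflows. The classification function takes the command output as text, so it can be exercised off-device with the constructed sample outputs included at the bottom; the live wrapper only runs the real command when the macOS `profiles` tool exists.

```shell
#!/bin/sh
# Added example (not from the article): decide which re-enrollment path applies
# to a Mac by parsing `profiles status -type enrollment`. Known output lines:
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved) | Yes | No

# classify_enrollment OUTPUT -> ade | manual | not-enrolled | unknown
classify_enrollment() {
    out="$1"
    dep=$(printf '%s\n' "$out" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$out" | sed -n 's/^MDM enrollment: *//p')
    case "$mdm" in
        No*)
            # No MDM profile present at all: nothing to remove, just Install MDM.
            echo "not-enrolled" ;;
        Yes*)
            case "$dep" in
                Yes*) echo "ade" ;;     # ADE path: check non-removable MDM first
                *)    echo "manual" ;;  # Manual path: Remove Device -> Install MDM
            esac ;;
        *)
            echo "unknown" ;;
    esac
}

# Query the current device when the macOS `profiles` tool is available.
live_enrollment() {
    if command -v profiles >/dev/null 2>&1; then
        classify_enrollment "$(profiles status -type enrollment 2>/dev/null)"
    else
        echo "unknown"
    fi
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_ADE="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"
SAMPLE_MANUAL="Enrolled via DEP: No
MDM enrollment: Yes (User Approved)"
SAMPLE_NONE="Enrolled via DEP: No
MDM enrollment: No"

# Usage: sh enrollment_path.sh --demo   (prints ade / manual / not-enrolled)
#        sh enrollment_path.sh          (classifies this Mac, or "unknown")
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_ADE" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
        classify_enrollment "$s"
    done
elif [ -z "${1:-}" ]; then
    live_enrollment
fi
```

An "ade" result means the non-removable MDM check in the ADE section still has to be done before anything is removed; a "manual" result means the Remove Device / Install MDM steps above apply directly. Either way, confirm the policy already carries the current push certificate before re-enrolling.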