Apple Push Certificates expire on a yearly basis and must be renewed before expiration to maintain a connection to MDM. If an MDM push certificate expires, you risk losing MDM connectivity with your devices.
For steps on renewing the certificate, please view the following article: Renewing Apple Push Certificates
Will changing the expired certificate in the policy add it to enrolled devices?
No. Apple Push Certificates are only added to devices at the time of enrollment. Changing the push certificate used in a policy's MDM enrollment profile will only affect future enrollments; the expired certificate will remain on previously enrolled devices.
Can I add it to a different policy where the push certificate is current?
No. Moving a device to a policy with a current certificate will not install that policy's push certificate on the device.
What can I do?
Renew the push certificate
We always recommend that you attempt a renewal of the push certificate first. Even if it has already expired, Apple will typically still allow it to be renewed. For steps on renewing the push certificate, kindly reference our article: Renewing Apple Push Certificates
If you cannot access the Apple ID that managed the push certificate OR you do not know which Apple ID managed the cert, you can reach out to Apple for further assistance. For steps on what is needed for this process, kindly reference this great article from Rich Trouton @ DerFlounder.
Note: This information can be retrieved in Addigy via Account > MDM settings and clicking the three buttons next to the certificate in question and choosing Info. Additionally, the cert serial can be retrieved locally on a device using this workflow.
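Because the push certificate expires yearly and the serial is what Apple asks for when the managing Apple ID is unknown, it helps to check both before the renewal window closes. The following script is an added example (not Addigy's own tooling); it assumes `openssl` is installed and that the push certificate has been exported as a PEM file, and it builds a constructed self-signed certificate so it can run offline:

```shell
#!/bin/sh
# Added example, not part of the Addigy article: report the serial and expiry
# of an MDM push certificate (PEM) and flag whether it expires within a
# warning window. Assumes `openssl` is on PATH.

# Print the serial number and notAfter date of the given PEM certificate.
push_cert_info() {
  openssl x509 -in "$1" -noout -serial -enddate
}

# Return 0 if the certificate expires within the next $2 days, 1 otherwise.
# `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds
# from now, so its exit status is inverted here.
push_cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
    return 1
  else
    return 0
  fi
}

# Constructed sample: a self-signed certificate valid for 30 days stands in
# for a real push certificate so the script can be exercised offline.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=sample-push-cert" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh check_push_cert.sh /path/to/push-cert.pem
if [ "${1:-}" != "" ]; then
  push_cert_info "$1"
  if push_cert_expires_within "$1" 30; then
    echo "WARNING: push certificate expires within 30 days; renew it now"
  fi
fi
```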
Re-enroll the device
If the certificate cannot be renewed for any reason, it will be necessary to re-enroll the device. This will remove the MDM enrollment profile containing the expired certificate. When the device is re-enrolled, the enrollment profile will contain the new certificate.
Note: You will want to ensure a new, up-to-date push certificate is applied in the Addigy policy prior to re-enrolling any devices.
For mobile devices (iOS, iPadOS, tvOS):
Enrolled via Automated Device Enrollment (ADE) (Supervised):
If a mobile device enrolled via ADE is on an expired push certificate, per Apple, the device must be wiped.
Manually enrolled (Unsupervised):
For unsupervised devices, the MDM profile containing the expired push certificate can be removed locally on the device. Once it is removed, install the enrollment profile that contains the up-to-date push certificate and then approve the MDM installation when prompted.
For macOS:
Enrolled via Automated Device Enrollment (ADE):
If your macOS devices are enrolled via ADE, it is important to note whether non-removable MDM is being used as that will dictate the workflow.
If non-removable MDM is being used, one option is to wipe the device. Alternatively, MDM can be manually removed by disabling SIP. More details on this workflow can be found here: Removing non-removable MDMs by disabling SIP
Once MDM is removable (or if it already is removable), simply remove the MDM enrollment profile in System Settings > Privacy & Security > Profiles. Then, run the command discussed in this KB: Overview: Using the 'sudo profiles renew -type enrollment' Command
Manually enrolled (Not ADE):
If the device already has MDM installed but needs to move to a different push certificate, you will need to delete the MDM profiles from the device and use the "Install MDM" tool in Addigy.
To remove MDM from the device, simply navigate to the Devices page, expand the device actions, and select Remove Device:
A window will come up with a few options; select Remove MDM Profile.
Note: any settings or configurations deployed via MDM profiles will temporarily be removed. Please review what you are deploying via Addigy in terms of MDM profiles to ensure no unexpected behavior occurs.
Once MDM has been removed, you may need to wait roughly 5 minutes for Addigy to recognize the device no longer has MDM. From there, you can select Install MDM.
After that, a user with admin credentials on the device must perform the following workflow:
- The following prompt will appear. Click Install.
- It will open the Profiles section within System Settings. Here, double-click the installed profile and choose Enroll.
- After clicking "Enroll", the user will be prompted to enter an admin password. After submitting the credentials, the new push certificate will be on the device.