Apple Push Certificates expire on a yearly basis and must be renewed before expiration to maintain a connection to MDM.
Will changing the expired certificate in the policy add it to enrolled devices?
No. Apple Push Certificates are only added to devices at the time of enrollment. Changing the push certificate used in a policy's MDM enrollment profile will only affect future enrollments; the expired certificate will remain on previously enrolled devices.
Can I add it to a different policy where the push certificate is current?
No. Moving a device to a policy with a current certificate will not install that policy's push certificate on the device.
What can I do?
Depending on how long the certificate has been expired, it may be worth attempting to renew it.
If the certificate cannot be renewed, it will be necessary to re-enroll the device. This will remove the MDM enrollment profile containing the expired certificate. When the device is re-enrolled, the enrollment profile will contain the new certificate.
Attached to this article is a script that will download the MDM Enrollment Profile with the correct certificate. This approach allows for re-enrolling devices without removing them from your environment.
When using the script, make sure to replace line 8 with the MDM install link of the policy where you will be re-enrolling these devices.
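As an added example (this is not the script attached to the article), the shell script below shows the shape of such a re-enrollment helper: it fetches the enrollment profile from a placeholder MDM install link, refuses anything that is not an HTTPS link, sanity-checks that the download really is a profile containing an MDM payload, and then hands it to macOS with `open` so the end-user gets the Install prompt. The URL, file path and function names are assumptions; replace the placeholder link with the MDM install link of your policy.

```shell
#!/bin/sh
# Added example, not the script attached to the article.
# Assumptions (hypothetical): MDM_INSTALL_URL is the MDM install link of the
# policy you are re-enrolling devices into; the link returns a .mobileconfig
# enrollment profile carrying the current push certificate.
set -eu

MDM_INSTALL_URL="https://mdm.example.com/REPLACE_WITH_POLICY_INSTALL_LINK"  # placeholder
PROFILE_PATH="/tmp/mdm-enrollment.mobileconfig"

# The enrollment profile carries the push topic and the MDM server URL, so
# only accept an https:// install link; a plaintext download could be
# altered on the way to the device.
check_url_scheme() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Sanity-check a downloaded file before handing it to the user. An unsigned
# profile is an XML plist ('<' first); a signed profile is a DER-encoded CMS
# blob (0x30 first) that still embeds the plist bytes. Either way the
# profile must contain an MDM payload (PayloadType com.apple.mdm).
profile_looks_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    first_byte=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    case "$first_byte" in
        3c) grep -q '<plist' "$f" || return 1 ;;   # XML plist
        30) ;;                                     # DER/CMS signed profile
        *)  return 1 ;;
    esac
    grep -q 'com.apple.mdm' "$f" || return 1
    return 0
}

# Download the profile with TLS enforced, then validate it; a bad download
# is deleted rather than left for the user to install.
download_profile() {
    url="$1"; out="$2"
    check_url_scheme "$url" || { echo "refusing non-https install link: $url" >&2; return 1; }
    curl -fsSL --proto '=https' --max-time 60 -o "$out" "$url"
    profile_looks_valid "$out" || { echo "downloaded file is not an MDM enrollment profile" >&2; rm -f "$out"; return 1; }
}

# Only the --install flag triggers network access and the user prompt, so the
# functions above can be sourced and checked on their own.
if [ "${1:-}" = "--install" ]; then
    download_profile "$MDM_INSTALL_URL" "$PROFILE_PATH"
    # Current macOS versions do not install profiles silently from a script;
    # 'open' hands the file to System Preferences, which shows the Install
    # prompt that the end-user walks through.
    open "$PROFILE_PATH"
fi
```

Run it as `sh reenroll.sh --install` on the device (or push it through your existing agent). The validation step is deliberately only a sanity check: it confirms the file is a plist or signed CMS blob with an MDM payload, not that the profile is signed by your MDM vendor, so keep the install link itself under your control.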
After you run the script, the end-user workflow is as follows:
- A prompt to install the profile will appear. Click Install.
- Open System Preferences >> Profiles and click on the Install button.
- The user will be prompted to enter an admin password. After submitting the credentials, the new push certificate will be on the device.