Apple Push Certificates expire on a yearly basis and must be renewed before expiration to maintain a connection to MDM.
Renewing Apple Push Certificates
Will changing the expired certificate in the policy add it to enrolled devices?
No. Apple Push Certificates are only added to devices at the time of enrollment. Changing the push certificate used in a policy's MDM enrollment profile will only affect future enrollments; the expired certificate will remain on previously enrolled devices.
Can I add it to a different policy where the push certificate is current?
No. Moving a device to a policy with a current certificate will not install that policy's push certificate on the device.
What can I do?
Renew the push certificate
We always recommend that you attempt a renewal of the push certificate. Even if it is expired, Apple will typically allow for it to be renewed anyway. For steps on renewing the push certificate, kindly reference our article: Renewing Apple Push Certificates
If you cannot access the Apple ID that managed the push certificate OR you do not know which Apple ID managed the cert, you can reach out to Apple for further assistance. For steps on what is needed for this process, kindly reference this great article from Rich Trouton @ DerFlounder.
Note: Most of this information, except for the push certificate serial number, can be retrieved in Addigy via Account > MDM settings. The cert serial can be retrieved locally on a device using this workflow.
If you cannot retrieve the push certificate serial number from a device, kindly contact our Support team for further assistance.
Re-enroll the device
If the certificate cannot be renewed for any reason, it will be necessary to re-enroll the device. This will remove the MDM enrollment profile containing the expired certificate. When the device is re-enrolled, the enrollment profile will contain the new certificate.
Note: You will want to ensure a new, up-to-date push certificate is applied in the Addigy policy prior to re-enrolling any devices.
For mobile devices (iOS, iPadOS, tvOS):
Enrolled via Automated Device Enrollment (ADE) (Supervised):
If a mobile device enrolled via ADE is on an expired push certificate, per Apple, the device must be wiped.
Manually enrolled (Unsupervised):
For unsupervised devices, the MDM profile with the expired push certificate can be removed locally. Once removed, the enrollment profile with the up-to-date push certificate can be installed and subsequently approve the MDM installation.
For macOS:
Enrolled via Automated Device Enrollment (ADE):
If your macOS devices are enrolled via ADE, it is important to note whether non-removable MDM is being used as that will dictate the workflow.
If non-removable MDM is being used, one option is to wipe the device. Alternatively, MDM can be manually removed by disabling SIP. More details on this workflow can be found here: Removing non-removable MDMs by disabling SIP
Once MDM is removable (or if it already is removable), simply remove the enrollment MDM profile in System Settings > Privacy & Security > Profiles. Then, run the following command discussed in the following KB: Overview: Using the 'sudo profiles renew -type enrollment" Command
Manually enrolled (Not ADE):
Attached to this article is a script that will download the MDM Enrollment Profile with the correct certificate. This approach allows for re-enrolling devices MDM without needing to manually remove it, but, an admin user's credentials still must be provided locally.
When using the script, make sure to replace line 8 with the MDM install link of the policy where you will be re-enrolling these devices.
After you run the script, the following is the workflow for the end-user:
-
The following prompt will appear. Click Install.
-
Open System Preferences >> Profiles and click on the Install button.
- The user will be prompted to enter an admin password. After submitting the credentials, the new push certificate will be on the device.