Apple MDM Push Certificate
In order for Cisco Meraki Systems Manager to communicate with an enrolled iOS or macOS device, Apple's Push Notification Service (APNS) first sends the device a silent notification. This notification prompts the device to check in with the Meraki Dashboard and pick up any pending commands. APNS only accepts these pushes from Systems Manager when they are sent under an Apple MDM push certificate that belongs to your organization. The certificate is created on Apple's push certificate portal and uploaded into Systems Manager, and its push topic is then written into the enrollment profile that is silently installed on iOS and macOS devices during Systems Manager enrollment; the push topic is how each device knows which pushes to listen for.
Apple requires this certificate to be renewed every 365 days. The process for renewing the Apple MDM push certificate is essentially the same as creating a new one. The critical difference is that the existing certificate must be renewed on Apple's portal and the renewed certificate re-uploaded into Dashboard. A renewed certificate keeps the same push topic, so enrolled devices keep working. If a new certificate is created instead, it carries a different push topic: currently enrolled iOS and macOS devices will appear offline and be unable to receive MDM commands until they are re-enrolled.
Note: Due to incompatibilities with Internet Explorer, obtaining an Apple push certificate should be performed with an alternate browser, preferably Chrome or Safari.
Please follow these instructions carefully, as mistakes can cause the original certificate to be lost, requiring manual re-enrollment of every managed device. Before making any changes, download the existing .pem certificate both from identity.apple.com and from Dashboard (Organization > MDM) as a backup.
Creating an Apple MDM Push Certificate
To create and upload an Apple MDM push certificate navigate to the Organization > MDM page, and below the "Apple MDM push certificate" section click the "Add certificate" button.
- Download your certificate signing request (CSR), signed by Meraki
- Upload your CSR to Apple's Push Certificate Portal and download your Push Certificate
- Enter the Apple ID used to generate the certificate
Note: Best practice is to create the Apple MDM push certificate with an Apple ID that belongs to your organization. Only that Apple ID can renew the certificate, so losing access to it (and therefore to the original Apple MDM push certificate) means losing management of the previously enrolled devices.
- Upload your push certificate (MDM_Meraki_Inc_Certificate.pem) to Dashboard
Renewing an Apple MDM Push Certificate
To renew an Apple MDM push certificate navigate to the Organization > MDM page, and below the "Apple MDM push certificate" section click the "Renew" button.
- Download Meraki CSR file from Organization > MDM page
- Log in to Apple's Push Notification Portal with the same Apple ID used to create the current push certificate.
- Find the expiring certificate, and select Renew (do not revoke or download the expiring certificate, do not create a new certificate).
- Enter the Apple ID used to generate the certificate
- Upload your push certificate (MDM_Meraki_Inc_Certificate.pem) to Dashboard
Troubleshooting Apple MDM Push Certificate Renewal
If you have renewed your Apple MDM push certificate and Dashboard is reporting that your devices are offline and out of compliance, something went wrong with the renewal process and a new certificate was generated rather than an actual renewal. Follow the steps below to revert to the previous certificate and then renew it.
Revert to the previous Apple MDM push certificate
To revert to the previous Apple MDM push certificate navigate to the Organization > MDM page, and below the "Apple MDM push certificate" section click the "Revert" button then confirm this choice on the pop-up window.
Any devices enrolled with the new certificate will need to be re-enrolled after reverting to the previous certificate.
Identifying the Correct Apple MDM Push Certificate
To identify the correct Apple MDM push certificate:
- Navigate to the Organization > MDM page
- Make note of the Apple push topic and the Expires on date
- Navigate to the Apple Push Certificate Portal.
- Look for any certificates with a Vendor of "Meraki Inc.".
- Verify that the Expiration Date matches what was displayed in Dashboard.
- Click the info icon (i) to pull up the detailed information about the certificate and verify that the UID matches the Apple push topic.
I Forgot Which Apple ID was Originally Used
It is only possible to renew the Apple MDM push certificate using the same Apple ID that was originally used to create it. If this Apple ID is unknown or cannot be found, a new certificate will need to be generated requiring all previously enrolled Apple devices to be re-enrolled.
Recovering an orphaned Apple MDM push certificate/topic
If you cannot access the Apple ID associated with your Organization's push certificate, contact Apple Support for assistance using the instructions at https://support.apple.com/en-gb/118629.
When doing so, be prepared to provide as much information about the current certificate as you can, including but not limited to:
- Government-issued photo ID
- Employment verification document from your organization or employer
- Employee badge or business card
- Copy of the MDM push certificate
- Serial number of the MDM push certificate
The currently used push certificate may be downloaded by Admins with organizational write permissions via the 'Download Certificate' button on the Organization > MDM page.
The serial number of the certificate can be printed with the following openssl command (replace /path/to/cert.pem with the downloaded file):
openssl x509 -in /path/to/cert.pem -noout -serial
This prints the serial number as a hex string. If you use the text form instead (openssl x509 -in /path/to/cert.pem -noout -text | grep -A1 'Serial'), keep the -A1: openssl places a long serial number on the line after "Serial Number:", which a plain grep 'Serial' would not show.
Please reference Apple's documentation for more information on how the Apple Push Notification Service works.