Cisco Meraki Documentation

Apple MDM Push Certificate

In order for Cisco Meraki Systems Manager to communicate with an enrolled iOS or macOS device, Apple's Push Notification Service (APNS) first sends the device a silent notification. This notification prompts the device to check in with the Meraki Dashboard and receive any pending commands. For Apple's Push Notification server to recognize commands from Systems Manager, a certificate must be installed on all enrolled devices. This certificate is created on Apple's push certificate website, uploaded into Systems Manager, and then silently installed on iOS and macOS devices during Systems Manager enrollment. 

Apple requires this certificate to be renewed every 365 days. The process for renewing the Apple MDM push certificate is essentially the same as creating a new one; the critical difference is that the existing certificate must be renewed (not replaced) and the renewed certificate re-uploaded into Dashboard. If a new certificate is created instead, currently enrolled iOS and macOS devices will appear offline and be unable to receive MDM commands until they are re-enrolled.

Note: Due to incompatibilities with Internet Explorer, obtaining an Apple push certificate should be performed with an alternate browser, preferably Chrome or Safari.

Please be sure to follow these instructions carefully, as mistakes can cause the original certificate to be lost, requiring manual re-enrollment of every managed device. It is strongly recommended to download the existing .pem certificate from identity.apple.com and Dashboard in Organization > MDM as a backup before making any changes.

Creating an Apple MDM Push Certificate

To create and upload an Apple MDM push certificate, navigate to the Organization > MDM page and, below the "Apple MDM push certificate" section, click the "Add certificate" button.

  1. Download your certificate signing request (CSR), signed by Meraki
  2. Upload your CSR to Apple's Push Certificate Portal and download your Push Certificate
  3. Enter the Apple ID used to generate the certificate

Note: Best practice is to create the Apple MDM push certificate with an Apple ID that belongs to your organization, as losing access to the original Apple ID (and therefore the original Apple MDM push certificate) would mean losing management of the previously enrolled devices.

  4. Upload your push certificate (MDM_Meraki_Inc_Certificate.pem) to Dashboard

Renewing an Apple MDM Push Certificate

Follow the steps in this section carefully! 

  • If you mistakenly upload the wrong file or an old certificate, the renewal will fail, and your MDM functionality may be interrupted.
  • Do not revoke, download, or create a new certificate within the Apple Push Certificates portal; click the "Renew" option only.
  • Ensure you're entering the same Apple ID for both the Meraki Dashboard and Apple Push Notification Portal.
  • Be cautious when uploading files; ensure you're uploading the correct files in Dashboard and the Apple Push Certificates portal.

Step 1: Download the Meraki CSR (Certificate Signing Request) File

  • Log in to the Meraki Dashboard.
  • Navigate to Organization > MDM.
  • In the "Apple MDM push certificate" section, make note of the Apple ID, and click the Renew button:

  • Download the CSR file from the MDM page. This CSR is required in later steps:

Step 2: Log in to Apple's Push Notification Portal

  • Open the Apple Push Certificates Portal by clicking the hyperlink:

Screenshot of the Meraki Dashboard MDM renewal section with the Apple Push Certificates Portal link highlighted.

  • Log in using the same Apple ID that was used to create the current MDM push certificate (the Apple ID noted in Dashboard in step 1). If you use a different Apple ID, the process will fail.

Step 3: Locate and Renew the Expiring Certificate

  • In the Apple Push Notification Portal, locate the expiring MDM push certificate. If multiple entries are present in the list, follow the instructions in section "Identifying the Correct Apple MDM Push Certificate" to identify the correct certificate.
  • Click the "Renew" button next to the expiring certificate. Do not revoke, download, or create a new certificate. Only use the Renew option at this stage in the process.

  • The Apple portal will request a "Vendor-Signed Certificate Signing Request" file. Click "Choose File", select the .csr file downloaded in step 1 (Meraki_Apple_CSR.csr), and then click "Upload":

  • A confirmation page will appear offering the opportunity to download the renewed certificate; click the "Download" button:

  • Once the new push certificate is confirmed, you will receive a file with the extension .pem (e.g., MDM_Meraki_Inc_Certificate.pem).

Step 4: Enter the Apple ID and Upload the Renewed Certificate File

  • Return to your Meraki Dashboard Organization > MDM page to continue the process.
  • Enter the same Apple ID you used earlier in the process:

  • Upload the newly downloaded .pem certificate file (e.g., MDM_Meraki_Inc_Certificate.pem):

  • Click the "Renew" button to finish the renewal process.

Troubleshooting Apple MDM Push Certificate Renewal

If you have renewed your Apple MDM push certificate and Dashboard is reporting that your devices are offline and out of compliance, this means that something went wrong with the renewal process and a new certificate was generated rather than an actual renewal. Please follow the steps below to revert and renew the previous certificate. 

Revert to the previous Apple MDM push certificate

To revert to the previous Apple MDM push certificate, navigate to the Organization > MDM page and, below the "Apple MDM push certificate" section, click the "Revert" button, then confirm this choice in the pop-up window.

Any devices enrolled with the new certificate will need to be re-enrolled after reverting to the previous certificate.

Identifying the Correct Apple MDM Push Certificate 

To identify the correct Apple MDM push certificate:

  • Navigate to the Organization > MDM page

  • Make note of the Apple push topic and the Expires on date

  • Navigate to the Apple Push Certificate Portal.
  • Look for any certificates with a Vendor of "Meraki Inc.".
  • Verify that the Expiration Date matches what was displayed in Dashboard.

Click the info icon (i) to pull up the detailed information about the certificate and verify that the UID matches the Apple push topic.

I Forgot Which Apple ID was Originally Used

It is only possible to renew the Apple MDM push certificate using the same Apple ID that was originally used to create it. If this Apple ID is unknown or cannot be found, a new certificate will need to be generated requiring all previously enrolled Apple devices to be re-enrolled.

Recovering an orphaned Apple MDM push certificate/topic

If you cannot access the account associated with your Organization's Push Certificate, you will need to contact Apple Support for assistance using the instructions found here: https://support.apple.com/en-gb/118629.

When doing so, be prepared to provide as much information about the current certificate as you can. This includes, but is not limited to:

  • Government-issued photo ID
  • Employment verification document from your organization or employer
  • Employee badge or business card
  • Copy of the MDM push certificate
  • Serial number of the MDM push certificate

The currently used push certificate may be downloaded by Admins with organizational write permissions via the 'Download Certificate' button on the Organization > MDM page.

The serial number of the certificate can be printed in hexadecimal with the following openssl command (replace /path/to/cert.pem with the downloaded .pem file):

openssl x509 -in /path/to/cert.pem -noout -serial
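The checks described in "Identifying the Correct Apple MDM Push Certificate" (matching the subject UID to the Apple push topic and checking the expiry date) and the serial-number lookup above, as one shell script built on openssl. This is an added example, not Meraki's or Apple's tooling; the certificate it generates is a constructed self-signed stand-in with a made-up UUID that only copies the subject layout of a real push certificate.

```shell
# Added example (not Meraki's own tooling): inspect a downloaded Apple MDM push
# certificate with openssl and pull out the fields this page compares against
# Dashboard: the push topic (subject UID), the expiry date and the serial number.
# make_constructed_cert builds a self-signed stand-in that only copies the
# subject layout of a real push certificate; it is constructed test data.
set -u

# Push topic: Apple stores it as the UID attribute of the certificate subject.
push_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Expiry date (the "Expires on" value Dashboard shows), prefix stripped.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2-
}

# Serial number in hex, the value Apple Support asks for.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Succeeds when the certificate expires within $2 days: time to renew.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Succeeds only if the certificate's UID equals the topic noted in Dashboard.
topic_matches() {
    [ "$(push_topic "$1")" = "$2" ]
}

# Constructed stand-in: $1 output dir, $2 push topic, $3 validity in days.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/cert.pem" -days "$3" \
        -subj "/UID=$2/CN=APSP:${2#com.apple.mgmt.External.}/C=US" 2>/dev/null
}

# Demo run against a constructed certificate (the UUID below is made up).
dir=$(mktemp -d)
topic="com.apple.mgmt.External.00000000-1111-2222-3333-444444444444"
make_constructed_cert "$dir" "$topic" 30
echo "topic:  $(push_topic "$dir/cert.pem")"
echo "expiry: $(cert_expiry "$dir/cert.pem")"
echo "serial: $(cert_serial "$dir/cert.pem")"
expires_within_days "$dir/cert.pem" 60 && echo "expires within 60 days: renew"
rm -rf "$dir"
```

Point the functions at the .pem downloaded from Organization > MDM and compare the printed topic and expiry with the values shown in Dashboard before choosing "Renew" in Apple's portal.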

Please reference Apple's documentation for more information on how the Apple Push Notification Service works.