For Cisco Meraki Systems Manager to communicate with an enrolled iOS or macOS device, the Apple Push Notification service (APNS) first sends the device a silent push notification. That notification prompts the device to check in with the Meraki Dashboard and receive any pending commands. For APNS to accept push requests from Systems Manager, an Apple push certificate is required. This certificate is created on Apple's push certificate portal and uploaded into Systems Manager; the push topic it carries is then silently installed on iOS and macOS devices, as part of the management profile, during Systems Manager enrollment.
Apple requires this certificate to be renewed every 365 days. The renewal process is essentially the same as creating a new certificate, with one critical difference: the existing certificate must be renewed (not replaced) and the renewed certificate re-uploaded into Dashboard. If a new certificate is created instead, it carries a different push topic, so currently enrolled iOS and macOS devices will appear offline and be unable to receive MDM commands until they are re-enrolled.
Note: Because of known incompatibilities with Internet Explorer, obtain the Apple push certificate with a different browser, preferably a current version of Chrome, Firefox or Safari.
Please be sure to follow these instructions carefully, as mistakes can cause the original certificate to be lost, requiring manual re-enrollment of every managed device. Prior to the start of this process, it is strongly recommended to download the existing certificate from identity.apple.com as a backup.
To create and upload an Apple push certificate so that your iOS or macOS devices can be managed through Systems Manager, complete the five steps found on the Organization > MDM > Apple MDM page.
Note: Best practice is to use an Apple ID in the Apple Push Certificate Portal that belongs to your organization rather than a personal account, if possible. Losing access to the original Apple ID (and therefore the original Apple Push certificate) would result in losing management of the previously enrolled devices.
A valid certificate generated from the Apple Push Certificate Portal is named MDM_ Meraki Inc._Certificate.pem. If the push certificate you create is listed under a different name, it will not be accepted when uploaded into Dashboard (renaming the file will not resolve the issue).
The most common cause of this error is completing the process in Internet Explorer, which has several known compatibility issues with the portal. Obtain the certificate using the latest version of Google Chrome, Mozilla Firefox or Safari instead.
The Apple Push Notification service certificate expires after 365 days, so be sure to renew it before then. To keep previously enrolled devices enrolled, you must renew this exact certificate rather than create a new one.
If you have renewed your Apple Push Notification Service certificate and Dashboard is reporting that your devices are offline and out of compliance, this means that something went wrong with the renewal process and a new certificate was generated rather than an actual renewal. To troubleshoot, we'll walk through recovering the APNS communications chain and re-establishing contact with these devices through APNS.
If you unintentionally created a new cert instead of renewing the existing certificate, try using the following steps to resolve this issue.
Each APNS certificate is generated uniquely, but every certificate in a given renewal chain shares a common Subject, which includes the Push Topic (the identifier for the set of devices this push certificate can reach). Dashboard presents the current push topic under Organization > MDM > Apple MDM.
Before renewing, compare this Topic against the values listed in Apple's Push Certificates Portal (identity.apple.com) to make sure you are renewing the right certificate.
Note: If you do not have access to the Apple Push Certificates Portal but do have the certificate files, you can read the Subject out of each one to identify the correct certificate to renew (or to give Apple so they can locate the account it was issued to):
user$ openssl x509 -in /path/to/cert.pem -noout -text | grep 'Subject:'
This prints a Subject line like the following; the UID value is the push topic:
Subject: UID=com.apple.mgmt.External.f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, CN=APSP:f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, C=US
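The following shell script, added here as an example and not part of Meraki's or Apple's tooling, automates that check: it pulls the push topic out of a PEM certificate, compares it with the topic Dashboard reports, and confirms the certificate is not about to hit its 365-day expiry. It assumes openssl is on PATH and that the expected topic (DASHBOARD_TOPIC below, a name chosen for this example) is copied from Organization > MDM > Apple MDM. A real Apple-issued push certificate cannot be embedded here, so the script constructs self-signed sample certificates with the same Subject layout (UID carrying the topic, CN carrying the APSP identifier) purely to exercise the functions; the second topic id is made up.

```shell
#!/bin/sh
# Added example, not Meraki or Apple tooling. Requires openssl on PATH.
# Checks whether a locally held APNS push certificate is the one Dashboard
# expects before it is renewed, and whether it is close to its 365-day expiry.

# Print the push topic of a PEM certificate. RFC2253 formatting makes the
# Subject come out as "subject=C=US,CN=APSP:...,UID=com.apple.mgmt.External..."
# regardless of the OpenSSL version, so the UID value can be cut out reliably.
apns_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Succeed (exit 0) only if the certificate's topic equals the expected topic,
# i.e. the value shown under Organization > MDM > Apple MDM.
apns_topic_matches() {
    [ -n "$2" ] && [ "$(apns_topic "$1")" = "$2" ]
}

# Succeed only if the certificate is still valid for at least $2 more days
# (openssl's -checkend exits non-zero when expiry falls inside that window).
apns_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed test data: a self-signed certificate whose Subject has the same
# shape as an Apple push certificate. $1 = output path, $2 = topic id,
# $3 = validity in days. Not a real Apple-issued certificate.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout /dev/null \
        -subj "/UID=com.apple.mgmt.External.$2/CN=APSP:$2/C=US" \
        -days "$3" -out "$1" >/dev/null 2>&1
}

# Demo: the topic Dashboard shows (the id from the Subject line above), one
# certificate from the original chain and one freshly created "new" certificate
# with a made-up topic id (this is the "created a new cert" failure mode).
DASHBOARD_TOPIC=com.apple.mgmt.External.f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab
tmp=$(mktemp -d)
make_sample_cert "$tmp/renewed.pem" f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab 365
make_sample_cert "$tmp/new.pem"     00000000-0000-4000-8000-000000000001 20
for cert in "$tmp/renewed.pem" "$tmp/new.pem"; do
    printf '%s topic=%s ' "$cert" "$(apns_topic "$cert")"
    if apns_topic_matches "$cert" "$DASHBOARD_TOPIC"; then
        printf 'matches Dashboard; '
    else
        printf 'DOES NOT match Dashboard (wrong certificate or new chain); '
    fi
    if apns_valid_for_days "$cert" 30; then
        echo 'valid for 30+ days'
    else
        echo 'expires within 30 days: renew it now'
    fi
done
rm -rf "$tmp"
```

Run it against your own backup copy with apns_topic /path/to/MDM_\ Meraki\ Inc._Certificate.pem and compare the result with the topic Dashboard shows; a mismatch means that file is not the certificate your enrolled devices are listening for, so renewing it will not bring them back online.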
If, after an APNS certificate renewal, you see an error message indicating an APNS mismatch under Systems Manager > Manage > Add Devices > iOS or macOS, you may have renewed the wrong certificate. In that case there are two simple recovery options.
If you have access to the previous APNS certificate, you can put it back into Dashboard and reestablish communication using the following steps:
This will reestablish communication with your enrolled devices while you determine what went wrong with the previous renewal.
If you do not have a copy of the old APNS certificate, Meraki Support can provide the old APNS Topic, which you can compare against the Subject of each certificate (as described above) to identify the correct one to renew. You can then follow the normal process for renewing an APNS certificate.
The push certificate can only be renewed with the same Apple ID that was originally used to create it. If that Apple ID is unknown or cannot be recovered, a new certificate will have to be generated by clicking Update/renew certificate and following the steps presented, and all previously enrolled Apple devices will then need to be re-enrolled. To avoid this, record the Apple ID used to create the certificate, and contact Apple Support for assistance if necessary.
If there are multiple accounts that are suspected of being used to generate the certificate, the following items can be checked to confirm whether a certificate is the correct one:
For more information on how the Apple Push Notification Service works, please reference Apple's documentation.