Apple MDM Push Certificate
In order for Cisco Meraki Systems Manager to communicate with an enrolled iOS or macOS device, Apple's Push Notification service (APNs) first sends the device a silent notification. This notification prompts the device to check in with the Meraki Dashboard and receive any pending commands. In order for APNs to accept push requests from Systems Manager, an MDM push certificate issued by Apple is required. This certificate is created on Apple's push certificate portal and uploaded into Systems Manager; the push topic it carries is then included in the MDM enrollment profile that is silently installed on iOS and macOS devices during Systems Manager enrollment.
Apple requires this certificate to be renewed every 365 days. The process for renewing the Apple push certificate is essentially the same as creating a new one. The critical difference is that the existing certificate must be renewed, and the renewed certificate re-uploaded into Dashboard. A renewal keeps the push topic that the enrolled devices already trust; a newly created certificate has a different push topic. If a new certificate is created instead of a renewal, currently enrolled iOS and macOS devices will appear offline and be unable to receive MDM commands unless they are re-enrolled.
Note: Due to incompatibilities with Internet Explorer, obtaining an Apple push certificate should be performed with an alternate browser, preferably Chrome or Safari.
Please be sure to follow these instructions carefully, as mistakes can cause the original certificate to be lost, requiring manual re-enrollment of every managed device. Prior to the start of this process, it is strongly recommended to download the existing .pem certificate from identity.apple.com and from Dashboard in Organization > MDM as a backup.
Creating an Apple MDM Push Certificate
To create and upload an Apple push certificate to manage your iOS, iPadOS, macOS, and tvOS devices through Systems Manager, complete the 5 steps found on the Organization > MDM > Apple MDM page, also shown below.
Note: Best practice is to use an Apple ID in the Apple Push Certificate Portal that belongs to your organization rather than a personal account, if possible. Losing access to the original Apple ID (and therefore the original Apple Push certificate) would result in losing management of the previously enrolled devices.
A valid certificate generated from the Apple Push Certificate Portal is named MDM_ Meraki Inc._Certificate.pem. If the push certificate you create is listed under a different name, it will not be accepted when uploaded into Dashboard (renaming the file will not resolve the issue).
The most common cause of this error is completing the process in Internet Explorer. There are a few known compatibility issues with Internet Explorer, so it is recommended that you obtain the certificate using the latest version of Google Chrome or Mozilla Firefox.
After 365 days the Apple Push Notification service certificate expires, so be sure to renew the Apple push certificate before then. To keep previously enrolled devices enrolled, it is essential to renew this exact certificate rather than create a new one.
Renewing an Apple MDM Push Certificate
- Download Meraki CSR file from Organization > MDM page.
- Log in to Apple's Push Notification Portal with the same Apple ID used to create the current push certificate.
Note: If the Apple ID is not known, review the I Forgot Which Apple ID was Originally Used section below. Not using the original Apple ID (and therefore the original Apple push certificate) would result in losing management of the previously enrolled devices.
- Find the expiring certificate, and select Renew (do not revoke or download the expiring certificate, and do not create a new certificate).
- Upload CSR downloaded as per Step #1.
- Download the renewed certificate from Apple, and upload into Dashboard.
- Enter/confirm the Apple ID used to log in to Apple's push notification portal (highly recommended).
Detailed Instructions
- In Dashboard, navigate to Organization > MDM.
- Under Apple MDM click Update/renew certificate.
- Download the Meraki signed certificate signing request (CSR) file, labeled as Meraki_Apple_CSR.csr.
- In another browser window or tab, go to the Apple Push Certificates Portal.
- Login with the Apple ID that was originally used to create the push certificate. The Apple ID must be the same.
Note: If the Apple ID is not known, review the I Forgot Which Apple ID was Originally Used section below.
- Find the certificate that matches the expiration date listed in Dashboard. If uncertain, refer to the Identifying the Correct APNS Certificate section below. Then click Renew.
Note: Do not Revoke the certificate or Create a Certificate. Both of these options will result in all Apple devices requiring re-enrollment.
- Click Choose File and browse to the CSR file downloaded earlier. Then click Upload.
Note: Make sure to select the CSR file that was downloaded in Step 3 above, as multiple CSR files can have similar names.
- The next page confirms that the certificate was renewed successfully and includes the new expiration date.
- Click Download to get the new certificate.
- Back in Dashboard, in Step 3, enter the Apple ID that was used to renew the certificate. This makes it easier to track which Apple ID was used, and should be reused for the next renewal.
- Click on Choose File in Step 4, and browse to the certificate that was just downloaded. This file should begin with "MDM_Meraki".
Note: Make sure this is the certificate that was just downloaded, as multiple certificates can have similar names.
- Once the certificate is uploaded, click Test Certificate.
- This should confirm that the certificate is valid and functional.
Troubleshooting Apple MDM Push Certificate Renewal
If you have renewed your Apple Push Notification Service certificate and Dashboard is reporting that your devices are offline and out of compliance, this means that something went wrong with the renewal process and a new certificate was generated rather than an actual renewal. To troubleshoot, we'll walk through recovering the APNS communications chain and re-establishing contact with these devices through APNS.
I Created a New Cert Instead of Renewing the Existing One
If you unintentionally created a new cert instead of renewing the existing certificate, try using the following steps to resolve this issue.
Revert to the organization's previous APNS certificate
With the "Revert Certificate" button you can revert your Organization back to the previously uploaded APNS certificate.
Identifying the Correct APNS Certificate
Each APNS certificate is unique, but every renewal of the same certificate keeps the same Subject, whose UID is the Push Topic (the identifier that ties the enrolled devices to push requests sent with this certificate). Dashboard presents the current push topic under Organization > MDM > Apple MDM.
Before renewing, you can use this value to ensure you're renewing the appropriate certificate by checking this Topic against the values listed in Apple's Identity Portal.
Note: If you don't have access to the Apple Push Portal, but do have access to push certificates, you may run a command similar to the following to identify the correct certificate for renewal (or for providing to Apple to find the correct account to renew from):
user$ openssl x509 -in /path/to/cert.pem -noout -text | grep 'Subject:'
Which should result in:
Subject: UID=com.apple.mgmt.External.f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, CN=APSP:f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, C=US
Incorrect Certificate was Used/Renewed
Following an APNS Certificate renewal, if you see an error message indicating an APNS mismatch under Systems Manager > Manage > Add Devices > iOS or macOS, you may have renewed with the wrong certificate. If this is the case, there are two simple recovery options.
Upload the Old APNS Certificate to Dashboard
If you have access to the previous APNS certificate, you can put it back into Dashboard and reestablish communication using the following steps:
- Navigate to Organization > MDM.
- Click the Update/Renew button.
- Skip steps one and two, jumping immediately to step 3. Fill in the Apple ID used to generate the old APNS certificate.
- Upload the old APNS certificate to dashboard.
- Save Changes.
This will reestablish communication with your enrolled devices while you determine what went wrong with the previous renewal.
Renew the Correct APNS Certificate
If you don't have access to a copy of the old APNS Certificate, Meraki Support can provide you with a copy of the old APNS Topic which you can use to identify the correct APNS certificate for renewal by using the information above. You can then follow the normal process for renewing an APNS certificate.
I Forgot Which Apple ID was Originally Used
It is only possible to renew the push certificate using the same Apple ID that was originally used. If this Apple ID is unknown or cannot be found, a new certificate will need to be generated. This can be done by clicking Update/renew certificate and following the steps presented to generate a new certificate. When this is done, all previously enrolled Apple devices will need to be re-enrolled. To avoid this, be sure to track the Apple ID used to sign the cert, and contact Apple Support for assistance if necessary.
Finding the Original Apple ID
If there are multiple accounts that are suspected of being used to generate the certificate, the following items can be checked to confirm whether a certificate is the correct one:
- Navigate to Organization > MDM > Apple MDM in Dashboard.
- Take note of the Apple push topic (UID in the screenshot below) and Expires on date (Expiration Date in the screenshot below).
- Navigate to the Apple Push Certificate Portal.
- If any Certificates for Third-Party Servers are listed, look for one with a Vendor of "Meraki Inc.".
- Verify that the Expiration Date matches what was displayed in Dashboard.
- Click the info icon (i) to pull up the detailed information about the certificate.
- Verify that the UID displayed matches the Apple push topic from Dashboard exactly.
- If the Expiration Date and UID match Dashboard exactly, then the certificate has been correctly identified. Follow the instructions in the first half of this article to renew the existing certificate.
Note: To reduce the likelihood of this occurring again, make sure the Apple ID used is entered in Dashboard following the renewal. We recommend using a generic account that is not tied to a specific user, or a distribution list, such as mdm@example.com.
Recovering an orphaned APNs Push Cert/Topic
If you cannot access the account associated with your Organization's Push Certificate, you will need to contact Apple Support for assistance utilizing the instructions found here: https://support.apple.com/en-gb/118629.
When doing so, be prepared to provide as much information about the current certificate as you can, this includes, but is not limited to:
- Government-issued photo ID
- Employment verification document from your organisation or employer
- Employee badge or business card
- Copy of the APNs certificate / APNs serial number
The currently used push certificate may be downloaded from Dashboard by admins with Organization Write permissions on the Organization > MDM page via the Download Certificate button under the Apple MDM subheading. The serial number of the certificate can then be read with the following openssl command. Use -serial rather than grepping the -text output: for the long serials Apple issues, -text prints the value on the line after "Serial Number:", so a grep for 'Serial' returns only the label.
openssl x509 -in /path/to/cert.pem -noout -serial
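The three openssl checks above (push topic from the Subject UID, expiration date matched against Dashboard, serial number for Apple Support) can be combined into one script that, given a directory of candidate .pem files, picks the certificate whose topic matches the one Dashboard shows. The script below is an added example, not Meraki's or Apple's code. The function names are our own, and the two certificates it works on are constructed self-signed samples that only imitate the Subject layout of a real push certificate (which is issued by Apple's CA); the matching topic reuses the UID shown earlier in this article, the other topic is made up.

```shell
#!/bin/sh
# Added example, not Meraki's or Apple's code: pick the right APNs push
# certificate for renewal from a set of .pem files and print the values
# Dashboard and Apple Support ask for, using only the openssl CLI.
set -eu

# push_topic CERT: print the Subject UID (com.apple.mgmt.External.<uuid>),
# which is the APNs push topic shown in Dashboard under Organization > MDM.
# -nameopt RFC2253 keeps the subject format stable across OpenSSL versions.
push_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# cert_serial CERT: print the serial number as one hex string. -serial is
# used rather than grepping -text output, because -text prints long serials
# on the line after "Serial Number:".
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# cert_expiry CERT: print notAfter as "Mon DD YYYY" so it can be compared
# with the Expires on date in Dashboard.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate \
        | sed 's/^notAfter=//' | awk '{print $1, $2, $4}'
}

# find_renewal_candidate TOPIC CERT...: print the first certificate whose
# push topic equals TOPIC exactly; return 1 if none matches. Renewing any
# other certificate leaves the enrolled devices unreachable.
find_renewal_candidate() {
    topic="$1"; shift
    for cert in "$@"; do
        if [ "$(push_topic "$cert")" = "$topic" ]; then
            printf '%s\n' "$cert"
            return 0
        fi
    done
    return 1
}

# make_sample_cert OUT UUID: constructed sample input (assumption). A real
# push certificate is issued by Apple's CA; this self-signed one only copies
# the Subject layout UID=com.apple.mgmt.External.<uuid>, CN=APSP:<uuid>, C=US.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "${1%.pem}.key" -out "$1" \
        -subj "/UID=com.apple.mgmt.External.$2/CN=APSP:$2/C=US" 2>/dev/null
}

SAMPLE_DIR="$(mktemp -d)"
# Topic as Dashboard shows it (the UID from the example earlier in this
# article) and a second, made-up topic belonging to some other account.
DASHBOARD_TOPIC="com.apple.mgmt.External.f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab"
make_sample_cert "$SAMPLE_DIR/cert_a.pem" "11111111-2222-3333-4444-555555555555"
make_sample_cert "$SAMPLE_DIR/cert_b.pem" "f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab"

if match="$(find_renewal_candidate "$DASHBOARD_TOPIC" "$SAMPLE_DIR"/cert_*.pem)"; then
    echo "Renew this one: $match"
    echo "  topic:   $(push_topic "$match")"
    echo "  serial:  $(cert_serial "$match")"
    echo "  expires: $(cert_expiry "$match")"
else
    echo "No certificate carries topic $DASHBOARD_TOPIC; ask Meraki Support for the old topic or Apple Support for the account." >&2
fi
```

Run it against the .pem files downloaded from identity.apple.com and from Dashboard; an exact topic match identifies the certificate to click Renew on, and the serial it prints is the value to give Apple Support when recovering an orphaned topic.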
Please reference Apple's documentation for more information on how the Apple Push Notification Service works.