
Renewing an Apple MDM Push Certificate

In order for Cisco Meraki Systems Manager to communicate with an enrolled iOS device, Apple's Push Notification Service (APNS) first sends the device a silent notification. This notification prompts the device to check in with the Meraki Dashboard and receive any pending commands. In order for Apple's Push Notification server to recognize commands from Systems Manager, a certificate must be installed on enrolled iOS devices. This certificate is created on Apple's push certificate website, uploaded into Systems Manager, and then silently installed on iOS devices during Systems Manager enrollment.

 

Apple requires this certificate to be renewed every 365 days. The process for renewing the Apple Push Certificate is essentially the same as creating a new one. The critical difference, however, is that the existing certificate must be renewed and re-uploaded into Dashboard. If a new certificate is created instead, currently enrolled iOS devices will appear offline and be unable to receive MDM commands unless they are re-enrolled.

  • Note: Due to incompatibilities with Internet Explorer, obtaining an Apple push certificate should be performed with an alternate browser, preferably Chrome or Safari.
  • Note: For instructions on initially creating and uploading a push notification certificate, please consult the 5-step process on the Organization > MDM page or see here.

Please be sure to follow these instructions carefully, as mistakes can cause the original certificate to be lost, requiring manual re-enrollment of every managed device. Prior to the start of this process, it is strongly recommended to download the existing certificate from identity.apple.com as a backup.

General Overview

  1. Download Meraki CSR file from Organization > MDM page.
  2. Log in to Apple's Push Notification Portal with same Apple ID used to create the current push certificate.
    Note: If the Apple ID is not known, review the Apple ID is unknown section below.
  3. Find the expiring certificate, and select Renew (do not revoke expiring certificate, nor create a new certificate).
  4. Upload CSR downloaded as per Step #1.
  5. Download renewed certificate from Apple, and upload into Dashboard.
  6. Enter/Confirm Apple ID used to log-in to Apple's push notification portal (highly recommended).

Detailed Instructions

  1. In Dashboard, navigate to Organization > MDM.
  2. Under Apple MDM click Update/renew certificate.


     
  3. Download the Meraki signed certificate signing request (CSR) file, labeled as Meraki_Apple_CSR.csr.
  4. In another browser window or tab, go to the Apple Push Certificates Portal.
  5. Login with the Apple ID that was originally used to create the push certificate. The Apple ID must be the same.
    Note: If the Apple ID is not known, review the If the push certificate Apple ID is unknown section below.
  6. Find the certificate that matches the expiration date listed in Dashboard. If uncertain, refer to the section below. Then click Renew.
    Note: Do not Revoke the certificate or Create a Certificate. Both of these options will result in all Apple devices requiring re-enrollment.

     
  7. Click Choose File and browse to the CSR file downloaded earlier. Then click Upload.
    Note: Make sure to select the CSR file that was downloaded in Step 3 above, as multiple CSR files can have similar names.

     
  8. The next page confirms that the certificate was renewed successfully and includes the new expiration date.
  9. Click Download to get the new certificate.

     
  10. Back in Dashboard, in Step 3, enter the Apple ID that was used to renew the certificate. This makes it easier to track which Apple ID was used, and should be reused for the next renewal.
  11. Click on Choose File in Step 4, and browse to the certificate that was just downloaded. This file should begin with "MDM_Meraki".
    Note: Make sure this is the certificate that was just downloaded, as multiple certificates can have similar names.

     
  12. Once the certificate is uploaded, click Test Certificate.

     
  13. This should confirm that the certificate is valid and functional.

     
  14. This can also be confirmed from a Systems Manager network, under MDM > Add devices > iOS > Apple push certificate status.

Issues Renewing the Push Certificate

I created a new cert instead of renewing the existing one

See this article for troubleshooting steps.

I forgot which Apple ID was originally used

It is only possible to renew the push certificate using the same Apple ID that was originally used. If this Apple ID is unknown or cannot be found, a new certificate will need to be generated. This can be done by clicking Update/renew certificate and following the steps presented to generate a new certificate. When this is done, all previously enrolled Apple devices will need to be re-enrolled. To avoid this, be sure to track the Apple ID used to sign the cert, and contact Apple Support for assistance if necessary.

Finding the Original Apple ID

If there are multiple accounts that are suspected of being used to generate the certificate, the following items can be checked to confirm whether a certificate is the correct one:

  1. Navigate to Organization > MDM > Apple MDM in Dashboard.
  2. Take note of the Apple push topic (UID in the screenshot below) and Expires on date (Expiration Date in the screenshot below).

     
  3. Navigate to the Apple Push Certificate Portal.
  4. If any Certificates for Third-Party Servers are listed, look for one with a Vendor of "Meraki Inc.".
  5. Verify that the Expiration Date matches what was displayed in Dashboard.
     
  6. Click the info icon (i) to pull up the detailed information about the certificate.

     
  7. Verify that the UID displayed matches the Apple push topic from Dashboard exactly.

     
  8. If the Expiration Date and UID match Dashboard exactly, then the certificate has been correctly identified. Follow the instructions in the first half of this article to renew the existing certificate.
    Note: To reduce the likelihood of this occurring again, make sure the Apple ID used is entered in Dashboard following the renewal. We recommend using a generic account that is not tied to a specific user, or a distribution list, such as mdm@example.com.
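
The same Expiration Date and UID comparison can be run locally against the certificate file downloaded from Apple before it is uploaded into Dashboard. The script below is an added example, not part of the original article or of Meraki's tooling; it assumes the download is PEM-encoded and that the push topic appears in the certificate subject as a `com.apple.mgmt.` UID. The function names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a downloaded push certificate with the values shown
# under Organization > MDM > Apple MDM before uploading it into Dashboard.

# Print the push topic (Dashboard's "Apple push topic" / portal UID) of a PEM cert.
push_topic() {
    openssl x509 -in "$1" -noout -subject |
        grep -o 'com\.apple\.mgmt\.[A-Za-z0-9.-]*' | head -n 1
}

# Print the certificate's expiry (notAfter), to compare with "Expires on".
push_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Usage: verify_renewed_cert <cert.pem> <apple-push-topic-from-dashboard>
# Returns 0 on match, 1 on topic mismatch, 2 if no topic found, 3 if expired.
verify_renewed_cert() {
    cert=$1
    expected=$2
    actual=$(push_topic "$cert")
    if [ -z "$actual" ]; then
        echo "no MDM push topic found in $cert" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        # A different topic means a new certificate was created, not a renewal:
        # uploading it would force re-enrollment of every Apple device.
        echo "TOPIC MISMATCH: cert=$actual dashboard=$expected" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate already expired: $(push_expiry "$cert")" >&2
        return 3
    fi
    echo "OK: topic matches, expires $(push_expiry "$cert")"
}

# Constructed sample input: a self-signed stand-in for a push certificate.
# Usage: make_sample_cert <out.pem> <topic>
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/UID=$2/CN=APSP:constructed-sample" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Run `verify_renewed_cert` on the file from step 9 of the detailed instructions with the Apple push topic noted from Dashboard; a mismatch means the file is not a renewal of the certificate currently in use.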

 

For more information on how the Apple Push Notification Service works, please reference Apple's documentation.

Last modified
13:35, 17 Jul 2017


Article ID

ID: 1288
