Home > Enterprise Mobility Management > Device Enrollment > Troubleshooting Apple MDM Push Certificate Renewal

Troubleshooting Apple MDM Push Certificate Renewal

If you have renewed your Apple Push Notification Service certificate and Dashboard is reporting that your devices are offline and out of compliance, this means that something went wrong with the renewal process and a new certificate was generated rather than an actual renewal.  This article walks through recovering the APNS communications chain and re-establishing contact with these devices through APNS.

Identifying the Correct APNS Certificate

APNS certificates are generated uniquely, but all certs for a given certificate chain will share a common Subject which includes the Push Topic (generally a common identifier for the set of devices this push request can communicate with). Dashboard presents the current push topic under Organization > MDM > Apple MDM:

Before renewing, you can use this value to ensure you're renewing the appropriate certificate by checking this Topic against the values listed in Apple's Identity Portal:

NOTE: If you don't have access to the Apple Push Portal, but do have access to push certificates, you may run a command similar to the following to identify the correct certificate for renewal (or for providing to Apple to find the correct account to renew from):

user$ openssl x509 -in /path/to/cert.pem -noout -text | grep 'Subject:'

Which should result in:

Subject: UID=com.apple.mgmt.External.f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, CN=APSP:f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, C=US


Incorrect Certificate was Used/Renewed

Following an APNS Certificate renewal, if you see an error message indicating an APNS mismatch under Systems Manager > MDM > Add Devices > iOS or macOS, you may have renewed with the wrong certificate. If this is the case, there are two simple recovery options.

Upload the Old APNS Certificate to Dashboard

If you have access to the previous APNS certificate, you can put it back into Dashboard and reestablish communication using the following steps:

  1. Navigate to Organization > MDM.
  2. Click the Update/Renew button.
  3. Skip steps one and two, jumping immediately to step 3. Fill in the Apple ID used to generate the old APNS certificate.
  4. Upload the old APNS certificate to dashboard.
  5. Save Changes.

This will reestablish communication with your enrolled devices while you determine what went wrong with the previous renewal. 

Renew the Correct APNS Certificate

If you don't have access to a copy of the old APNS Certificate, Meraki Support can provide you with a copy of the old APNS Topic which you can use to identify the correct APNS certificate for renewal by using the information above. You can then follow the normal process for renewing an APNS certificate.

You must to post a comment.
Last modified
16:00, 16 Oct 2017



This page has no classifications.

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community