
Troubleshooting Apple MDM Push Certificate Renewal

If you have renewed your Apple Push Notification Service (APNS) certificate and Dashboard reports that your devices are offline and out of compliance, something went wrong with the renewal process: a new certificate was generated instead of the existing one being renewed. This article walks through recovering the APNS communication chain and re-establishing contact with these devices through APNS.

Identifying the Correct APNS Certificate

Each APNS certificate is generated uniquely, but all certificates for a given certificate chain share a common Subject, which includes the Push Topic (generally a common identifier for the set of devices this push request can communicate with). Dashboard presents the current push topic under Organization > MDM > Apple MDM.

Before renewing, you can use this value to make sure you are renewing the appropriate certificate by checking this Topic against the values listed in Apple's Identity Portal.

NOTE: If you don't have access to the Apple Push Portal, but do have access to push certificates, you may run a command similar to the following to identify the correct certificate for renewal (or for providing to Apple to find the correct account to renew from):

user$ openssl x509 -in /path/to/cert.pem -noout -text | grep 'Subject:'

This should produce output similar to:

Subject: UID=com.apple.mgmt.External.f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, CN=APSP:f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, C=US
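
The following script is an added example, not part of the original article or Meraki tooling. It compares the topic in each candidate certificate's Subject against the topic shown in Dashboard. The function names are hypothetical, and the three Subject layouts it accepts are an assumption about how different OpenSSL versions print the same Subject.

```shell
#!/bin/sh
# Added example: find which push certificate carries the Dashboard push topic.
# Usage: ./find_push_cert.sh <dashboard-topic> cert1.pem [cert2.pem ...]

# Extract the push topic (the UID attribute) from an openssl Subject line.
# Accepts "UID=x, CN=..." (the layout shown in this article),
# "UID = x, CN = ..." and the slash-separated "/UID=x/CN=...".
topic_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*UID *= *\([^,/ ]*\).*|\1|p'
}

# Return 0 only when the Subject carries a topic and it equals the expected one.
subject_matches_topic() {
    found=$(topic_from_subject "$1")
    [ -n "$found" ] && [ "$found" = "$2" ]
}

# Report, for each certificate file, whether it belongs to the expected topic.
find_cert_for_topic() {
    expected=$1; shift
    for cert in "$@"; do
        subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || {
            echo "SKIP  $cert (not a readable PEM certificate)"; continue; }
        if subject_matches_topic "$subject" "$expected"; then
            enddate=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
            echo "MATCH $cert (expires $enddate)"
        else
            echo "OTHER $cert (topic: $(topic_from_subject "$subject"))"
        fi
    done
}

if [ "$#" -ge 2 ]; then
    find_cert_for_topic "$@"
else
    # Demo on the Subject from this article, rewritten in the three layouts.
    t=com.apple.mgmt.External.f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab
    for s in "Subject: UID=$t, CN=APSP:f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, C=US" \
             "subject=UID = $t, CN = APSP:f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, C = US" \
             "subject= /UID=$t/CN=APSP:f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab/C=US"; do
        subject_matches_topic "$s" "$t" && echo "match: $s"
    done
fi
```

A certificate reported as OTHER belongs to a different push topic; renewing it would produce the offline, out-of-compliance state described at the top of this article.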


Incorrect Certificate was Used/Renewed

Following an APNS Certificate renewal, if you see the following message under Systems Manager > MDM > Add Devices (return to the old look) > iOS or OSX, you may have renewed with the wrong certificate:


If this is the case, there are two simple recovery options:

Upload the Old APNS Certificate to Dashboard

If you have access to the previous APNS certificate, you can put it back into Dashboard and reestablish communication using the following steps:

  1. Navigate to Organization > MDM.
  2. Click the Update/Renew button.
  3. Skip steps one and two, jumping immediately to step 3. Fill in the Apple ID used to generate the old APNS certificate.
  4. Upload the old APNS certificate to Dashboard.
  5. Save Changes.

This will reestablish communication with your enrolled devices while you determine what went wrong with the previous renewal. 

Renew the Correct APNS Certificate

If you don't have access to a copy of the old APNS Certificate, Meraki Support can provide you with a copy of the old APNS Topic which you can use to identify the correct APNS certificate for renewal by using the information above. You can then follow the normal process for renewing an APNS certificate.

Last modified
10:44, 19 Jul 2017



Article ID

ID: 4957
