Affected Products:
APNs certificates must be renewed annually to retain MDM functionality on iOS devices. iOS devices cannot be managed without a valid APNs certificate. If an APNs certificate expires, a new APNs certificate must be generated and all previously enrolled devices must be reenrolled.
Note: To perform this task, ensure that your Workspace ONE Admin Account has access to the highest Workspace ONE Organization Group. Also, you must perform this task at the Organization Group level where the certificate was originally loaded. If your Admin Account does not have access to the highest Organization Group, you may not be able to access the necessary settings.
The resolution below details this process. This process has two requirements:
- Workspace ONE recommends using the Google Chrome or Mozilla Firefox browsers. Internet Explorer can download the required files in the wrong format (JSON in this case).
- Once the Renew button has been clicked in the APNs for MDM window, do not navigate away from the renewal window or close it. A unique .plist file is generated each time Renew is clicked, and this sometimes causes a mismatch error when uploading the .pem file from Apple's end.
Steps to renew the APNs certificate:
Note: Renew the certificate with the same Apple ID credentials used to get the original certificate. It is also important to renew the same certificate originally uploaded in the console.
If you use different credentials or renew a different certificate, you are not renewing the certificate but generating a new certificate. When you apply this new certificate to the Workspace ONE Admin Console, the communication breaks between the Workspace ONE Admin Console and the iOS devices that are associated with the original certificate. If this happens, you must then reenroll every iOS device that is associated with the original certificate. Using the same Apple ID credentials and certificate for renewal saves the effort of having to reenroll all your iOS devices.
1. Go to Groups & Settings > All Settings > Devices & Users > Apple > APNs For MDM.
Note: Write down the User Identification (UID) of the certificate that must be renewed, shown in the certificate details. If you have registered for more than one Apple Push Notification certificate on the Apple Push Certificate Portal, you must use the UID to identify and renew the correct certificate.
2. Click Renew.
3. Follow the prompts on the screen to view the instructions and then click MDM_APNsRequest.plist to download the Workspace ONE Certificate request. Once you have downloaded it, click Go To Apple.
4. Sign in to the Apple Push Certificates Portal website using the same Apple ID used to sign in and request the original certificate. If you have two-factor authentication enabled, verify your identity by entering your Verification Code.
If the Go To Apple button fails to direct you to the portal, open a new tab and go to: https://identity.apple.com/pushcert/
5. On the Apple Push Certificates Portal website, select the icon to find the correct certificate by its UID if you have more than one certificate on the portal. Click Renew on the certificate due to expire.
6. Click Choose File and go to the Workspace ONE-signed CSR downloaded in Step 3; it should be named MDM_APNsRequest.plist. Select Upload.
7. Select Download on the Confirmation screen to download the new push certificate from the Apple Portal.
8. Go back to the Workspace ONE Console in your browser and select Next on the APNs for MDM Step 1 page.
9. For the top box, select Upload. On the next screen, select Choose File, find and select the MDM_Workspace ONE_Certificate.pem file that you downloaded in Step 7, and then select Open. This returns you to the APNs for MDM Step 2 screen, where you must enter the Apple ID that was used to sign in on Step 4 into the bottom box.
10. Once both boxes are filled out, select Save. This is a restricted action, so you must enter your Security PIN to authorize the changes. You return to the APNs for MDM summary screen with a Saved Successfully message.
Note: When generating and renewing at a top-level Organization Group, set child groups to inherit or override settings.
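A check that can be run on the .pem downloaded from Apple before it is uploaded, as an added example (not Dell or Workspace ONE code): it confirms that the renewed certificate carries the same UID as the one it replaces and is not close to expiry. It assumes the UID noted in the console is the UID attribute of the certificate subject, that a copy of the currently loaded certificate is available as a .pem file, and that openssl is installed; the function names and `make_sample_cert` are hypothetical.

```shell
#!/bin/sh
# Added example (not Dell/Workspace ONE code): pre-upload check for a renewed
# APNs push certificate. Assumes the UID noted in the console is the UID
# attribute of the certificate subject, and that a copy of the old .pem exists.

# Print the UID attribute from a PEM certificate's subject.
apns_uid() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^UID=//p'
}

# check_renewal OLD.pem NEW.pem [MIN_DAYS]
# 0 = same UID and NEW valid for more than MIN_DAYS; 1 = UID mismatch
# (a new certificate, not a renewal); 2 = UID unreadable; 3 = expiring.
check_renewal() {
    old_uid=$(apns_uid "$1")
    new_uid=$(apns_uid "$2")
    min_days=${3:-30}
    if [ -z "$old_uid" ] || [ -z "$new_uid" ]; then
        echo "cannot read UID from one of the certificates" >&2
        return 2
    fi
    if [ "$old_uid" != "$new_uid" ]; then
        echo "UID mismatch: $old_uid vs $new_uid (do not upload)" >&2
        return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 3
    fi
    echo "OK: $new_uid, $(openssl x509 -in "$2" -noout -enddate)"
}

# Constructed sample input: a self-signed stand-in with an APNs-style subject.
make_sample_cert() {  # OUT.pem UID DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$3" -subj "/UID=$2/CN=APSP:constructed-sample/C=US" 2>/dev/null
}

# Stand-alone use: sh check_apns.sh old.pem new.pem [min_days]
if [ "$#" -ge 2 ]; then check_renewal "$@"; fi
```

A return code of 1 corresponds to the case described above where a different certificate was renewed, which would require reenrolling the devices tied to the original certificate.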