How to Generate an APNs Certificate for Workspace ONE

The Apple Push Notification service (APNs) is used to allow Workspace ONE to securely communicate to the smart device fleet over-the-air. Workspace ONE uses the APN's certificate to send notifications to devices when the Administrator requests information or during a defined monitoring schedule. No data is sent through the APN's server, only the notification.

• Access to the organization group’s Workspace ONE Administration Console
• Apple ID (or ability to create an Apple ID)
• Safari, Firefox, Chrome, or Edge web browser (Internet Explorer is not supported): Ensure to work through all the steps in this guide using the same browser session. The APN's generation process with Apple includes time-based and browser-based credentials for security purposes, which mandate following the steps in the Generating an APNs Certificate section to avoid any security or session-related errors. If one browser does not generate the certificate, try a different browser, but ensure to redo or complete all the steps in one session.

Generating the APN's certificate is a three-step process:

1. Download the AirWatch-signed CSR from the Workspace ONE Admin Console.
2. Upload the AirWatch-signed CSR to the Apple Push Certificate Portal.
3. Download the Apple-signed certificate (.pem) from the Apple Push Certificate Portal.
   Note: To perform this task, ensure that your Workspace ONE Admin Account has access to the highest Workspace ONE Organization Group. The best practice is to complete the process at the Customer Organization Group level. If your Admin Account does not have access to the highest Organization Group, you may not be able to access the necessary settings.

Download the AirWatch-Signed CSR from the AirWatch Admin Console.

1. Go to Groups & Settings > All Settings > Devices & Users > Apple > APNs For MDM and then select Generate New Certificate.
   
2. Provide the certificate request (step 1) to Apple to process and obtain your certificate, and then upload it into the Workspace ONE console.
   Click MDM_APNsRequest.plist to download the request. If you already have an Apple Id select Go to Apple, and if you do not select Click here and following directions to create one.
   
3. Sign into the Apple Push Certificates Portal website using a valid Apple ID and password. If you have two-factor authentication enable, verify your identity by entering your Verification Code:
   If the Go To Apple button fails to direct you to the portal, open a new tab and go to: https://identity.apple.com/pushcert/
   
   Note: An Apple Developer Account is not required for sign-in. While any valid Apple ID works, we recommend you create a separate Apple ID linked to your corporate email account for long-term management.
4. Click Create a Certificate.
   
5. Select the "I have read and agree to these terms and conditions" checkbox and click Accept.
   
6. Click Choose File and go to the AirWatch-signed CSR downloaded in Step 2. Find and select the certificate that you downloaded from Apple’s portal named: MDM_APNsRequest.plist
   
7. Click Upload (A new certificate for Workspace ONE MDM displays.)
   
8. Click Download and save the Apple-signed certificate to an accessible location.
   Note: The document must be in .pem file format.

1. Return to the Workspace ONE Admin Console and click Next.
   
2. Upload the Apple-signed certificate to Workspace ONE that was recently downloaded (.pem file). Enter the Apple ID used to sign into the Apple Push Certificates Portal website previously.
   
3. Click Save.
4. This is a restricted action, so you must enter you security PIN.
   
5. Verify details on the APNs For MDM page.
   Note: When generating and renewing at a top-level Organization Group, set child groups to inherit or override settings.
6. Click Save and then x in the upper right corner, and you have completed the task.