In this post I will cover:
- Why Microsoft Intune uses an Apple Push Notification Certificate
- Key points of APN certificate management in Intune
- Checking if the APN certificate is expired
- How to Renew an APN certificate in Microsoft Intune
Note: This post assumes that you already have Intune configured with an Apple Push Notification certificate and are managing Apple devices via Intune MDM.
What is an APN certificate used for?
An Apple Push Notification certificate is issued by Apple and is used by a Mobile Device Management system to authenticate itself to the Apple devices that it manages. In the case of Microsoft Intune, it sends the APN certificate to the Apple device and the Apple device, such as an iPhone, validates the certificate before accepting management messages from Intune.
Key points of APNC management in Intune
- If the APN certificate expires and the grace period of 30 days passes then ALL of the Apple devices managed by Intune MDM will stop accepting management tasks from Intune. If this happens then all devices will need to be re-enrolled in Intune. This is a difficult task for a large organisation!
- When an APN certificate is due to expire you must always renew the certificate and not create a new one. Using a brand new certificate will break the trust between your existing Apple devices and Intune. If you accidentally do this, you can revisit the Apple portal and renew the expiring certificate. Loading that in to Intune should restore service for the existing Apple devices.
- Your APN certificate is tied to the Apple ID that was used to create it. If you do not have access to this Apple ID (such as it was created in the name of a former employee) then start taking steps now to gain access! One workaround is to contact Apple Developer Program Support with the certificate details and they will be able to migrate the certificate to another Apple ID.
- Once a renewed APN certificate is loaded in to Intune, all Apple devices will seamlessly transition to accepting the new certificate. There are no device side changes required
Where to find your APN certificate expiry date
It is extremely important to be aware of when your APN certificate is due to expire for the reasons mentioned above.
- In the Endpoint Manager portal https://aka.ms/dmac > Devices > Enroll devices > Apple enrollment > Apple MDM Push certificate
- On this page you will see which Apple ID the created the certificate as well as the expiry date.
If your APN certificate has already expired then you will see the following alert on the Home > Connector status tab of the Endpoint Manager portal as seen below:
How to renew an APN certificate in Microsoft Intune
- In the Endpoint Manager portal https://aka.ms/dmac > Devices > Enroll devices > Apple enrollment > Apple MDM Push certificate.
- The lower section of the page allows you to renew your certificate. Select Download your CSR.
- A file called IntuneCSR.csr will be downloaded.
- Select Create your MDM push Certificate > Login to the Apple portal that opens with the same Apple ID as was used to create the soon to expire APN certificate.
- Select Renew next to the certificate. DO NOT select Create new certificate!
- Select Choose file > upload the IntuneCSR.csr file > select Upload
- Select Download to download the new certificate.
- A file called MDM_Microsoft_Corporation_Certificate.pem will be downloaded.
- Back on the Intune portal, enter the Apple ID used to create the Apple certificate > Upload the .pem file.
- Once Intune validates the certificate it will show as Active with a green tick at the top of the page. There are no devices side actions required.
The Apple Push Notification certificate enhances the security of Intune MDM. Maintaining it is often overlooked because it is easy to set up and normally created as part wider project to migrate to Intune with many moving parts.
It is essential however to stay ahead of expiry and failing to do so can have a huge impact on device management. It should be treated like any other certificate maintenance plan. Key tasks are:
- The Apple ID credentials are recorded and stored securely.
- The expiration date is entered in to a calendar that can alert IT staff.
- The steps to renew the certificate are recorded in a knowledgebase.