How-to: Renew Apple Push Notification Certificate in Microsoft Intune

In this post I will cover:

  • Why Microsoft Intune uses an Apple Push Notification Certificate
  • Key points of APN certificate management in Intune
  • Checking if the APN certificate is expired
  • How to Renew an APN certificate in Microsoft Intune

Note: This post assumes that you already have Intune configured with an Apple Push Notification certificate and are managing Apple devices via Intune MDM.

What is an APN certificate used for?

An Apple Push Notification certificate is issued by Apple and is used by a Mobile Device Management system to authenticate itself to the Apple devices that it manages. In the case of Microsoft Intune, it sends the APN certificate to the Apple device and the Apple device, such as an iPhone, validates the certificate before accepting management messages from Intune.

Key points of APNC management in Intune

  1. If the APN certificate expires and the grace period of 30 days passes then ALL of the Apple devices managed by Intune MDM will stop accepting management tasks from Intune. If this happens then all devices will need to be re-enrolled in Intune. This is a difficult task for a large organisation!
  2. When an APN certificate is due to expire you must always renew the certificate and not create a new one. Using a brand new certificate will break the trust between your existing Apple devices and Intune. If you accidentally do this, you can revisit the Apple portal and renew the expiring certificate. Loading that in to Intune should restore service for the existing Apple devices.
  3. Your APN certificate is tied to the Apple ID that was used to create it. If you do not have access to this Apple ID (such as it was created in the name of a former employee) then start taking steps now to gain access! One workaround is to contact Apple Developer Program Support with the certificate details and they will be able to migrate the certificate to another Apple ID.
  4. Once a renewed APN certificate is loaded in to Intune, all Apple devices will seamlessly transition to accepting the new certificate. There are no device side changes required

Where to find your APN certificate expiry date

It is extremely important to be aware of when your APN certificate is due to expire for the reasons mentioned above.

  1. In the Endpoint Manager portal https://aka.ms/dmac > Devices > Enroll devices > Apple enrollment > Apple MDM Push certificate
  2. On this page you will see which Apple ID the created the certificate as well as the expiry date.

If your APN certificate has already expired then you will see the following alert on the Home > Connector status tab of the Endpoint Manager portal as seen below:

How to renew an APN certificate in Microsoft Intune

  1. In the Endpoint Manager portal https://aka.ms/dmac > Devices > Enroll devices > Apple enrollment > Apple MDM Push certificate.
  2. The lower section of the page allows you to renew your certificate. Select Download your CSR.
  3. A file called IntuneCSR.csr will be downloaded.
  1. Select Create your MDM push Certificate > Login to the Apple portal that opens with the same Apple ID as was used to create the soon to expire APN certificate.
  2. Select Renew next to the certificate. DO NOT select Create new certificate!
  1. Select Choose file > upload the IntuneCSR.csr file > select Upload
  1. Select Download to download the new certificate.
  2. A file called MDM_Microsoft_Corporation_Certificate.pem will be downloaded.
  3. Back on the Intune portal, enter the Apple ID used to create the Apple certificate > Upload the .pem file.
  1. Once Intune validates the certificate it will show as Active with a green tick at the top of the page. There are no devices side actions required.

Summary

The Apple Push Notification certificate enhances the security of Intune MDM. Maintaining it is often overlooked because it is easy to set up and normally created as part wider project to migrate to Intune with many moving parts.

It is essential however to stay ahead of expiry and failing to do so can have a huge impact on device management. It should be treated like any other certificate maintenance plan. Key tasks are:

  • The Apple ID credentials are recorded and stored securely.
  • The expiration date is entered in to a calendar that can alert IT staff.
  • The steps to renew the certificate are recorded in a knowledgebase.
Advertisement

Intune Windows 10 Autopilot deployment profile MENU BUG – Don’t be caught out!

Microsoft recently released two hotly anticipated Intune Preview features:

  • Self-Deploying Autopilot – Azure AD Joined
  • User-Driven Autopilot – Hybrid Azure AD Joined

Naturally Microsoft has added logic to the menu selections in the Autopilot Deployment Profiles that greys out incompatible menu options. I have found and reported to Microsoft a bug that allows you to select incompatible options. Doing so causes you Autopilots to fail.

Creating a new policy and selecting Deployment mode: User-Driven Autopilot – gives you two options:

  • Azure AD Join
  • Hybrid Azure AD Joined (Preview)

Selecting Self-Deploying (Preview) locks the ‘Join to Azure AD as’ drop down menu on to Azure AD Joined. This is desired because Hybrid Azure AD Join is not available for Self-Deploying mode (yet).

Now the bug…

  1. Save a policy with the User-Driven – Hybrid Azure AD Joined options selected.
  2. Go back in to the policy and select Properties.
  3. Change the Deployment Mode to “Self-Deploying”.
  4. Note that the ‘Join to Azure AD as’ drop down stays greyed out on the invalid option ‘Hybrid Azure AD Joined’ .

The impact…

This is not just cosmetic. By doing this the Autopilot device will fail on the Enrolment Status Page (ESP) with the error: 0x801c03ed.

Windows 10 AutoPilot Error 80004005

Update 7th Feb 2023 - This post was written for an earlier version of Autopilot. The solution in this post does not apply to any versions of Windows 10 that are currently in support.

During Windows AutoPilot in User Driven mode you may see the following error on the Network tab (after Windows has downloaded the AutoPilot profile but before the reboot). It takes about 10-20 minutes for this error to display.

Something went wrong.
Confirm that you are using the correct sign-in information and that your 
organisation uses this feature. You can try to do this again or contact 
your system administrator with the error code 80004005
36,35,305,312.797363

Check that the device has a clear line of sight to to a Domain Controller. This is a requirement of User-Driven Autopilot.