In this guide, I will show you how to renew the Apple MDM push certificate in Intune. If your Apple Push Notification Service (APNs) certificate is about to expire, use the steps outlined in this article to renew it.
An Apple MDM Push certificate is required to manage iOS/iPadOS and macOS devices in Microsoft Intune. The instructions for creating an Apple push certificate are already covered in my tutorial on enrolling macOS in Intune.
The Apple MDM push certificate expires 365 days after you create it and must be renewed manually in Microsoft Intune. If you don’t renew this certificate, all the macOS and iOS/iPadOS-enrolled devices in Intune will require re-enrollment.
What is an Apple Push Notification Service certificate?
The Apple Push Notification Service (APNs) is Apple's notification service. The APNs certificate (also called the MDM push certificate) is what allows an MDM platform like Microsoft Intune to use that service to enroll and manage Apple devices.
A mobile device management (MDM) system such as Microsoft Intune authenticates itself to the Apple devices it manages using an Apple Push Notification certificate that Apple issues.
What happens when the Apple MDM push certificate expires?
When an Apple MDM push certificate expires, you cannot manage enrolled Apple devices in Microsoft Intune. You cannot run any remote actions on Apple devices from the Intune admin center. In addition, you cannot use the Company Portal app or Apple bulk enrollment methods for enrolling new Apple devices in Intune.
The certificate must be renewed manually, and once you do that, all the Apple devices will accept the new certificate. I would recommend renewing an expired MDM certificate rather than creating a new one for your Apple devices.
Apple MDM Certificate Expiration Email
When an Apple MDM certificate is about to expire, you get a reminder email 30 days before the certificate expires. This email is significant because there is no way to determine when your certificates expire other than by manually logging in to the Apple Push Certificates portal.
The APNs certificate that is created to manage Apple devices in Intune is tied to the Apple ID that was used to create it. Microsoft advises using a business email address as your Apple ID and avoiding a personal Apple ID.
Apple recently sent me the following renewal email, informing me that the certificate for the Apple Push Notifications Service was about to expire in 30 days.
Dear Prajwal Desai,
The following Apple Push Notification Service certificate, created for AppleID (email account) will expire on May 15, 2024. Revoking or allowing this certificate to expire will require existing devices to be re-enrolled with a new push certificate.
Mobile Device Management - null
Please contact your vendor to generate a new request (a signed CSR), then visit https://identity.apple.com/pushcert to renew your Apple Push Notification Service certificate.
Thank You,
Apple Push Notification Service
After I received the above email, I logged in to the Intune admin center to check if the certificate was actually expiring. Indeed, Apple was right; the certificate was about to expire in less than 30 days. So I had to renew it quickly.
Steps to renew Apple MDM Push Certificate in Intune
Let’s go through the steps for renewing the Apple MDM push certificate for Microsoft Intune. Make sure you renew the MDM push certificate with the same Apple account you used to create it.
Step 1: Sign in to the Microsoft Intune admin center. Go to Devices > Enrollment and select the Apple tab. Select the Apple MDM Push Certificate.
Step 2: On the MDM Push Certificate window, select Download your CSR to download and save the IntuneCSR.csr request file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.
Step 3: Visit the Apple Push Certificates Portal. Sign in with the Apple ID that was used to create the MDM push certificate. In the Apple portal, find the certificate you want to renew and select Renew.
Step 4: Select Choose File. Choose the new CSR file you downloaded and click on Upload.
Step 5: On the confirmation screen, the following message appears: “You have successfully created a new push certificate.” Now select Download. The browser downloads MDM_ Microsoft Corporation_Certificate.pem.
Step 6: Return to the Intune admin center and select Configure MDM Push Certificate. Upload your certificate file, MDM_ Microsoft Corporation_Certificate.pem, to Intune.
Step 7: After performing the above steps, the Apple MDM push certificate status appears active in both the admin center and the Apple Push Certificates portal.
In the screenshot below, we see the Intune admin center showing the new Apple MDM Push Certificate expiration date. The days until expiration are now set to 365 days. For the next year, I can manage Apple devices in Intune without worrying about the certificate expiring.
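As an added example that is not part of the original post, the shell script below checks whether a push certificate file (such as the MDM_ Microsoft Corporation_Certificate.pem downloaded in Step 5) falls inside the 30-day renewal window that Apple's reminder email also uses, so the expiry can be watched from your own side rather than only from the email. It relies on openssl only. The certificates it checks are constructed self-signed test certificates generated on the spot, and the 30-day threshold, the function names and the file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: warn when an Apple MDM push certificate (.pem) is within the
# 30-day renewal window or already expired. Only openssl is used. The
# certificates checked below are constructed self-signed test certificates,
# not real APNs certificates.

set -eu

WARN_DAYS=30                        # assumed threshold, matches Apple's reminder
WARN_SECONDS=$((WARN_DAYS * 86400))

# check_push_cert <pem-file>
# Prints one status line. Returns 0 when the certificate is fine, 1 when it is
# expiring or expired, 2 when the file is not a readable X.509 certificate.
check_push_cert() {
  pem="$1"
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo "ERROR: $pem is not a readable X.509 certificate"
    return 2
  fi
  enddate=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
  # -checkend N exits 0 if the certificate is still valid N seconds from now
  if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    if openssl x509 -in "$pem" -noout -checkend "$WARN_SECONDS" >/dev/null; then
      echo "OK: $pem valid until $enddate"
      return 0
    fi
    echo "WARNING: $pem expires within $WARN_DAYS days ($enddate) - renew it in Intune"
    return 1
  fi
  echo "EXPIRED: $pem expired on $enddate - enrolled Apple devices will need re-enrollment"
  return 1
}

# make_test_cert <pem-file> <days>
# Constructed self-signed certificate used only to exercise the check above.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
    -days "$2" -subj "/CN=constructed-test-cert" >/dev/null 2>&1
}

# Demonstration: one certificate good for a year, one that expires in 10 days.
DEMO_DIR=$(mktemp -d)
make_test_cert "$DEMO_DIR/fresh.pem" 365
make_test_cert "$DEMO_DIR/expiring.pem" 10
check_push_cert "$DEMO_DIR/fresh.pem" || true
check_push_cert "$DEMO_DIR/expiring.pem" || true
```

To use it on a real file, call check_push_cert with the path of the .pem you downloaded from the Apple Push Certificates Portal; the non-zero exit status makes it easy to wire into a scheduled job or monitoring check.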
Congratulations! By following the above instructions, I hope you were able to successfully renew your Apple MDM Certificate for Intune. Please leave a comment below if you have any questions about renewing your certificate.