Renew Apple MDM Push Certificate in Intune

An Apple MDM Push certificate is required to manage iOS/iPadOS and macOS devices in Microsoft Intune. Learn how to renew the Apple MDM certificate in Intune.

Posted by Prajwal Desai

In this guide, I will show you how to renew the Apple MDM push certificate in Intune. If your Apple Push Notification Service certificate is about to expire, you can use the steps outlined in this article to renew it.

An Apple MDM Push certificate is required to manage iOS/iPadOS and macOS devices in Microsoft Intune. The instructions for creating an Apple push certificate are already covered if you followed my tutorial on enrolling macOS in Intune.

The Apple MDM push certificate expires 365 days after you create it and must be renewed manually in Microsoft Intune. If you don’t renew this certificate, all the macOS and iOS/iPadOS-enrolled devices in Intune will require re-enrollment.

What is an Apple Push Notification Service certificate?

The Apple Push Notification Service (APNs) certificate allows Apple devices to be enrolled and managed via MDM platforms like Microsoft Intune.

A mobile device management (MDM) system such as Microsoft Intune authenticates itself to the Apple devices it manages using an Apple Push Notification certificate that Apple issues.

What happens when the Apple MDM push certificate expires?

When an Apple MDM push certificate expires, you cannot manage enrolled Apple devices in Microsoft Intune. You cannot run any remote actions on Apple devices from the Intune admin center. In addition, you cannot use the Company Portal app or Apple bulk enrollment methods for enrolling new Apple devices in Intune.

The certificate must be renewed manually; once you do that, all the Apple devices will accept the new certificate. I would recommend renewing an expired MDM certificate rather than creating a new one for your Apple devices.

Apple MDM Certificate Expiration Email

When an Apple MDM certificate is about to expire, you get a reminder email 30 days before the certificate expires. This email is significant because there is no way to determine when your certificates expire other than by manually logging in to the Apple Push Certificates portal.

The APNs certificate created to manage Apple devices in Intune is tied to the Apple ID that was used to create it. Microsoft advises using a business email address as your Apple ID and avoiding a personal Apple ID.

Apple recently sent me the following renewal email, informing me that the certificate for the Apple Push Notifications Service was about to expire in 30 days.

Dear Prajwal Desai,

The following Apple Push Notification Service certificate, created for AppleID (email account) will expire on May 15, 2024. Revoking or allowing this certificate to expire will require existing devices to be re-enrolled with a new push certificate.

Mobile Device Management - null

Please contact your vendor to generate a new request (a signed CSR), then visit https://identity.apple.com/pushcert to renew your Apple Push Notification Service certificate.


Thank You,
Apple Push Notification Service
Apple MDM certificate expiration email

After I received the above email, I logged in to the Intune admin center to check if the certificate was actually expiring. Indeed, Apple was right; the certificate was about to expire in less than 30 days. So I had to renew it quickly.

Find your APN certificate expiry date

Steps to renew Apple MDM Push Certificate in Intune

Let’s go through the steps for renewing the Apple MDM push certificate for Microsoft Intune. Make sure you renew the MDM push certificate with the same Apple account you used to create it.

Step 1: Sign in to the Microsoft Intune admin center. Go to Devices > Enrollment and select the Apple tab. Select the Apple MDM Push Certificate.

Step 2: On the MDM Push Certificate window, select Download your CSR to download and save the IntuneCSR.csr request file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.

Step 3: Visit the Apple Push Certificates Portal. Sign in with the Apple ID that was used to create the MDM push certificate. In the Apple portal, find the certificate you want to renew and select Renew.

Renew Apple MDM Certificate in Intune

Step 4: Select Choose File. Choose the new CSR file you downloaded and click on Upload.

Renew Apple Push Notification Service certificate

Step 5: On the confirmation screen, the following message appears: “You have successfully created a new push certificate.” Now select Download. The browser downloads MDM_ Microsoft Corporation_Certificate.pem.

Download the renewed Apple MDM Push Certificate

Step 6: Return to the Intune admin center and select Configure MDM Push Certificate. Upload your certificate file, MDM_ Microsoft Corporation_Certificate.pem, to Intune.

Upload the renewed Apple MDM Push Certificate in Intune

Step 7: After performing the above steps, the Apple MDM push certificate status appears active in both the admin center and the Apple Push Certificates portal.

In the screenshot below, we see the Intune admin center showing the new Apple MDM Push Certificate expiration date. The days until expiration are now set to 365 days. For the next year, I can manage Apple devices in Intune without worrying about the certificate expiring.

Verify Apple MDM Push Certificate Expiration Date
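
The same verification can be done on the downloaded .pem file itself. The script below is an added example, not part of the original article: it compares the previous certificate with the renewed one and confirms that the push topic (the UID attribute in the certificate subject) is unchanged and that the new expiration date is far enough out. It assumes openssl is installed and that you kept last year's .pem; the function names and the sample-certificate helper are illustrative.

```shell
#!/bin/sh
# Added example: confirm a renewed APNs MDM push certificate is a renewal.
# Assumptions: openssl is installed; function names are illustrative.

# Print the push topic, stored in the UID attribute of the certificate subject.
cert_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Print the certificate's expiration (notAfter) date.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_renewal OLD.pem NEW.pem MIN_DAYS
# Returns 0 if NEW keeps OLD's topic and is valid for at least MIN_DAYS,
# 1 if the topic is missing or changed, 2 if NEW expires too soon.
check_renewal() {
    old_topic=$(cert_topic "$1")
    new_topic=$(cert_topic "$2")
    if [ -z "$old_topic" ] || [ "$old_topic" != "$new_topic" ]; then
        echo "FAIL: topic '$old_topic' -> '$new_topic'; devices would need re-enrollment" >&2
        return 1
    fi
    if ! cert_valid_for_days "$2" "$3"; then
        echo "FAIL: expires $(cert_not_after "$2"), sooner than $3 days" >&2
        return 2
    fi
    echo "OK: topic $new_topic, expires $(cert_not_after "$2")"
}

# Build a constructed, self-signed stand-in certificate for trying the checks
# offline (not an Apple-issued certificate). Args: OUT.pem TOPIC DAYS
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
        -days "$3" -subj "/UID=$2/CN=APSP:sample/C=US" 2>/dev/null
}

# Usage with real files (paths are placeholders):
#   check_renewal old.pem "MDM_ Microsoft Corporation_Certificate.pem" 300
```

A return code of 1 means the file is a new certificate rather than a renewal of the old one, which is the case the expiration email warns will require re-enrollment.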

Congratulations! By following the above instructions, I hope you were able to successfully renew your Apple MDM Certificate for Intune. Please leave a comment below if you have any questions about renewing your certificate.

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.