- Last updated
- Save as PDF
In order for Cisco Meraki Systems Manager to communicate with an enrolled iOS or macOS device, Apple's Push Notification Service (APNS) first sends the device a silent notification. This notification prompts the device to check-in with the Meraki Dashboard, and receive any pending commands. In order for Apple's Push Notification server to recognize commands from Systems Manager, a certificate must be installed onall enrolled devices. This certificate is created on Apple's push certificate website, uploaded into Systems Manager, and then silently installed on iOSand macOS devices during Systems Manager enrollment.
Apple requires this certificate be renewed every 365 days. The process for renewing the Apple Push Certificate is essentially the same as creating a new one. The critical difference, however, is that the existing certificate must be renewed, and re-uploaded into Dashboard. If a new certificate is created, on the other hand, currently enrolled iOSand macOS devices will appear offline and beunable to receive MDM commands unless they are re-enrolled.
Note: Due to incompatibilities with Internet Explorer, obtaining an Apple push certificate should be performed with an alternate browser, preferably Chrome or Safari.
Please be sure to follow these instructions carefully, as mistakescan cause the original certificate to be lost, requiring manual re-enrollment of every managed device. Prior to the start of this process, it isstronglyrecommended to download the existing .pem certificate fromidentity.apple.comand from Dashboard inOrganization > MDM as a backup.
Creating an Apple MDM Push Certificate
To create and upload an Apple push certificate to manage your iOS, iPadOS,macOS, and tvOSdevices through Systems Manager, complete the 5 steps found on the Organization > MDM > Apple MDM page, also shown below.
Note: Best practice is to use an Apple ID in the Apple Push Certificate Portal that belongs to your organization rather than a personal account, if possible. Losing access to the original Apple ID (and therefore the original Apple Push certificate) would result in losing management of the previously enrolled devices.
A valid certificate generated from theApplePush Certificate Portalis named MDM_ Meraki Inc._Certificate.pem. If the push certificate you create is listed under a different name, the certificate will not be accepted when uploaded into Dashboard (re-naming the file will not resolve the issue).
The most common cause for this error is when the process is completed using Internet Explorer. There are a few known compatibility issues with Internet Explorer, so it is recommended you obtain the certificate using the latest version of Google Chrome or Mozilla Firefox.
After 365 days, theApple Push Notification service certificate will expireso be sure torenew the Apple Push certificateaccordingly. In order to keep the previously enrolled devices remaining enrolled, it is important to renew this same exact certificate.
Renewing an Apple MDM Push Certificate
- Download Meraki CSR file from Organization > MDMpage.
- Log in to Apple's Push Notification Portal with thesame Apple ID used to create the current push certificate.
Note: If the Apple ID is not known, review theApple ID is unknown section below. Not using theoriginal Apple ID (and therefore the original Apple Push certificate) would result in losing management of the previously enrolled devices. - Find the expiring certificate, and select Renew(do notrevoke ordownload theexpiring certificate, do notcreate a new certificate).
- Upload CSR downloaded as per Step #1.
- Download the renewed certificate from Apple, and upload into Dashboard.
- Enter/Confirm Apple ID used to log-in to Apple's push notification portal (highly recommended).
Detailed Instructions
- In Dashboard, navigate to Organization > MDM.
- Under Apple MDMclick Update/renew certificate.
- Download the Meraki signed certificate signing request (CSR) file, labeled as Meraki_Apple_CSR.csr.
- In another browser window or tab, go to the Apple Push Certificates Portal.
- Login with the Apple ID that was originally used to create the push certificate. The Apple ID must be the same.
Note: If the Apple ID is not known, review theIf the push certificate Apple ID is unknownsection below. - Find the certificate that matches the expiration date listed in Dashboard. If uncertain, refer to the section below. Then click Renew.
Note: Do notRevoke the certificate or Create a Certificate. Both of these options will result in all Apple devices requiring re-enrollment.
- Click Choose Fileand browse to the CSR file downloaded earlier. The click Upload.
Note: Make sure to select the CSR file that was downloaded in Step 3 above, as multiple CSR files can have similar names.
- The next page confirms that the certificate was renewed successfully and includes the new expiration date.
- Click Downloadto get the new certificate.
- Back in Dashboard, in Step 3, enter the Apple ID that was used to renew the certificate. This makes it easier to track which Apple ID was used, and should be reused for the next renewal.
- Click on Choose Filein Step 4, and browse to the certificate that was just downloaded. This file should begin with "MDM_Meraki".
Note:Make sure this is the certificate that was just downloaded, as multiple certificates can have similar names.
- Once the certificate is uploaded, click Test Certificate.
- This should confirm that the certificate is valid and functional.
Troubleshooting Apple MDM Push Certificate Renewal
If you haverenewedyour Apple Push Notification Service certificate and Dashboard is reporting that your devices are offline andout of compliance, this means that something went wrong with the renewal process and a new certificate was generated rather than an actual renewal. To troubleshoot, we'll walkthrough recovering the APNS communications chain and re-establishing contact with these devices through APNS.
I Created a New Cert Instead of Renewing the Existing One
If you unintentionally created a new cert instead of renewing the existing certificate, try using the following steps to resolve this issue.
Revert to the organization previous APNS certificate
With the "Revert Certificate" button you can revert your Organization back to the previously uploaded APNS certificate.
Identifying the Correct APNS Certificate
APNS certificates are generated uniquely, but all certs for a given certificate chain will share a common Subject which includes the Push Topic (generally acommon identifier for the set of devices this push request can communicate with). Dashboard presents the current push topic underOrganization > MDM > Apple MDM:
Before renewing, you can use this value to ensure you're renewing the appropriate certificate by checking this Topic against the values listed in Apple's Identity Portal:
Note: If you don't have access to the Apple Push Portal, but do have access to push certificates, you may run a command similar to the following to identify the correct certificate for renewal (or for providing to Apple to find the correct account to renew from):
user$ openssl x509 -in /path/to/cert.pem -noout -text | grep 'Subject:'
Which should result in:
Subject: UID=com.apple.mgmt.External.f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, CN=APSP:f94b8e03-7cbd-4dcc-b1fb-1985dbc720ab, C=US
Incorrect Certificate was Used/Renewed
Following an APNSCertificaterenewal, if you see an error message indicating an APNS mismatch underSystems Manager > Manage > Add Devices> iOSormacOS,you may have renewed with the wrong certificate. If this is the case, there are two simple recovery options.
Upload the Old APNS Certificate to Dashboard
If you have access to the previous APNScertificate, you can put it back into Dashboard and reestablish communication using the following steps:
- Navigate toOrganization> MDM.
- Click theUpdate/Renewbutton.
- Skip steps oneand two,jumping immediatelyto step 3. Fillin the Apple ID used to generate the old APNScertificate.
- Upload the old APNS certificate to dashboard.
- Save Changes.
This will reestablish communication with your enrolled devices while you determine what went wrong with the previous renewal.
Renew the Correct APNS Certificate
If you don't have access to a copy of the old APNS Certificate,Meraki Supportcan provide you with a copy of the old APNS Topic which you can use to identify the correct APNScertificate for renewal by using the information above. You can then follow the normal process for renewing an APNScertificate.
I Forgot Which Apple ID was Originally Used
It is only possible to renew the push certificate using the same Apple ID that was originally used. If this Apple ID is unknown or cannot be found, a new certificate will need to be generated. This can be done by clickingUpdate/renew certificateand following the steps presented to generate a new certificate. When this is done, all previously enrolled Apple devices will need to be re-enrolled. To avoid this, be sure to track the Apple ID used to sign the cert, and contact Apple Support for assistance if necessary.
Finding the Original Apple ID
If there are multiple accounts that are suspected of being used to generate the certificate, the following items can be checked to confirm whether a certificate is the correct one:
- Navigate to Organization > MDM > Apple MDM in Dashboard.
- Take note of the Apple push topic(UID in the screenshot below) and Expires ondate (Expiration Date in the screenshot below).
- Navigate to the Apple Push Certificate Portal.
- If any Certificates for Third-Party Servers are listed, look for one with a Vendorof "Meraki Inc.".
- Verify that the Expiration Datematches what was displayed in Dashboard.
.
- Click the info icon (i)to pull up the detailed information about the certificate.
- Verify that the UIDdisplayed matches the Apple push topicfrom Dashboard exactly.
- If the Expiration Date and UIDmatch Dashboard exactly, then the certificate has been correctly identified. Follow the instructions in the first half of this article to renew the existing certificate.
Note: To reduce thelikelihoodof thisoccurringagain, make sure the Apple ID used is entered in Dashboard following the renewal. We recommend using a generic account that is not tied to a specific user, or a distribution list, such as mdm@example.com.
.
Recovering an orphaned APNsPush Cert/Topic
If you cannot access the account associated with your Organization's Push Certificate, you will need to contact Apple Support for assistance utilizing the instructions found here: https://support.apple.com/en-gb/118629.
When doing so, be prepared to provide as much information about the current certificate as you can, thisincludes, but is not limited to:
- Government-issued photo ID
- Employment verification document from your organisation or employer
- Employee badge or business card
- Copy of the APNscertificate / APNs serial number
The currently used push certificate may be downloaded from Dashboard by Admins with Organization Write permissions on theOrganization > MDMpage via theDownload Certificatebutton in theApple MDMsubheading. The serial of the certificate may then be found via the following openssl command:
openssl x509 -in [/path/to/cert.pem] -noout -text | grep 'Serial'
Please reference Apple's documentation for more information on how the Apple Push Notification Service works.
