Skip to main content

I've got a school that my company have recently taken over ICT support for. When this school was handed over, the APNS certificate in Jamf Pro was already expired. The account settings in the Jamf Pro instance are set in my regions date format (DD/MM/YYYY) and the APNS cert expired on 11/01/2022 (or 11th of January 2022).

 

Unfortunately the company we took over from has not provided the credentials of the Apple ID that was used to create the APNS certificate so I can't log in at https://identity.apple.com/ to check things out there. 

 

My understanding is if the APNS cert is not renewed before the date and expires, the only way to get the devices to communicate with Jamf Pro again is to create a new APNS certificate, import the new certificate into Jamf Pro and then wipe/re-enroll all devices back into Jamf Pro. The devices will then be tied to the new APNS cert.

 

I can see that even though the APNS cert is 3+ months expired, devices are still updating their inventory and reporting back to Jamf Pro. Is this normal behaviour with an expired APNS certificate?

Thanks!

 

EDIT: I've just completed some testing over WiFi and plugged into our deployment Mac Mini. When devices are on a regular WiFi connection they're not checking into Jamf Pro, but if they're plugged into our Mac Mini (running Apple Configurator and acting as a caching server), they can successfully check into Jamf Pro, receive commands etc. It seems like the devices are bypassing the APNS certificate when they're plugged into our deployment server.

 

 

This is expected. The APNS certificate is only needed for MDM commands and Push Notifications. The Jamf binaries (recon, policy, etc) have no dependency on the APNS cert.

When you renew the cert you must use the original Apple ID that was used for the expired cert. Using a new Apple ID and creating a new cert instead of updating the existing will require you to re-enroll every device. If the school has a support agreement with Apple then they should be able to open a case, supply all the certificate info such as serial number, etc and then Apple should be able to provide the Apple ID originally used. If there is still no way to use that Apple ID if you can't get/reset the password, etc then Apple may be able to move the existing certificate to a different Apple ID that can then be used to renew it.

This is expected. The APNS certificate is only needed for MDM commands and Push Notifications. The Jamf binaries (recon, policy, etc) have no dependency on the APNS cert.

When you renew the cert you must use the original Apple ID that was used for the expired cert. Using a new Apple ID and creating a new cert instead of updating the existing will require you to re-enroll every device. If the school has a support agreement with Apple then they should be able to open a case, supply all the certificate info such as serial number, etc and then Apple should be able to provide the Apple ID originally used. If there is still no way to use that Apple ID if you can't get/reset the password, etc then Apple may be able to move the existing certificate to a different Apple ID that can then be used to renew it.


Thanks for the reply. Just to note, these are all iPads, so all these commands that are completing successfully with an expired APNS certificate are MDM commands and Push Notifications.

Reply


Terms & ConditionsCookie settings