APNs Topic ID Mismatch: Automating Re-enrollment for Active MDM Profiles

So your client renewed and pushed or just renewed?  If just the latter and the timeframe is right, you may be able to get on the horn with Apple and have them transfer ownership of the existing cert and then do another renewal and have that push without having to reenroll.  

It annoys me when folks ignore warnings of “hey this is a bad thing to do and your day will get infinitely worse...nay your near future will be terrible” and they click “Sure!”.  Then it’s up to someone else to figure out.

I’d say given the circumstances, give Apple Support a shout.  They may be able to assist.

Whatever you do, do NOT commit to using the new certificate with the mismatched topic.  If the old certificate expires, it’s fine.  Your devices will check in again after you replace it.  

Call Apple: https://support.apple.com/en-us/118629

Here’s an article along the lines of what I said:

https://support.jamf.com/en/articles/11024785-how-to-regain-communication-with-devices-when-a-different-apns-cert-is-uploaded-into-jamf-now

This.  Just all the warnings. lol

Whether or not Apple can/will help seems to vary dramatically, depending on who you get on the other end of the phone call and how long it’s been since the cert was renewed. Sometimes they’ll jump through hoops to help you solve it, and other times it’s, “too bad, so sad. Hu-bubye.”

Here’s the simple extension Attribute I got from Jamf that collects Topic IDs. You can use that to see how widespread your exposure is, if necessary.

#!/bin/sh

echo "<result>$(/usr/sbin/system_profiler SPConfigurationProfileDataType | awk '/com.apple.mgmt.External/{ print $NF }' | sed 's/[";]//g')</result>"