APNS Certificate Revoked - iOS - Oh Poop

ben_hertenstein
Contributor

APNS certificate was up for renewal and so I renewed, but I renewed the wrong certificate and then revoked the proper one (face palm). This means any iOS device I needs to re-enroll, simple solution, except...one of my restrictions is that the option to erase all content and settings is disabled (face palm again). so I can't use that option. I am running out of ideas and feel like I have a bunch of bricks that work as iPads but have no manageability to them. Any thoughts or suggestions?

On the flipside, I have the issue with OSx side figured out for the APNS.

1 ACCEPTED SOLUTION

Lucasw
New Contributor III

you could use apple configurator 2 and restore them to factory default, then you could enroll them? Not the best if you have a lot of iPads...

View solution in original post

7 REPLIES 7

ben_hertenstein
Contributor

Would User-Initiated Enrollment for Mobile Devices take care of the issue?

Lucasw
New Contributor III

you could use apple configurator 2 and restore them to factory default, then you could enroll them? Not the best if you have a lot of iPads...

View solution in original post

ben_hertenstein
Contributor

Well, the User-Initated Enrollment didn't fly. When installing the MDM portion an error occurs saying "Profile Installation Failed - A profile containing an MDM payload must be removable." Next up, give Apple Configurator a shot to at least see if I can use that as a last resort. Not a ton of iPads, but 167 is plenty enough.

jchurch
Contributor II

do you make regular backups of the jss? try to restore a backup from before you pooched the cert?

maybe, depending your your backup method, restore to a new machine just to test first. if it works roll back your live environment.

you will loose some inventory data between your restore point in now but it might get you running again

ben_hertenstein
Contributor

Unfortunately, I do not. (Slap on wrist) Would have been a good solution.

davidacland
Honored Contributor II
Honored Contributor II

I'd probably be going down the Apple Configurator route as well. Unless the devices are due to be replaced soon?

ben_hertenstein
Contributor

Used configurator on JSS server that I used to set them all up with, wiped them out, the used DEP to add them back in (also while removing restriction on erase all content and settings on the DEP enrolled devices). Especially since DEP helps ensure the device is tied to my MDM.