Skip to main content

What happens if the push notification certificate expires ?

Apple push notification (APN) certificates have expiration dates. To maintain MDM management with the Macs and iOS devices in your organization, you must renew your APN certificates periodically.



If your APN certificate expires, your iOS devices are no longer managed by Casper. They must be re-enrolled to restore MDM management to that iOS device.



Your Macs will also lose MDM management, but it should be possible to use the Casper agent to restore MDM management after a new APN certificate is uploaded to the Casper server.


Hi @rtrouton,



Whens Macs lose MDM management, is uploading the new certificate sufficient for the JSS to restore management (and re-deploy the config profiles) or is other action required?



Thank you!


They will not fix themselves but you can use the jamf enroll command to reenroll them. Maybe you can run this on multiple computers at once using Apple Remote Desktop.



Usage:   jamf enroll [-prompt | -invitation] [-noRecon] [-noManage]


-prompt Prompts for JSS and SSH credentials.

-invitation Uses an invitation ID for credentials instead of a user name and password.

-noRecon Stops enroll from acquiring inventory.

-noManage Stops enroll from enforcing the management framework.

-noPolicy Stops enroll from checking for enrollment policies.

@adamcodega Thanks Adam. I'm in a bit of a pickle since we are changing Apple IDs (and thus, certificates) for our entire fleet of about 900 Macs. I love ARD but it falls flat with the way our subnets are organized. Any ideas?


Hey friends, if you find yourself in my situation, all that's needed on the OS X side is to run



jamf manage


and the new MDM profiles will come down. Whoo!


@dferrara so your push notification expired and from each computer you simply ran jamf manage ?



I manage a site, the push notification expires soon, not sure what the main administrators are waiting to renew it, just anticipating what to do just in case.


@tcandela



Yeah, it's going to expire in a few months, so we are preparing for it now. I ran it by our account rep and it sounds pretty simple, at least for OS X devices.


the push notifications expired here but since have been renewed. Now my enrolled computers say



MDM capability: NO



and running jamf manage, jam enroll etc.. does not change it to 'YES'


what exactly is lost if MDM Capability = NO ?



I see that policies still execute.
I see that in an enrolled computers 'Management' tab the payload to 'wipe' 'blank push' etc.. is missing


@tcandela Are your profiles getting installed?



Rich T. has some great resources on this topic. I haven't read them fully yet but it looked interesting.



http://derflounder.wordpress.com/2013/08/31/automatically-fixing-casper-mac-mdm-enrollment/



https://derflounder.wordpress.com/2014/06/15/automatically-fixing-mdm-certificate-enrollment-with-casper-9-x/


for newly enrolled computers I do not see 'profiles' in the payload.



all computers that have checked in since the certificate expired have MDM Capability: NO


@tcandela Sounds right.



Your full JSS Admin needs to renew the old APNS... Although as it's now expired they might have to generate a new one & then all clients will need to be re-enrolled.


the certificate has been renewed. subsequent enrollments are still MDM=NO
just to verify does 'Enable Push Notifications' need to be Checked ???



under the following section --- Computer Management --> Security


@tcandela yes, I believe you need to have Push Notifications enabled in order for computers to be MDM capable.


I mentioned to the admins here managing the Full JSS that they probably need to also 'Enable Push Notifications' under the following section --- Computer Management --> Security



this must of 'unchecked' itself after the certificate expired.



they 'checked' the box yesterday, and after computers started checking in, the MDM started changing to YES.



no need to re-enroll


My push notification expired on my JSS - and I have 4500 ipads on this. Is there a way to mass enroll them once I renew my certificate?