Renewed APNS with a new certificate

sanjaymani
New Contributor II

Hi there,


So when Jamf notified us for APNS renewal, instead of using the Apple ID assigned to renew the current certificate on the one on APNS, we accidentally used a different Apple ID and created a new certificate in APNS, causing Jamf to produce a new certificate on Jamf with a new topic. This has caused the managed laptops and phones enrolled on the previous certificate to lose the functionality to get any remote commands from Jamf. The laptops are still checking in and working fine, but the remote command functionality has been lost. We have now found the original Apple ID which was used to renew the certificate.


My question is, if we renew MDM again on Jamf with the certificate that was originally used in APNS, will it make those devices receive the remote commands again, or will it cause all the devices to become unmanaged?


Hope this makes sense, any recommendation will be greatly appreciated. 

4 ACCEPTED SOLUTIONS

sdagley
Esteemed Contributor II

@sanjaymani In theory, if you install the renewed version of the original APNS certificate, it will restore the ability to send management commands to the machines originally enrolled with the old certificate. You will, however, have a problem with any machines enrolled with the certificate generated with the wrong Apple ID, and they'll need to be re-enrolled, but hopefully that would be a much smaller group of machines.

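Telling the two groups of machines apart (those still on the original push topic versus those enrolled under the certificate created with the wrong Apple ID) is something a Jamf admin would normally script as an Extension Attribute and feed into a smart group. The script below is an added example, not code from this thread or from Jamf: it pulls the `Topic` value out of the Mac's MDM enrollment profile (the `com.apple.mdm` payload as dumped by `profiles -C -o stdout-xml`, which needs root) and compares it with the topic of the push certificate currently installed on the server, which the caller passes in. The plist embedded in it is a constructed sample, and the UUID in it is a placeholder rather than any real topic.

```shell
#!/bin/sh
# Added example (not from the thread): report the APNs push topic recorded in
# this Mac's MDM enrollment profile and compare it with the topic of the push
# certificate the Jamf Pro server currently holds. Machines whose topic does
# not match can no longer receive remote commands and need re-enrollment.

# Extract the <string> that follows <key>Topic</key> in plist XML.
# $1: plist XML text, e.g. the output of `profiles -C -o stdout-xml`.
extract_mdm_topic() {
    printf '%s\n' "$1" | awk '
        /<key>Topic<\/key>/ { want = 1; if ($0 !~ /<string>/) next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }'
}

# $1: topic read from the device, $2: topic of the server's current push cert.
# Prints one of: no-mdm-profile, match, mismatch.
compare_topic() {
    if [ -z "$1" ]; then
        echo "no-mdm-profile"
    elif [ "$1" = "$2" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# Constructed sample of what the MDM payload looks like in the profiles dump
# (real output is much larger; the UUID below is a placeholder).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>_computerlevel</key><array><dict>
  <key>ProfileItems</key><array><dict>
   <key>PayloadType</key><string>com.apple.mdm</string>
   <key>PayloadContent</key><dict>
    <key>ServerURL</key><string>https://jamf.example.com/mdm/ServerURL</string>
    <key>Topic</key>
    <string>com.apple.mgmt.External.00000000-1111-2222-3333-444444444444</string>
   </dict>
  </dict></array>
 </dict></array>
</dict></plist>'

# Live mode, for use as a Jamf Extension Attribute: pass the expected topic as
# the second argument (copy it from the server's APNs settings page).
if [ "${1:-}" = "--live" ]; then
    expected="${2:?usage: $0 --live <expected-topic>}"
    topic=$(extract_mdm_topic "$(/usr/bin/profiles -C -o stdout-xml 2>/dev/null)")
    echo "<result>$(compare_topic "$topic" "$expected") ${topic:-none}</result>"
else
    # Offline demonstration on the constructed sample.
    topic=$(extract_mdm_topic "$SAMPLE_PLIST")
    echo "sample topic: $topic"
    echo "against itself: $(compare_topic "$topic" "$topic")"
    echo "against another topic: $(compare_topic "$topic" "com.apple.mgmt.External.other")"
fi
```

Run with `--live <expected-topic>` as root on a Mac to get an EA result of `match`, `mismatch` or `no-mdm-profile`; a smart group on `mismatch` then lists exactly the machines sdagley says will need re-enrollment, and re-running it after the correct certificate is installed confirms the rest have come back.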

pbenware1
Release Candidate Programs Tester

We almost had a similar situation when one of my Admins tried to renew the APNS a year or two ago, despite having the Apple ID in the APNS settings page. That's when I found out that the "Apple ID" field on the APNS settings page is not restricted to an email address; instead we put the URL to our internal support document there, and I make sure that anyone with admin access to Jamf knows that internal docs should be reviewed prior to making any changes to Jamf Pro settings and that proper change request protocol be followed.


mm2270
Legendary Contributor III

I had this happen to me, and I can confirm that in general if you renew the proper APNS cert that used the original Apple ID and install that, the Macs should start communicating again over MDM. It was admittedly a harrowing issue as we have many clients that are remote, as in far away countries and the prospect of having to reset these devices was concerning to say the least. Fortunately once I fixed the issue by installing the proper certificate, communication picked up again.

As @sdagley noted though, be sure you aren't re-enrolling or enrolling any new Macs before you fix this, or those will need to be enrolled again after you put the correct APNS cert in place.

Good luck!


You will find out that you will want to run those remote commands. You may need to remotely lock or erase a system. I sympathize with you completely but you'll be better off in the long run using the original certificate. You can transfer the certificate to a new Apple ID so it can continue to be maintained. You do this by calling Apple's enterprise support. 866-752-7753


6 REPLIES

howie_isaacks
Valued Contributor II

I concur on this. I almost made the same mistake a few months ago but stopped when Jamf Pro showed me the warning about the mismatched topics. Someone didn't document the Apple ID in the APNS settings. My advice to you, after you get this straightened out, is that you use the field provided in the settings to document the correct Apple ID so this won't happen to you again. In my case, I was helping to manage hundreds of Jamf Pro servers, so it was inevitable that whoever worked on the renewal the year before didn't do their job properly and document the Apple ID 🤬

sanjaymani
New Contributor II

Thank you guys, it seems this is such a headache, and yes, someone didn't update the Apple ID correctly, and I may carry on using it with the Apple ID currently set up. The only functionality that's lost is the remote commands, and I will try to automate this with a policy/configuration profiles.


Thanks again. 