In order for Intune to manage iOS and Mac devices, an MDM push certificate is required. The certificate must be installed in your organization's Intune before your users can enrol devices. Like all certificates, the MDM push certificate that Apple issues has an expiry date. Eventually, the certificate will expire, and needs to be renewed.
Before we look at the renewal process, this is a good opportunity to go over the recommended practice for provisioning MDM push certificates from Apple to use with Intune, or with Office 365 MDM. Acquiring the MDM push certificate requires an Apple ID. The Apple ID that you use to log in to the Apple Push Certificates Portal should use an email address that is controlled by your organization. You should not use a personal Apple ID to provision the certificate. If the Apple ID that owns the certificate is lost, for example if that individual leaves the organization, you will need to replace the certificate with a new one. Replacing the certificate will require all of your Apple devices to be re-enrolled in Intune, which is obviously a situation you should avoid.
It's also worth flagging that Microsoft doesn't do much to alert you when the certificate is nearing expiration. Intune is managed through the Azure portal now, but there's no obvious tiles or widgets in a gallery search that you can add to your Azure dashboard to keep an eye on the MDM push certificate status.
Unless you drill down to the device enrolment section of the Azure Intune portal, you might not be aware of an expiring certificate.
However, Apple will notify you by email that the certificate is expiring. The first email alert is sent to the Apple ID 30 days prior to expiry, and another is sent 10 days prior to expiry. This is another reason to control and monitor the email address used as for the Apple ID associated with your MDM push certificate.
Moving on the to the actual renewal process, we can initiate that from the Apple Push Certificates Portal. Click on the Renew button for the expiring certificate.
The Apple portal will ask you to upload a certificate signing request (CSR). The CSR is downloaded from the Intune portal.
Upload the CSR from Intune to the Apple portal, which will then provide you with the new certificate to download.
Return to the Intune portal and upload the certificate. You will also need to provide the email address of the Apple ID that was used to acquire the certificate.
After the certificate is successfully renewed, the warning in the Intune portal will be cleared. If you were surprised by the upcoming certificate expiry, then this is a good time to pin the certificate status to your dashboard.
You can also consider:
- Scheduling a ticket in your support system to appear 30 days or so from the next expiry date.
- Ensuring the email address used for the Apple ID is monitored, and that the people monitoring it have a documented procedure for how to respond to the expiry warning emails.
Paul is a Microsoft MVP for Office Apps and Services and a Pluralsight author. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server.
Great article, very helpful!