In order for Intune to manage iOS and Mac devices, an MDM push certificate is required. The certificate must be installed in your organization’s Intune before your users can enrol devices. Like all certificates, the MDM push certificate that Apple issues has an expiry date. Eventually, the certificate will expire, and needs to be renewed.
Before we look at the renewal process, this is a good opportunity to go over the recommended practice for provisioning MDM push certificates from Apple to use with Intune, or with Office 365 MDM. Acquiring the MDM push certificate requires an Apple ID. The Apple ID that you use to log in to the Apple Push Certificates Portal should use an email address that is controlled by your organization. You should not use a personal Apple ID to provision the certificate. If the Apple ID that owns the certificate is lost, for example if that individual leaves the organization, you will need to replace the certificate with a new one. Replacing the certificate will require all of your Apple devices to be re-enrolled in Intune, which is obviously a situation you should avoid.
It’s also worth flagging that Microsoft doesn’t do much to alert you when the certificate is nearing expiration. Intune is managed through the Azure portal now, but there’s no obvious tiles or widgets in a gallery search that you can add to your Azure dashboard to keep an eye on the MDM push certificate status.
Unless you drill down to the device enrolment section of the Azure Intune portal, you might not be aware of an expiring certificate.
However, Apple will notify you by email that the certificate is expiring. The first email alert is sent to the Apple ID 30 days prior to expiry, and another is sent 10 days prior to expiry. This is another reason to control and monitor the email address used as for the Apple ID associated with your MDM push certificate.
Moving on the to the actual renewal process, we can initiate that from the Apple Push Certificates Portal. Click on the Renew button for the expiring certificate.
The Apple portal will ask you to upload a certificate signing request (CSR). The CSR is downloaded from the Intune portal.
Upload the CSR from Intune to the Apple portal, which will then provide you with the new certificate to download.
Return to the Intune portal and upload the certificate. You will also need to provide the email address of the Apple ID that was used to acquire the certificate.
After the certificate is successfully renewed, the warning in the Intune portal will be cleared. If you were surprised by the upcoming certificate expiry, then this is a good time to pin the certificate status to your dashboard.
You can also consider:
- Scheduling a ticket in your support system to appear 30 days or so from the next expiry date.
- Ensuring the email address used for the Apple ID is monitored, and that the people monitoring it have a documented procedure for how to respond to the expiry warning emails.
FYI, something must have changed with how intune and apple handle expired certificates. My push certificate was expired by more that 50 days. I was sure I would need to re-enroll all my devices.
However I followed the procedure above, making sure to click the “renew” button in the apple portal, and to my surprise, devices started trickling back in.
After receiving of calls that iOS devices are taged as non compliant we have noticed that de MDM push certificate is expired. After renewing the certificate (just renew en not create a new one) we can enforce the check in process on the non compliant iOS devices but intune stil saing that the device in not compliant.
Devices that had automatically cheked in just for the expiration date are stil functioning and are compliant.
Should we rejoin those non compliant iOS devices or just wait or take actions? What do you think?
Great Article, Many Thanks…
Once we update the cert do I have to go to all 600 of my users and have them re-enroll?
That depends on whether you have created a new Apple Push Certificate or just renewed the old one.
What if some iOS devices are taged as non compliant just few days before the expiration date? We have renewed our expired certificate but the devices that were taged as non compliant are stil having non compliance issue while we kan enforce the check in on those device.
Thanks! Well done.
Great article, very helpful!