Documenting the Apple APNs certificate on your MDM server
Christian Karasiewicz
Any mobile device management (MDM) administrator who is managing Apple iOS devices understands the need for an Apple Push Notification service (APNs) certificate on the MDM server. A valid APNs certificate is fundamental to allowing the MDM administrator to “securely enroll devices in an enterprise environment, configure and update settings, monitor compliance with corporate policies, and remotely wipe or lock managed devices,” as the Apple iPhone in Business page explains. If you are not an MDM administrator but would like an introduction to how MDM tools use APNs certificates, you might find this Network World article useful.
MDM tools require a valid APNs certificate
If you are an MDM administrator, are you managing your APNs certificate well? Do you have a reminder in your schedule to renew it every year? Do you have procedures readily available to help you renew it? Have you documented the important attributes of your APNs certificate?
In this blog post, I would like to suggest some good documentation practices for tracking your APNs certificate. This should help alleviate APNs certificate expiration nightmares.
Let's talk about three scenarios that an MDM administrator who has to deal with an expired APNs certificate might encounter. This should give us an appreciation for why it is so important to adopt good documentation practices for your APNs certificate.
What happens to managed iOS devices if the APNs certificate expires?
What does an expired certificate mean for your managed iOS devices? In a nutshell, your iOS devices no longer trust APNs commands sent over the air by the MDM server. Your MDM tool cannot monitor compliance settings on the iOS device, send remote wipe or remote unlock commands, or send new configuration settings. Users will not notice anything amiss; the devices will continue to operate normally. However, from an MDM administrator's point of view, all your iOS devices have essentially become unmanaged.
What happens to the existing fleet of iOS devices if you replace the APNs certificate?
In this scenario an MDM administrator tries to replace the existing APNs certificate on his MDM server with a brand new one, generated with an entirely new certificate signing request. While it is true that the APNs certificate is now valid, the problem is that it no longer matches the one on the managed iOS device. Again, the net result is that these devices would be unmanaged at this point. But now let's say the MDM administrator feels he has no choice but to stick with this new APNs certificate. Well, in order to use it, the MDM administrator would have to ask each individual user to manually remove the MDM profiles on his or her iOS device and re-enroll with the MDM tool. Now that's what I call a nightmare.
For multiple MDM servers, how do you know which APNs certificate goes with which server?
In some cases an MDM administrator has multiple MDM servers and may have to keep track of multiple APNs certificates. To be fair, most enterprises have only one MDM tool deployed. But let's say you do find yourself in this situation and have lost track of which APNs certificate goes with which MDM server. The MDM administrator now must invest the time to match them up. It is technically possible to examine the properties of an APNs certificate on your local hard drive and compare them with those of an APNs certificate installed on an MDM server. See the “Match APNs Certificates” section of this article on the IBM Endpoint Manager for Mobile Devices wiki for one approach to tackling this issue.
APNs certificate good documentation practices
These are my recommendations for managing and documenting your APNs certificate.
Note: in September 2011, Apple revamped their APNs certificate signing process flow, and this was a boon to MDM administrators. Creating and renewing APNs certificates is free of charge after this date using the Apple Push Certificates Portal. Bonus! However, if you created your APNs certificate prior to this date, then you had to use the Apple iOS Developer Enterprise Portal (iDEP), and you had to pay a yearly fee to Apple.
Location of certificate
Apple ID owner
Note: as an MDM administrator, you may find yourself in a scenario where you can view the APNs certificate inside your MDM server, but you are unsure who the Apple ID owner is. Maybe you inherited this MDM server and its APNs certificate from someone else, or maybe you set it up a long time ago and forgot to document it (because you hadn't read this article yet!). When renewing a certificate, it is important to log in to the Apple Push Certificates Portal using the same Apple ID used to create the certificate. If you cannot remember the Apple ID that is tied to your APNs certificate, you can open a ticket with Apple Developer Program Support (by phone or web). Apple will ask for the certificate's serial number. Your MDM tool may display this as a 20-digit decimal number; if it does, you must convert it to hexadecimal when reporting it to Apple.
Corporate mailbox for this Apple ID
Certificate expiry date
Certificate renewal procedure
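As an added example (not from the original post or from any MDM product), the Python sketch below keeps the fields listed above in one record per MDM server, converts the decimal serial number an MDM console displays into the hexadecimal form to report to Apple, matches local certificate files to servers by serial number, and flags certificates that are expired or due for renewal. All server names, paths, mailboxes, dates and serial numbers are constructed, and the local serials are assumed to be in the form printed by `openssl x509 -noout -serial`.

```python
from datetime import date

# Constructed inventory: one record per MDM server, using the fields listed above.
SERVERS = {
    "mdm-prod": {"location": "/secure/apns/prod.pem", "apple_id_owner": "J. Doe",
                 "mailbox": "apns-prod@example.com", "not_after": "2024-03-20",
                 "serial_dec": "12345678901234567890"},
    "mdm-lab":  {"location": "/secure/apns/lab.pem", "apple_id_owner": "J. Doe",
                 "mailbox": "apns-lab@example.com", "not_after": "2024-02-10",
                 "serial_dec": "18446744073709551616"},
    "mdm-dr":   {"location": "unknown", "apple_id_owner": "unknown",
                 "mailbox": "unknown", "not_after": "2025-01-15",
                 "serial_dec": "18446744073709551615"},
}
# Constructed serial strings for certificate files found on an admin workstation.
LOCAL_CERTS = {"old-backup.pem": "serial=AB54A98CEB1F0AD2",
               "renewed.pem": "01:00:00:00:00:00:00:00:00"}

def serial_dec_to_hex(dec_serial):
    """Decimal serial as shown by the MDM console -> even-length uppercase hex."""
    digits = dec_serial.strip()
    if not digits.isdigit():
        raise ValueError(f"not a decimal serial: {dec_serial!r}")
    hex_digits = format(int(digits), "X")
    return hex_digits.zfill(len(hex_digits) + len(hex_digits) % 2)

def parse_hex_serial(text):
    """Accept 'serial=AB54...', 'ab:54:...' or '0xAB54...' and return an int."""
    return int(text.split("=")[-1].replace(":", "").strip(), 16)

def match_certs(servers, local_certs):
    """Map each server to the local file with the same serial, or None."""
    by_serial = {parse_hex_serial(s): path for path, s in local_certs.items()}
    return {name: by_serial.get(int(rec["serial_dec"]))
            for name, rec in servers.items()}

def renewal_report(servers, today, warn_days=30):
    """Rows of (server, mailbox, hex serial, days left, status), soonest first."""
    rows = []
    for name, rec in servers.items():
        days_left = (date.fromisoformat(rec["not_after"]) - today).days
        status = ("EXPIRED" if days_left < 0
                  else "RENEW" if days_left <= warn_days else "ok")
        rows.append((name, rec["mailbox"],
                     serial_dec_to_hex(rec["serial_dec"]), days_left, status))
    return sorted(rows, key=lambda r: r[3])

if __name__ == "__main__":
    for row in renewal_report(SERVERS, date.today()):
        print(*row, sep="\t")
    print(match_certs(SERVERS, LOCAL_CERTS))
```

Comparing serial numbers as integers rather than as strings avoids false mismatches caused by colons, letter case or a leading zero byte.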
An MDM administrator who has his Apple APNs certificate(s) well documented, and keeps up with the expiry dates, can enjoy smooth sailing when managing his fleet of Apple iOS devices. Did I miss one of your favorite APNs certificate management best practices? Please add a comment below.