To manage iOS devices, you must first obtain an Apple Push Notification Service (APNs) certificate. An APNs certificate allows Workspace ONE UEM to communicate securely with Apple devices and report information back to the UEM console.

Per Apple's Enterprise Developer Program, an APNs certificate is valid for one year and then must be renewed. The UEM console sends reminders through Notifications as the expiration date nears. Your current certificate is revoked when you renew from the Apple Development Portal, which prevents device management until you upload the new one. Plan to upload your certificate immediately after it is renewed. Consider using a different certificate for each environment if you use separate production and test environments.

This diagram shows a UEM console server sending a notification to Apple's APNs server, which in turn delivers notifications to devices, which respond back to the UEM console server.

APNs Certificate Expiration

The Notifications button in the header bar of the console alerts you when your APNs for MDM certificates are close to expiring. This notice gives you time to act before a certificate expires.

For more information, see Admin Console Notifications.
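An independent check of the same expiry date, as an added example that is not part of the Workspace ONE UEM documentation: the shell function below reads the Apple-issued PEM file with the openssl command-line tool and classifies it as ok, renew-soon, expired, or invalid. The function name, the 30-day default threshold, and the availability of openssl on the admin workstation are assumptions.

```shell
#!/bin/sh
# Added example: classify an APNs certificate (PEM) by the time left before it expires.
# Assumptions: the openssl CLI is installed; the function name and the
# 30-day default warning window are illustrative choices, not product settings.

apns_cert_status() {
    pem=$1
    warn_days=${2:-30}

    # Not a parseable X.509 certificate (wrong file, truncated download, key only).
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "invalid"
        return 2
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds,
    # so N=0 tells us whether it has already expired.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
        return 1
    fi

    # Still valid, but inside the warning window: schedule the renewal and the
    # upload to the console together, because renewing revokes the old certificate.
    if ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "renew-soon"
        return 1
    fi

    echo "ok"
    return 0
}

# Run as a script: ./apns_cert_status.sh <certificate.pem> [warn_days]
[ $# -eq 0 ] || apns_cert_status "$@"
```

The non-zero exit status for every state other than ok lets a scheduled job alert on the result without parsing the output.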

Generate a New APNs Certificate

Before you can manage iOS devices with Workspace ONE UEM, you must first generate an APNs Certificate to enable and maintain secure communications between your iOS devices and the Workspace ONE UEM console.

You can follow the steps outlined in Using the Getting Started Wizard or generate a new APNs certificate manually by taking the following steps.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
  2. Select the Generate New Certificate button. You are taken to Step 1 Sign Request.
  3. Select the link 'MDM_APNsRequest.plist' and choose a location in which to save the PLIST file, which you must upload to Apple in the next step.
  4. There is an instructions link that shows you how to use the Apple Push Certificates Portal to upload a certificate request. Provided on this page is a convenient Go To Apple button that opens the Apple Push Certificates Portal in a new tab of your browser.
  5. You need two items to continue:
    • The Workspace ONE UEM Certificate Request, which is the PLIST file that you saved to your device.
    • A corporate Apple ID that should be dedicated to MDM for your company. Select the link provided ('Click here') to proceed with the creation of the Apple ID. Doing so opens a new tab in your browser.
  6. Click Next to advance to the next page where you must enter your Apple ID and upload the Apple-issued Workspace ONE UEM MDM certificate (PEM file).
  7. Select Save.

Results: Your APNs certificate has been generated.

What to do next: Check the connectivity of your APNs certificate over the HTTP/2 protocol, which is a major revision of the existing hypertext transfer protocol. See the section titled Check APNs Connectivity over HTTP/2.

Renew an Existing APNs Certificate

You must occasionally renew APNs Certificates to enable and maintain secure communications between your iOS devices and Workspace ONE UEM.

You can follow the steps outlined in Using the Getting Started Wizard or renew expired APNs certificates manually by taking the following steps.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
  2. Select the Renew button and follow the on-screen instructions.
  3. Select the link 'MDM_APNsRequest.plist' and choose a location in which to save the PLIST file, which you must upload to Apple in the next step.
  4. There is an instructions link that shows you how to use the Apple Push Certificates Portal to upload a certificate request. Provided on this page is a convenient Go To Apple button that opens the Apple Push Certificates Portal in a new tab of your browser.
  5. You need two items to continue:
    • The Workspace ONE UEM Certificate Request, which is the PLIST file that you saved to your device.
    • The Apple ID that you originally used to create the certificate, which is displayed in item 2 of the Step 1 Sign Request. See the section titled Generate a New APNs Certificate above.
  6. Click Next to advance to the next page where you must enter your Apple ID and upload the Apple-issued Workspace ONE UEM MDM certificate (PEM file).
  7. Select Save.

Results: Your existing APNs certificate has been renewed.

What to do next: Check the connectivity of your APNs certificate over the HTTP/2 protocol, which is a major revision of the existing hypertext transfer protocol. See the next section titled Check APNs Connectivity over HTTP/2.

Check APNs Connectivity over HTTP/2

You can check the connectivity between Workspace ONE UEM and the Apple HTTP/2 API endpoint. This check allows you to ensure APNs functionality over an HTTP/2 connection after generating a new certificate or following a certificate renewal.

This connectivity test is only for testing APNs over HTTP/2, which is not enabled by default. Any connectivity failures from this test do not impact APNs functionality over a legacy connection.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
  2. Select the Test Connection button. The Workspace ONE UEM console conducts an internal test to determine whether connectivity over the new HTTP/2 protocol is functional.

Results: Because this test only centers on the HTTP/2 protocol, test failures here do not affect current APNs communication. If the HTTP/2 connectivity test fails, the steps you take depend upon the cause of the failure.

  1. Expired Certificate – The certificate you are using for the test has expired. Request a renewal by following the Renew an Existing APNs Certificate instructions on this page.
  2. Invalid Certificate – The certificate you are using for the test, while not expired, is invalid for another reason. You can request a certificate renewal or wait a few minutes and test the connection again.
  3. Unknown Error – Typically occurs during a temporary loss of Internet access. Wait a few minutes and test the connection again.
  4. APNs Client Deactivated – While rare, this cause means that Apple has returned an internal error or that the APNs service is unavailable. Wait a few minutes and test the connection again.