To manage iOS devices, you must first obtain an Apple Push Notification Service (APNs) certificate. Workspace ONE UEM communicates with Apple devices securely and reports information back to the UEM console using APNs certificates.

Per the Apple Enterprise Developer Program, an APNs certificate is valid for one year and then requires renewal. The UEM console sends reminders through Notifications as the expiration date nears. Your current certificate is revoked when you renew from the Apple Development Portal, which prevents device management until you upload the new one. Upload your certificate immediately after you renew it. It is a best practice to use one certificate for your production environment and a separate certificate for your test environment.

This diagram shows a UEM console server sending a notification to Apple's APNs server, which in turn delivers notifications to devices, which respond back to the UEM console server.

APNs Certificate Expiration

The Notifications button in the header bar of the console alerts you when your APNs for MDM certificates are close to expiring, allowing you to act.

For more information, see Admin Console Notifications.

Generate a New APNs Certificate

Before you can manage iOS devices with Workspace ONE UEM, you must first generate an APNs Certificate to enable and maintain secure communications between your iOS devices and the Workspace ONE UEM console.

You can follow the steps outlined in Using the Getting Started Wizard or generate a new APNs certificate manually by taking the following steps.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
  2. Select the Generate New Certificate button. Step 1 Sign Request displays.
  3. Select the link 'MDM_APNsRequest.plist' and select a save location. You upload this file to Apple in the following step.
  4. You can learn how to upload a certificate from the Apple Push Certificates Portal by selecting the instructions link. Provided on this page is a convenient Go To Apple button that opens the Apple Push Certificates Portal in a new tab of your browser.
  5. You need two items to continue:
    • The Workspace ONE UEM Certificate Request, which is the PLIST file that you saved to your device.
    • A corporate Apple ID that is dedicated to MDM for your company. Select the link provided ('Click here') to proceed with the creation of the Apple ID. Afterward, a new tab opens in your browser.
  6. Click Next to advance to the next page where you must enter your Apple ID and upload the Apple-issued Workspace ONE UEM MDM certificate (PEM file).
  7. Select Save.

Results: Your APNs certificate generates.

What to do next: Check the connectivity of your APNs certificate over the HTTP/2 protocol. See the section titled Review APNs Connectivity over HTTP/2.

Renew an Existing APNs Certificate

To enable and maintain secure communications between your iOS devices and Workspace ONE UEM, you must occasionally renew APNs Certificates.

You can follow the steps outlined in Using the Getting Started Wizard or renew expired APNs certificates manually by taking the following steps.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
  2. Select the Renew button and follow the instructions.
  3. Select the link 'MDM_APNsRequest.plist' and select a save location. You must upload this file to Apple in the next step.
  4. You can learn how to upload a certificate from the Apple Push Certificates Portal by selecting the instructions link. Provided on this page is a convenient Go To Apple button that opens the Apple Push Certificates Portal in a new tab of your browser.
  5. You need two items to continue:
    • The Workspace ONE UEM Certificate Request, which is the PLIST file that you saved to your device.
    • The Apple ID that you originally used to create the certificate, which is displayed in item 2 of the Step 1 Sign Request. See the section titled Generate a New APNs Certificate.
  6. Click Next to advance to the next page where you must enter your Apple ID and upload the Apple-issued Workspace ONE UEM MDM certificate (PEM file).
  7. Select Save.

Results: Your existing APNs certificate renews.

Check the connectivity of your APNs certificate over the HTTP/2 protocol. See the next section titled Review APNs Connectivity over HTTP/2.

Review APNs Connectivity over HTTP/2

You can review the connectivity between Workspace ONE UEM and the Apple HTTP/2 API endpoint, api.push.apple.com:443. This review allows you to ensure APNs functionality over an HTTP/2 connection after generating a new certificate or following a certificate renewal.

This connectivity test is only for testing APNs over the default HTTP/2 connection. Any connectivity failures from this test do not impact APNs functionality over a legacy connection.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
  2. Select the Test Connection button. The Workspace ONE UEM console conducts an internal test to determine whether connectivity over the new HTTP/2 protocol is functional.

Results: Because this test only centers on the HTTP/2 protocol, test failures here do not affect current APNs communication. If the HTTP/2 connectivity test fails, the steps you take depend upon the cause of the failure.

  1. Expired Certificate – The certificate you are using for the test has expired. Request a renewal by following the Renew an Existing APNs Certificate instructions on this page.
  2. Invalid Certificate – The certificate you are using for the test, while not expired, is invalid for another reason. You can request a certificate renewal or wait a few minutes and test the connection again.
  3. Unknown Error – Typically occurs during a temporary loss of Internet access. Wait a few minutes and test the connection again.
  4. APNs Client Deactivated – While rare, this cause means that Apple has returned an internal error or that the APNs service is unavailable. Wait a few minutes and test the connection again.
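
An independent check of the Apple-issued PEM file against the one-year validity window and the Expired Certificate and Invalid Certificate causes listed above. This is an added example, not Workspace ONE UEM or Apple tooling; the function names, the 30-day warning threshold and the self-signed sample certificate are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify an APNs certificate PEM before or after upload.
# Function names and the 30-day default are assumptions, not UEM settings.

# apns_cert_status <pem-file> [warn-days]
# Prints one of: invalid | expired | renew-soon | ok
apns_cert_status() {
  local pem="$1" warn_days="${2:-30}"

  # A file openssl cannot parse as X.509 maps to "Invalid Certificate".
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo "invalid"; return 2
  fi
  # -checkend N exits non-zero when the certificate expires within N seconds,
  # so N=0 means the certificate has already expired.
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired"; return 1
  fi
  # Still valid, but inside the warning window: schedule the renewal now.
  if ! openssl x509 -in "$pem" -noout \
       -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
    echo "renew-soon"; return 1
  fi
  echo "ok"; return 0
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the Apple-issued PEM, valid for <days> days. The key is discarded.
make_sample_cert() {
  local out="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=constructed-apns-sample" \
    -keyout "$out.key" -out "$out" >/dev/null 2>&1
  rm -f "$out.key"
}

# Demo on constructed input (replace the path with your downloaded PEM).
demo_dir="$(mktemp -d)"
make_sample_cert "$demo_dir/sample.pem" 365
echo "sample.pem: $(apns_cert_status "$demo_dir/sample.pem" 30 || true)"
echo "notAfter:   $(openssl x509 -in "$demo_dir/sample.pem" -noout -enddate)"
```

The non-zero return codes let a scheduled job alert on anything other than `ok`, independently of the console's own Notifications.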