Apple Push Notification service (APNs) is the MDM protocol created by Apple to manage its devices. It requires the MDM provider to have a valid APNs certificate configured, and all commands are routed through Apple's central cloud messaging servers.

Initiating an APNs command involves the following:
  • When an iOS device is enrolled, an APNs token is generated that is tied to that specific device. The generated token is known to both the Workspace ONE UEM console and the APNs servers.
  • Once enrolled, a device always (connectivity permitting) maintains an active connection to Apple's APNs servers.
  • When a command is initiated in the UEM console (such as a profile push or a device lock command), the following steps occur:
    • An entry is stored in the Device Command Queue in the UEM database. The entry contains a specific ID that identifies the type of command initiated.
    • The UEM server (either the console or the device services server, depending on where the command originated) reaches out to the APNs servers with the APNs token tied to that specific device.
    • The APNs server validates the token and informs the device to connect to the MDM server to receive a command.
    • The device connects to the device services server. Upon establishing this connection, the device receives all pending commands from the Device Command Queue.

Apple Push Notification Service (APNs) Certificate

To manage iOS devices, you must first obtain an Apple Push Notification Service (APNs) certificate. An APNs certificate allows the UEM console to communicate securely with Apple devices and have them report information back to the UEM console.

Per Apple's Enterprise Developer Program, an APNs certificate is valid for one year and then must be renewed. The UEM console sends reminders through Notifications as the expiration date nears. Your current certificate is revoked when you renew from the Apple Development Portal, which prevents device management until you upload the new one. Plan to upload your certificate immediately after it is renewed. Consider using a different certificate for each environment if you use separate production and test environments.
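The following is an added example and is not Workspace ONE UEM or Apple code. It models, in a few toy classes, the two mechanisms described above: the command flow (a command is queued in the Device Command Queue, the UEM server pushes the device's APNs token to a stand-in APNs server, and the device then connects to device services and drains everything pending) and the APNs certificate gate (an expired or revoked certificate prevents pushes, so commands accumulate in the queue until a renewed certificate is uploaded). The class names, the `COMMAND_TYPES` IDs, the UDID and the certificate dates are constructed for the example; the only real library call is `ssl.cert_time_to_seconds`, which parses an OpenSSL-style `notAfter` string. Note that the push itself carries only the token, never the command content; commands travel only over the device's own connection to the MDM server.

```python
"""Toy model of the APNs-driven MDM command flow and the APNs certificate gate.
Added example; not Workspace ONE UEM or Apple code."""
from __future__ import annotations

import secrets
import ssl
from dataclasses import dataclass

# Command type -> ID stored in the Device Command Queue (constructed values).
COMMAND_TYPES = {"InstallProfile": 1, "DeviceLock": 2}


@dataclass
class ApnsCertificate:
    """APNs certificate as seen by the MDM provider (constructed model)."""
    not_after: str          # OpenSSL-style notAfter, e.g. "Jan 01 00:00:00 2030 GMT"
    revoked: bool = False   # renewing in the Apple portal revokes the old certificate

    def is_usable(self, now: float) -> bool:
        return not self.revoked and now < ssl.cert_time_to_seconds(self.not_after)

    def renewal_state(self, now: float, warn_days: int = 30) -> str:
        """'expired', 'expiring' (inside the reminder window) or 'ok'."""
        days_left = (ssl.cert_time_to_seconds(self.not_after) - now) / 86400
        if self.revoked or days_left <= 0:
            return "expired"
        return "expiring" if days_left <= warn_days else "ok"


class ApnsServer:
    """Stand-in for Apple's push service: a token identifies one connected device."""

    def __init__(self) -> None:
        self.tokens: dict[str, Device] = {}
        self.pushes: list[str] = []   # record of what was actually pushed (tokens only)

    def register(self, device: Device) -> str:
        token = secrets.token_hex(32)  # generated at enrollment, tied to this device
        self.tokens[token] = device
        return token

    def push(self, cert: ApnsCertificate, token: str, now: float) -> bool:
        if not cert.is_usable(now):     # expired/revoked APNs certificate: push refused
            return False
        device = self.tokens.get(token)
        if device is None:              # unknown token: nothing to wake
            return False
        self.pushes.append(token)       # the push carries no command content
        device.on_push()
        return True


class UemServer:
    """Stand-in for the UEM console / device services server."""

    def __init__(self, apns: ApnsServer, cert: ApnsCertificate) -> None:
        self.apns, self.cert = apns, cert
        self.command_queue: dict[str, list[dict]] = {}   # Device Command Queue per UDID
        self.tokens: dict[str, str] = {}                  # UDID -> APNs token

    def enroll(self, device: Device) -> None:
        self.tokens[device.udid] = self.apns.register(device)
        self.command_queue[device.udid] = []
        device.mdm = self

    def issue(self, udid: str, command_type: str, now: float, **params) -> bool:
        """Queue the command, then ask APNs to wake the device. Returns push result."""
        self.command_queue[udid].append(
            {"id": COMMAND_TYPES[command_type], "type": command_type, **params})
        return self.apns.push(self.cert, self.tokens[udid], now)

    def checkin(self, udid: str) -> list[dict]:
        """Device connected to device services: hand over everything pending."""
        pending, self.command_queue[udid] = self.command_queue[udid], []
        return pending


class Device:
    def __init__(self, udid: str) -> None:
        self.udid, self.mdm = udid, None
        self.executed: list[str] = []
        self.wakeups = 0

    def on_push(self) -> None:
        self.wakeups += 1
        for cmd in self.mdm.checkin(self.udid):   # fetch commands over the MDM channel
            self.executed.append(cmd["type"])


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the flow once and return the observable results."""
    cert = ApnsCertificate(not_after="Jan 01 00:00:00 2030 GMT")
    apns, dev = ApnsServer(), Device(udid="CONSTRUCTED-UDID-0001")
    uem = UemServer(apns, cert)
    uem.enroll(dev)
    ok1 = uem.issue(dev.udid, "InstallProfile", now, profile="wifi.mobileconfig")
    cert.revoked = True   # renewed in the Apple portal, new certificate not yet uploaded
    ok2 = uem.issue(dev.udid, "DeviceLock", now)
    ok3 = uem.issue(dev.udid, "InstallProfile", now, profile="vpn.mobileconfig")
    queued_while_revoked = len(uem.command_queue[dev.udid])
    uem.cert = ApnsCertificate(not_after="Jan 01 00:00:00 2031 GMT")  # renewed cert uploaded
    ok4 = uem.issue(dev.udid, "DeviceLock", now)
    return {"push_results": [ok1, ok2, ok3, ok4],
            "queued_while_revoked": queued_while_revoked,
            "executed": list(dev.executed), "wakeups": dev.wakeups,
            "pushes_carry_only_tokens": all(p in apns.tokens for p in apns.pushes)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first command delivered on the first push, two commands stuck in the queue while the certificate is revoked, and all three pending commands delivered on the single push that follows the upload of the renewed certificate; `renewal_state` gives the reminder status the console would surface.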