APNs Certificate Management
The Apple Push Notification service (APNs) certificate is the foundation of MDM communication. It allows GuardMDM to send commands, install profiles, and push updates to enrolled devices.
Certificate Lifecycle
| Stage | Description | Duration |
|---|---|---|
| Creation | Generated from Apple Developer account | ~10 minutes |
| Active | Used for all push notifications | 1 year |
| Renewal | Renewed before expiry | ~5 minutes |
| Expiry | Certificate expires, push stops | Immediate |
Viewing Certificate Status
- Go to Settings > APNs Certificate
- The status page shows:
  - Status: Valid, Expiring Soon, or Expired
  - Issued: Date the certificate was created
  - Expires: Expiration date
  - Subject: Organization name on the certificate
  - Fingerprint: SHA-1 hash of the certificate, for verification
Status Indicators
- Valid (green) — Certificate is active and working
- Expiring Soon (yellow) — Less than 30 days remaining
- Expired (red) — Certificate has expired, push is broken
Renewing a Certificate
Start renewal at least 30 days before expiry to avoid service disruption.
- Go to Settings > APNs Certificate
- Click Renew
- Download the Certificate Signing Request (CSR)
- Go to Apple Push Certificates Portal
- Sign in with your organization Apple ID
- Select the existing certificate and click Renew
- Upload the CSR
- Download the renewed certificate
- Return to GuardMDM and upload the renewed certificate
- Verify the status shows Valid
Renewal does not change the certificate's Subject or Topic — it only extends the expiry date. Devices do not need to be re-enrolled.
Replacing a Certificate
Replace a certificate when changing Apple IDs, organizations, or after a security incident.
- Go to Settings > APNs Certificate
- Click Replace
- Download the CSR
- Go to Apple Push Certificates Portal
- Create a new certificate with the CSR
- Download the new certificate
- Upload it to GuardMDM
- Confirm the new certificate is active
Replacing a certificate creates a new Topic. Devices enrolled under the old certificate will stop receiving push notifications. You may need to re-enroll affected devices.
Multiple APNs Certificates
GuardMDM supports multiple APNs certificates for:
- Multi-tenant setups — Each organization uses its own certificate
- Staging vs. Production — Separate certificates for test and live environments
- Mergers & Acquisitions — Keep legacy certificates active during transition
Managing Multiple Certificates
- Go to Settings > APNs Certificate
- All uploaded certificates are listed with their status
- The Active certificate is used for push notifications
- Switch the active certificate at any time
- Expired or replaced certificates can be removed
Certificate Expiry Monitoring
Dashboard Alerts
- A banner appears on the dashboard when a certificate is within 30 days of expiry
- The APNs Certificate page shows a countdown for each certificate
- Expired certificates trigger a critical alert
Email Notifications
Configure notification recipients:
- Go to Settings > Notifications
- Under Certificate Alerts, add email addresses
- Choose alert thresholds:
  - 30 days before expiry (warning)
  - 14 days before expiry (reminder)
  - 7 days before expiry (urgent)
  - On expiry (critical)
Webhook Alerts
For integration with monitoring systems:
- Go to Settings > Webhooks
- Add a webhook URL
- Select Certificate Expiry event
- GuardMDM sends a POST request with certificate details
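The following is an added example, not GuardMDM's own code or documentation, that ties together the status page (Valid / Expiring Soon / Expired, SHA-1 fingerprint) and the alert configuration above (30/14/7/0-day thresholds, Certificate Expiry webhook). It is stdlib-only Python. The webhook payload field names (`subject`, `expires`, `fingerprint`) and the use of a JSON body with an ISO date are assumptions; the page does not give GuardMDM's real schema. The sample certificate bytes are constructed and are not a real certificate.

```python
"""Added example: independent APNs certificate expiry checks and a
Certificate Expiry webhook receiver. Not GuardMDM code; payload field
names are assumed."""
import base64
import hashlib
import json
import ssl
from datetime import date
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Union

# Status threshold from the APNs Certificate page: "Expiring Soon" = < 30 days.
EXPIRING_SOON_DAYS = 30
# Email alert thresholds from Settings > Notifications, least to most severe.
ALERT_THRESHOLDS = [(30, "warning"), (14, "reminder"), (7, "urgent"), (0, "critical")]


def days_remaining(expires: date, today: date) -> int:
    return (expires - today).days


def classify_status(expires: date, today: date) -> str:
    """Return the status label the APNs Certificate page uses.
    Assumption: the expiry day itself is treated as Expired (conservative)."""
    d = days_remaining(expires, today)
    if d <= 0:
        return "Expired"
    if d < EXPIRING_SOON_DAYS:
        return "Expiring Soon"
    return "Valid"


def alert_level(d: int) -> Optional[str]:
    """Map days remaining onto the alert thresholds; None when no alert is due.
    The most severe threshold that has been crossed wins."""
    level = None
    for threshold, label in ALERT_THRESHOLDS:
        if d <= threshold:
            level = label
    return level


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def fingerprint_from_pem(pem: str) -> str:
    """SHA-1 fingerprint of a downloaded .pem, colon-separated upper-case hex,
    so it can be compared with the Fingerprint shown on the status page."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = sha1_hex(der).upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_webhook(body: bytes, today: Union[date, str, None] = None) -> dict:
    """Turn a Certificate Expiry POST into a monitoring event.
    ASSUMED payload: {"subject": ..., "expires": "YYYY-MM-DD", "fingerprint": ...}."""
    payload = json.loads(body)
    expires = date.fromisoformat(payload["expires"])
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    d = days_remaining(expires, today)
    return {
        "subject": payload.get("subject", "?"),
        "fingerprint": payload.get("fingerprint", "?"),
        "days_remaining": d,
        "status": classify_status(expires, today),
        "alert": alert_level(d),
    }


class ExpiryWebhookHandler(BaseHTTPRequestHandler):
    """Minimal receiver for the Certificate Expiry event; rejects malformed bodies."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            event = parse_webhook(self.rfile.read(length))
        except (ValueError, KeyError) as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(f"bad payload: {exc}".encode())
            return
        # Hand off to your monitoring system here; this example only logs it.
        self.log_message("APNs cert %s: %s, alert=%s, %d days left",
                         event["subject"], event["status"], event["alert"],
                         event["days_remaining"])
        self.send_response(204)
        self.end_headers()


# Constructed stand-in for a DER certificate (NOT a real certificate).
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded APNs certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("fingerprint of sample:", fingerprint_from_pem(SAMPLE_PEM))
    HTTPServer(("127.0.0.1", 8080), ExpiryWebhookHandler).serve_forever()
```

Run it and point a webhook at `http://127.0.0.1:8080/` to see events logged; compare the printed fingerprint of the file you uploaded with the one on the status page after each renewal. The page does not describe any signing or authentication of the webhook request, so keep the listener on a private interface or behind a gateway that authenticates the caller.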
What Happens When a Certificate Expires
- Devices already enrolled remain enrolled
- New push commands are not delivered
- Device check-in still works (device-initiated communication)
- Policy updates, remote wipe, and lock commands stop working
- Users see "Not managed" or lose access to managed apps
Fix: Renew the certificate and upload it. Push functionality resumes immediately.
APNs Certificate Expiry = Complete MDM Shutdown
The APNs certificate is GuardMDM's "lifeline." Once expired, the entire MDM system shuts down:
| Feature | Before Expiry | After Expiry |
|---|---|---|
| Remote Lock/Wipe | ✅ Working | ❌ Completely broken |
| Profile Push | ✅ Working | ❌ Cannot push |
| App Installation | ✅ Working | ❌ Cannot install |
| Device Enrollment | ✅ Working | ❌ New devices cannot enroll |
| Lost Mode | ✅ Working | ❌ Cannot enable |
| Device Status | ✅ Working | ❌ Devices show as Offline |
Recovery: Renew the certificate and upload it — push functionality resumes immediately. Commands queued during the outage are not automatically replayed.
Prevention:
- Set a calendar reminder 60 days before expiry
- Configure email alerts for all admins
- Keep the Apple ID used for certificate creation accessible
- Check certificate status weekly
Best Practices
- ✅ Set calendar reminders 60 days before expiry
- ✅ Configure email alerts for all admins
- ✅ Keep the Apple ID used for certificate creation accessible
- ✅ Test renewal in a staging environment first
- ✅ Monitor certificate status weekly
- ❌ Don't wait until the last week to renew
- ❌ Don't delete the old certificate until the new one is verified
- ❌ Don't share the Apple ID across unrelated organizations
