
APNs Certificate Management

The Apple Push Notification service (APNs) certificate is the foundation of MDM communication. It allows GuardMDM to send commands, install profiles, and push updates to enrolled devices.

Certificate Lifecycle

| Stage | Description | Duration |
|---|---|---|
| Creation | Issued by the Apple Push Certificates Portal from a CSR generated by GuardMDM | ~10 minutes |
| Active | Used for all push notifications | 1 year |
| Renewal | Renewed in the portal before expiry, using the same Apple ID that created it | ~5 minutes |
| Expiry | Certificate expires, push stops | Immediate |

Viewing Certificate Status

  1. Go to Settings > APNs Certificate
  2. The status page shows:
    • Status: Valid, Expiring Soon, or Expired
    • Issued: Date the certificate was created
    • Expires: Expiration date
    • Subject: Distinguished name on the certificate; the UID attribute is the push Topic (com.apple.mgmt.External.<uuid>) that enrolled devices are bound to
    • Fingerprint: SHA-1 hash of the certificate, for comparing against the file you uploaded

Status Indicators

  • Valid (green) — Certificate is active and working
  • Expiring Soon (yellow) — Less than 30 days remaining
  • Expired (red) — Certificate has expired, push is broken

Renewing a Certificate

Start renewal at least 30 days before expiry to avoid service disruption.

  1. Go to Settings > APNs Certificate
  2. Click Renew
  3. Download the Certificate Signing Request (CSR)
  4. Go to Apple Push Certificates Portal
  5. Sign in with the same Apple ID that created the certificate (the portal only lists certificates issued to that account, so renewal under a different Apple ID is not possible)
  6. Select the existing certificate and click Renew
  7. Upload the CSR
  8. Download the renewed certificate
  9. Return to GuardMDM and upload the renewed certificate
  10. Verify the status shows Valid

Renewal does not change the certificate's Subject or Topic — it only extends the expiry date. Devices do not need to be re-enrolled.
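
The status fields above and the renewal check can be reproduced outside the console with the openssl CLI. The following script is an added example, not GuardMDM code: it reads an exported push certificate (PEM) and prints the Topic, the SHA-1 fingerprint and the status indicator using the same 30-day threshold as the dashboard, and before you upload a renewed certificate it checks that the renewal keeps the old Topic (step 6) and matches the CSR downloaded in step 3. The Topic format com.apple.mgmt.External.<uuid> is Apple's; the function names, file names and the layout of the checks are assumptions.

```shell
#!/bin/sh
# Offline checks on an APNs push certificate exported from GuardMDM (PEM).
# Added example, not GuardMDM code. Requires only the openssl CLI; nothing
# here talks to Apple or to GuardMDM.

# Topic = the UID attribute of the certificate subject (com.apple.mgmt.External.<uuid>).
# RFC2253 output has no spaces around '=', so a plain sed capture is enough.
apns_cert_topic() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# SHA-1 fingerprint in the colon-separated form shown on the status page.
apns_cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Status indicator: Expired if notAfter is in the past, Expiring Soon if within
# 30 days, otherwise Valid. '-checkend N' exits non-zero when the certificate
# expires within N seconds, so no date parsing is needed.
apns_cert_status() {
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo "Expired"
  elif ! openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
    echo "Expiring Soon"
  else
    echo "Valid"
  fi
}

# Pre-upload check for a renewed certificate (old cert, renewed cert, the CSR
# you downloaded): same Topic as the certificate it replaces (otherwise enrolled
# devices lose push), public key matching the CSR, and a Valid status.
# Returns 0 when all checks pass, 1 otherwise.
apns_verify_renewal() {
  old="$1"; new="$2"; csr="$3"
  old_topic=$(apns_cert_topic "$old")
  new_topic=$(apns_cert_topic "$new")
  if [ -z "$new_topic" ] || [ "$old_topic" != "$new_topic" ]; then
    echo "Topic mismatch: old='$old_topic' new='$new_topic' (devices would need re-enrollment)" >&2
    return 1
  fi
  cert_pub=$(openssl x509 -in "$new" -noout -pubkey)
  csr_pub=$(openssl req -in "$csr" -noout -pubkey)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$csr_pub" ]; then
    echo "Public key in the renewed certificate does not match the CSR" >&2
    return 1
  fi
  if [ "$(apns_cert_status "$new")" != "Valid" ]; then
    echo "Renewed certificate is not Valid" >&2
    return 1
  fi
  echo "OK: topic $new_topic, fingerprint $(apns_cert_fingerprint "$new")"
  return 0
}
```

Run `apns_verify_renewal old.pem renewed.pem request.csr` before step 9; a non-zero exit means the file from the portal is not a renewal of the certificate GuardMDM is using and uploading it would behave like a replacement.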

Replacing a Certificate

Replace a certificate when changing Apple IDs or organizations, or after a security incident such as suspected exposure of the certificate's private key.

  1. Go to Settings > APNs Certificate
  2. Click Replace
  3. Download the CSR
  4. Go to Apple Push Certificates Portal
  5. Create a new certificate with the CSR
  6. Download the new certificate
  7. Upload it to GuardMDM
  8. Confirm the new certificate is active

Replacing a certificate creates a new Topic. Devices enrolled under the old certificate will stop receiving push notifications, because they are bound to the old Topic; to restore push they must be re-enrolled under the new certificate. Keep the old certificate uploaded until affected devices have been re-enrolled.

Multiple APNs Certificates

GuardMDM supports multiple APNs certificates for:

  • Multi-tenant setups — Each organization uses its own certificate
  • Staging vs. Production — Separate certificates for test and live environments
  • Mergers & Acquisitions — Keep legacy certificates active during transition

Managing Multiple Certificates

  1. Go to Settings > APNs Certificate
  2. All uploaded certificates are listed with their status
  3. The Active certificate is used for push notifications
  4. Switch the active certificate at any time; a device only receives push under the Topic it enrolled with, so switching to a certificate with a different Topic stops push to devices enrolled under the other one
  5. Expired or replaced certificates can be removed

Certificate Expiry Monitoring

Dashboard Alerts

  • A banner appears on the dashboard when a certificate is within 30 days of expiry
  • The APNs Certificate page shows a countdown for each certificate
  • Expired certificates trigger a critical alert

Email Notifications

Configure notification recipients:

  1. Go to Settings > Notifications
  2. Under Certificate Alerts, add email addresses
  3. Choose alert thresholds:
    • 30 days before expiry (warning)
    • 14 days before expiry (reminder)
    • 7 days before expiry (urgent)
    • On expiry (critical)

Webhook Alerts

For integration with monitoring systems:

  1. Go to Settings > Webhooks
  2. Add a webhook URL
  3. Select Certificate Expiry event
  4. GuardMDM sends a POST request with certificate details
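
The e-mail thresholds above can also be enforced from outside the product, which protects against the console's own recipients being wrong. The following cron-style monitor is an added example, not part of GuardMDM: it escalates through the same 30, 14, 7 and 0 day thresholds, fires each level once per certificate, starts over when the file contains a different certificate (a renewal changes the fingerprint), and optionally POSTs the alert to a webhook URL. The JSON payload shape, the state-file format and the function names are assumptions, not GuardMDM's webhook schema.

```shell
#!/bin/sh
# Daily monitor for an exported APNs push certificate (PEM). Added example,
# not GuardMDM code. Usage: apns_expiry_monitor CERT.pem STATEFILE [WEBHOOK_URL]

# Highest threshold crossed: critical (expired) > urgent (7d) > reminder (14d)
# > warning (30d) > ok. '-checkend N' fails when the cert expires within N seconds.
apns_alert_level() {
  for entry in critical:0 urgent:7 reminder:14 warning:30; do
    days=${entry##*:}
    if ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
      echo "${entry%%:*}"
      return 0
    fi
  done
  echo ok
}

# Numeric rank so levels can be compared; a lower level never re-fires.
apns_rank() {
  case "$1" in
    warning) echo 1 ;; reminder) echo 2 ;; urgent) echo 3 ;; critical) echo 4 ;; *) echo 0 ;;
  esac
}

# Prints the alert payload (assumed shape) when a higher level than previously
# recorded for this certificate is reached; prints nothing otherwise.
apns_expiry_monitor() {
  cert="$1"; state="$2"; hook="$3"
  fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha1 | sed 's/^.*=//')
  not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
  level=$(apns_alert_level "$cert")
  last=ok
  if [ -f "$state" ]; then
    # STATEFILE lines: "<sha1 fingerprint> <last level fired>". Keyed by
    # fingerprint so the history of an old certificate never suppresses
    # alerts for its renewal or replacement.
    prev=$(grep "^$fp " "$state" | tail -n 1 | cut -d' ' -f2)
    [ -n "$prev" ] && last=$prev
  fi
  if [ "$(apns_rank "$level")" -le "$(apns_rank "$last")" ]; then
    return 0
  fi
  payload=$(printf '{"event":"certificate_expiry","level":"%s","fingerprint":"%s","not_after":"%s"}' \
    "$level" "$fp" "$not_after")
  printf '%s %s\n' "$fp" "$level" >> "$state"
  echo "$payload"
  if [ -n "$hook" ]; then
    curl -fsS -X POST -H 'Content-Type: application/json' --data "$payload" "$hook" >/dev/null \
      || echo "webhook POST to $hook failed" >&2
  fi
  return 0
}
```

Schedule it once a day (for example `apns_expiry_monitor /etc/mdm/apns.pem /var/lib/mdm/apns.state https://alerts.example/hook`, paths assumed); because the state is keyed by fingerprint, uploading a renewed certificate silences the old escalation without any manual reset.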

What Happens When a Certificate Expires

  • Devices already enrolled remain enrolled
  • New push commands are not delivered
  • Device check-in still works, but only when the device initiates it; the server can no longer wake a device
  • Policy updates, remote wipe, and lock commands stop working
  • The device itself stays enrolled, but status-driven integrations may report it as "Not managed", and users can lose access to managed apps

APNs Certificate Expiry = Complete MDM Shutdown

The APNs certificate is the only channel through which GuardMDM can reach a device. Once it expires, every server-initiated operation stops; only device-initiated check-ins continue:

| Feature | Before Expiry | After Expiry |
|---|---|---|
| Remote Lock/Wipe | ✅ Working | ❌ Command cannot be delivered |
| Profile Push | ✅ Working | ❌ Cannot push |
| App Installation | ✅ Working | ❌ Cannot install |
| Device Enrollment | ✅ Working | ❌ New devices cannot enroll |
| Lost Mode | ✅ Working | ❌ Cannot enable |
| Device Status | ✅ Working | ❌ Devices show as Offline |

Recovery: Renew the certificate and upload it; push functionality resumes immediately. Commands queued during the outage are not automatically replayed, so re-issue any lock, wipe, or profile commands that were sent while the certificate was expired.

Best Practices

  • ✅ Set calendar reminders 60 days before expiry
  • ✅ Configure email alerts for all admins
  • ✅ Keep the Apple ID used for certificate creation accessible
  • ✅ Test renewal in a staging environment first
  • ✅ Monitor certificate status weekly
  • ❌ Don't wait until the last week to renew
  • ❌ Don't delete the old certificate until the new one is verified
  • ❌ Don't share the Apple ID across unrelated organizations

Released under the MIT License