Set Up APNs Push Certificate

What is APNs?

APNs (Apple Push Notification service) is Apple's infrastructure for delivering push notifications to iOS, iPadOS, and macOS devices. In the context of MDM, APNs is the communication channel that allows GuardMDM to send commands — such as lock, wipe, install apps, or push configuration profiles — to your devices.

Without APNs, GuardMDM cannot reach your devices. Devices check in with Apple's push service, and Apple routes the command from GuardMDM to the device. This means:

  • APNs is the foundation — without it, GuardMDM cannot communicate with devices at all.
  • Every MDM solution requires a valid APNs certificate to function.
  • The certificate ties your GuardMDM account to your organization's Apple services.

How GuardMDM Generates a CSR

Before you can create the APNs certificate in Apple's portal, GuardMDM generates a Certificate Signing Request (CSR) for you.

  1. Log in to your GuardMDM dashboard.
  2. Navigate to Settings > APNs Certificate.
  3. Click Generate CSR. GuardMDM creates a .csr file and downloads it to your machine.

This CSR contains your organization's public key and identifying information. Apple uses it to issue a certificate that is uniquely bound to your GuardMDM account.

Note: The private key never leaves GuardMDM — it is generated and stored securely on the server. You only upload the public-facing CSR to Apple.

Create the Certificate in Apple Push Certificates Portal

  1. Go to the Apple Push Certificates Portal.
  2. Sign in with your organization's Apple ID (typically your Apple Developer account).
  3. Click Create a Certificate.
  4. In the Upload CSR section, click Choose File and select the .csr file you downloaded from GuardMDM.
  5. Click Continue. Apple processes the request and generates your MDM push certificate.
  6. Click Download to save the certificate (.pem file) to your machine.

Upload the Certificate to GuardMDM

  1. Return to GuardMDM Settings > APNs Certificate.
  2. Click Upload Certificate.
  3. Select the .pem file you downloaded from Apple.
  4. Click Save.

GuardMDM validates the certificate and activates it. Once active, the dashboard shows a green status indicator.

Verify the Certificate is Active

After uploading, confirm the certificate is working:

  1. In GuardMDM, go to Settings > APNs Certificate.
  2. The status should display Active with a green checkmark.
  3. The certificate details — including the Issuer, Expiration Date, and Topic (your Apple Team ID) — are shown for reference.

If the status shows an error, double-check that you uploaded the correct .pem file and that it was generated from the CSR GuardMDM provided.

Certificate Expiry Monitoring

APNs certificates expire one year from the date of issue. GuardMDM monitors expiry and sends notifications before the certificate expires:

  • 30 days before expiry — Email notification to account administrators.
  • 14 days before expiry — Dashboard banner warning.
  • 7 days before expiry — Repeated email reminders until the certificate is renewed.

To renew, repeat the same process: generate a new CSR in GuardMDM, create a new certificate in the Apple Push Certificates Portal, and upload it. The renewal does not affect enrolled devices — the transition is seamless.

Important: If the certificate expires, GuardMDM loses all communication with your devices. Commands queued during the expiry period will fail. Set a calendar reminder for 11 months after issuance to renew well before the deadline.
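The two checks described above (that the uploaded .pem was issued from the CSR GuardMDM provided, and how close the certificate is to the 30/14/7-day reminder windows) can also be run locally. This is an added example, not GuardMDM's own code; it assumes the openssl CLI is installed and that both files are PEM-encoded, and the function names and stage labels are hypothetical.

```shell
#!/bin/sh
# Added example, not GuardMDM code. Assumes the openssl CLI is installed and
# that the .csr and .pem files are PEM-encoded (an assumption, not from the page).

# Exit 0 only if the certificate carries the same public key as the CSR,
# i.e. it was issued from that CSR. Exit 2 if either file cannot be parsed.
apns_cert_matches_csr() {   # usage: apns_cert_matches_csr request.csr cert.pem
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# True when the certificate expires within $2 days.
# (openssl's -checkend N exits non-zero if expiry falls within N seconds.)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print which of the page's reminder windows the certificate is in.
apns_expiry_stage() {       # usage: apns_expiry_stage cert.pem
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    if   expires_within "$1" 0;  then echo expired
    elif expires_within "$1" 7;  then echo reminder-7d   # repeated email reminders
    elif expires_within "$1" 14; then echo banner-14d    # dashboard banner
    elif expires_within "$1" 30; then echo email-30d     # first email notification
    else echo ok
    fi
}

# Constructed test data: writes a throwaway key, CSR and self-signed
# certificate valid for $2 days into directory $1. Not an Apple-issued cert.
make_sample() {             # usage: make_sample /tmp/dir 10
    openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/req.csr" -subj "/CN=constructed-sample" 2>/dev/null &&
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" \
        -days "$2" -out "$1/cert.pem" 2>/dev/null
}
```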

APNs Certificate Expiry = MDM Outage

The APNs certificate is GuardMDM's only communication channel to your devices. Once it expires:

  • All remote commands stop working — cannot lock, wipe, restart devices, or install profiles/apps
  • Devices show as Offline — the dashboard loses all device status updates
  • New devices cannot enroll — both OTA and ADE enrollment fail
  • Security policies cannot be pushed — passcode, restrictions, network config all stop
  • Lost Mode cannot be enabled — cannot locate or lock lost devices

Recovery: Push functionality resumes immediately after renewal. However, commands queued during the expiry period are not automatically retried — you must resend them manually.

Recommendation: Set a calendar reminder 60 days before expiry, and ensure the Apple ID used to create the certificate remains accessible.

Released under the MIT License