Troubleshooting

Device Not Enrolling

Symptom: Device shows "Unable to enroll" or sits at "Configuring..." indefinitely.

Likely cause: DEP profile not assigned, network blocks the MDM server, or device clock is wrong.

Solution: Verify the device is assigned to the correct MDM server in ABM/ASM. Check that port 443 is reachable to the MDM endpoint. Ensure the device time is synced (NTP). Re-assign the DEP profile and factory reset the device.

APNs Certificate Issues

Symptom: Devices fail to receive push commands; "APNs connection failed" in server logs.

Likely cause: APNs certificate has expired, the private key was lost, or the certificate was revoked.

Solution: Generate a new APNs certificate via the Apple Push Certificates Portal using the MDM CSR. Upload the new certificate to the MDM server. Verify the certificate's notAfter date — renew at least 30 days before expiry.

ABM Sync Failures

Symptom: New devices purchased in ABM/ASM do not appear in the MDM console.

Likely cause: ABM token expired, the sync schedule is not running, or the MDM server was removed from ABM.

Solution: Re-authenticate the ABM/ASM connection in the MDM console. Check the ABM portal to confirm the MDM server is still listed. Trigger a manual sync. Verify the token's expiration date.

Blueprint Not Applying

Symptom: Device enrolled but does not receive the expected configuration, apps, or restrictions.

Likely cause: Blueprint not assigned to the device, assignment rules not matching, or the blueprint is in draft/inactive state.

Solution: Confirm the device is in the correct assignment group. Check that the blueprint is published (not draft). Review blueprint assignment rules for conflicts. Force a sync from the device detail page.

VPP Token Expired

Symptom: App installation or license assignment fails; "VPP token invalid" error.

Likely cause: The Volume Purchase Program (VPP/ABM Apps & Books) token has expired.

Solution: Renew the token in Apple Business Manager (Settings > Apps & Books). Upload the new token to the MDM console. Re-assign app licenses if needed. Set a calendar reminder to renew before the 180-day expiry.

Device Showing Offline

Symptom: Device status is "Offline" in the console; commands are queued but not delivered.

Likely cause: Device is powered off, not connected to a network, or the MDM profile was removed.

Solution: Ask the user to power on the device and connect to Wi-Fi/cellular. If the MDM profile was removed, re-enroll via DEP (factory reset) or re-install the enrollment profile manually. Check if the device was wiped or decommissioned.

Command Failed

Symptom: A specific MDM command (e.g., InstallApp, EraseDevice, Settings) shows "Error" or "Failed" status.

Likely cause: Device rejected the command (e.g., app not compatible, passcode required, restriction in place).

Solution: Review the command error payload in the console logs. Common fixes: ensure the device meets the app's minimum OS version, remove conflicting restrictions, or have the user enter their passcode. Re-issue the command after resolving the blocker.

Push Notification Issues

Symptom: Commands are queued for hours; device does not respond to pushes.

Likely cause: APNs certificate problem, device is in Airplane Mode, or the MDM push topic is misconfigured.

Solution: Verify the APNs certificate is valid and the push topic matches the device's enrollment topic. Check that the device can reach the APNs servers (port 5223). Ask the user to disable Airplane Mode and check connectivity. Re-send a test push from the console.

Certificate Expiry

Symptom: Enrollment fails for new devices; existing devices show "Profile verification failed."

Likely cause: The MDM push certificate, SSL certificate, or identity certificate has expired.

Solution: Check all certificate expiry dates: APNs push cert, web server SSL cert, and CA-issued identity certs. Renew each through the appropriate portal. Update the MDM server configuration with renewed certificates. Monitor expiry dates with a 30-day warning threshold.
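One way to apply the 30-day warning threshold, as an added example that is not part of the MDM product: it takes the `notAfter=` line that `openssl x509 -noout -enddate` prints for each certificate and sorts the inventory by urgency. The certificate names, dates and the `fetch_not_after` helper are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # the 30-day warning threshold described above

def parse_enddate(text):
    """Accept `openssl x509 -noout -enddate` output or a bare notAfter string."""
    value = text.strip().split("=", 1)[-1]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def classify(not_after, now, warn_days=WARN_DAYS):
    """EXPIRED if past notAfter, RENEW if inside the warning window, else OK."""
    if not_after <= now:
        return "EXPIRED"
    if not_after - now <= timedelta(days=warn_days):
        return "RENEW"
    return "OK"

def report(inventory, now):
    """Return (name, status, whole days left) tuples, soonest expiry first."""
    rows = []
    for name, enddate in inventory.items():
        not_after = parse_enddate(enddate)
        rows.append((name, classify(not_after, now), (not_after - now).days))
    return sorted(rows, key=lambda row: row[2])

def fetch_not_after(host, port=443, timeout=5):
    """Read notAfter from a live TLS endpoint (the web server SSL cert).
    An already-expired certificate fails the handshake with
    ssl.SSLCertVerificationError, which is itself the alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_enddate(tls.getpeercert()["notAfter"])

# Constructed sample inventory: names and dates are illustrative only.
SAMPLE = {
    "apns-push": "notAfter=Mar 10 00:00:00 2025 GMT",
    "web-ssl": "notAfter=Dec  1 12:00:00 2025 GMT",
    "identity-ca": "notAfter=Jan 15 08:30:00 2025 GMT",
}
SAMPLE_NOW = datetime(2025, 2, 20, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for name, status, days in report(SAMPLE, SAMPLE_NOW):
        print(f"{name:12} {status:8} {days:4d} days")
```

In a scheduled job, pass `datetime.now(timezone.utc)` as `now` and alert on any row whose status is not `OK`.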

Released under the MIT License