Description
When renewing the APNs Certificate, if an incorrect certificate was downloaded from the Apple Push Portal, Jamf School will reject the certificate with a Topic ID Mismatch error.
This guide details the steps to take in the renewal process with some checks to verify that the correct Certificate is being used, as well as some tips and tricks for locating the correct certificate.
Important Note: The APNs Certificate must always be renewed with the same Apple Account.
Part 1: Preparing to Renew the Push Certificate again
Delete any existing CSR and APNs (.pem) certificates from the computer we are renewing this certificate on to ensure we are using the newest downloaded items.
In Jamf School go to Organization > Settings > Apple Push Notification Service.
Note the "Push Topic", "Serial Number", and "Apple Account" listed for this certificate.
The Apple Account that owns the APNs Certificate is not contained within the Certificate itself, so this information would have been manually entered when the Push Certificate was initially created.
If the Certificate was migrated to a different Apple Account at any point, or this information was not entered correctly, this Apple Account may not be the Apple Account that owns the Matching Certificate.
You can also check for the topic on managed devices communicating with Jamf School.
iOS: Settings > General > Device Management > Mobile Device Management (Jamf School MDM Profile) > More Details > Mobile Device Management (Enrollment) > Topic.
macOS: The path to the MDM profile depends on the macOS version of the computer.
macOS 12 or earlier: System Preferences > Profiles > Jamf School MDM Profile > Mobile Device Management > Topic.
macOS 13.x and 14.x: System Settings > Privacy and Security > Profiles > Jamf School MDM Profile > Mobile Device Management > Topic.
macOS 15 or later: System Settings > General > Device Management > Jamf School MDM Profile > Mobile Device Management > Topic.
Part 2: Download the Certificate Signing Request
Use the steps below to download the Certificate Signing Request (CSR) to upload to the Apple Push Portal in a later step.
In Jamf School on the Apple Push Notification Service page, select Renew Push Certificate.
Click Download Certificate Signing Request.
Part 3: Renew the certificate in the Push Portal
Select the Apple Push Certificate Portal link or navigate to https://identity.apple.com/pushcert/ and log in with the Apple Account noted in Part 1.
There should already be a certificate listed. If there is not a certificate listed, this Apple Account does not own the original Certificate. Try logging in to the Apple Push Certificate portal with all other known Apple Accounts.
Verify the Matching Push Topic from Part 1.
In the Apple Push Portal select the Info (i) option next to renew for the listed Certificate.
The Push Topic in Jamf School should match the UID listed here.
If this does not match what is listed in Jamf School, this is not the correct Certificate and you should try logging in to the Apple Push Certificate portal with all other known Apple Accounts or see the Tips and Tricks below.
Select Renew for the Matching Certificate.
Click Choose File, select the CSR downloaded in Part 2, and click Upload.
Click Download.
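Before moving on to the upload, the downloaded .pem can be checked locally against the Push Topic noted in Part 1. The script below is an added example, not part of the original guide or a Jamf tool; it assumes openssl is installed, and the function names and the all-zero topic in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the UID in a downloaded APNs certificate with the
# Push Topic shown in Jamf School before uploading the certificate.

# Print the UID attribute of the certificate subject (empty if absent).
apns_cert_uid() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^UID=//p' | head -n 1
}

# Return 0 on a match, 1 on a topic mismatch, 2 if the file is unusable.
check_apns_topic() {
    pem=$1
    expected=$2
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    uid=$(apns_cert_uid "$pem")
    [ -n "$uid" ] || { echo "no UID found in subject of $pem" >&2; return 2; }
    echo "certificate UID: $uid"
    # Serial and expiry are printed for the administrator's records only.
    openssl x509 -in "$pem" -noout -serial -enddate
    if [ "$uid" = "$expected" ]; then
        echo "MATCH: UID equals the Push Topic"
        return 0
    fi
    echo "MISMATCH: Jamf School lists $expected" >&2
    return 1
}

# Constructed sample input: a self-signed stand-in whose subject carries a
# UID, so the check can be tried without a real Apple-issued certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/UID=$1/CN=Constructed sample/C=US" \
        -keyout "$2.key" -out "$2" 2>/dev/null
    rm -f "$2.key"
}

# Usage: sh check_topic.sh <downloaded.pem> <Push Topic from Jamf School>
if [ "$#" -eq 2 ]; then
    check_apns_topic "$1" "$2"
fi
```

A mismatch here means the certificate was renewed from the wrong entry or Apple Account, which is the condition Jamf School reports as a Topic ID Mismatch.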
Part 4: Upload the Certificate into Jamf School
In Jamf School go to Organization > Settings > Apple Push Notification Service > Renew Push Certificate.
Drag/select the APNs Certificate downloaded in Part 3 to the text box.
Click Apply.
Updating the Apple Account listed in Apple Push Notification Service
If the Apple Account currently listed in Jamf School does not match the Apple Account that we determined owns the existing Certificate, this can be changed from Jamf School.
In Jamf School go to Organization > Settings > Apple Push Notification Service and click Edit Apple ID.
Enter the correct Apple Account used in the Push Portal and click Apply.
Tips and Tricks to Locate the Apple Account That Owns the Certificate
It is essential to find the original Apple Account and certificate. If a certificate is uploaded to Jamf School that does not match what is on currently enrolled devices, those devices would need to be re-enrolled to communicate with Jamf School.
We can use the steps below to try and locate the correct Apple Account and certificate.
Check for any emails from Apple about the Certificate expiring. These are sent 30 days before expiry.
Use "What" to filter the Audit Log (under Organization > Audit Log) entries for: Renew Apple Push Certificate, Edited Push Certificate Apple Account, and/or Upload Apple Push Certificate within setup.
Note the Apple Account that is listed on these expanded entries and the administrators who renewed to determine which Apple Account they used.
If the Matching certificate cannot be located, Apple Support may be able to transfer ownership of the Certificate to a known Apple Account. Find the correct number for your region here. You will need the Serial Number and Topic ID of the existing certificate in Jamf School.