Description
Your Apple Push Notification service (APNs) certificate, also known as the Push Certificate, has to be renewed yearly for managed devices to communicate with Jamf Pro.
This article provides steps to renew the certificate along with specific callouts and troubleshooting steps to make sure devices stay communicating with Jamf Pro.
Creating a new certificate will lead to existing enrolled devices losing communication with Jamf Pro! We need to follow the steps below to locate the original certificate if possible.
Saving the Topic Bundle Identifier of the Certificate
In Jamf Pro, go to Settings > Global > Push Certificates and click on MDM Push Notification Certificate.
Take a note or screenshot of the topic bundle identifier shown in Jamf Pro.
Getting a Signed CSR for the Push Portal
In Jamf Pro, under Settings > Global > Push Certificates > MDM Push Notification Certificate, click Renew in the bottom-right corner of the page.
On the 'Choose an Option' screen, choose Download signed CSR from Jamf and click Next. A "JAMFSignedCSR.plist" file will automatically download, click Next.
If this option is greyed out or the file does not download, click the arrow on the left to expand directions to sign the CSR in Jamf Account.
If this option is greyed out or the file does not download, click the arrow on the left to expand directions to sign the CSR in Jamf Account.
Select the option to Download CSR and sign later using Jamf Account and click Next in the bottom-right corner.
Save the CSR to a location on your computer you will find it easily.
Click Next in Jamf Pro.
You will now see a page with instructions for signing the CSR in Jamf Account. Those steps are also listed below.
Open another tab or window and go to https://account.jamf.com/products/jamf-pro/csr-signer.
Do not exit Jamf Pro or click into a different page in Jamf Pro.
Upload the unsigned CSR.
Click Sign CSR. A signed CSR will download that you can now use in the Apple Push Portal to renew your certificate.
Uploading the Signed CSR in the Apple Push Certificate Portal
Once we have a signed CSR, either from Jamf Pro or from Jamf Account, we can upload it to the Push Portal to get our renewed certificate for Jamf Pro.
Click on the Apple Push Certificate Portal link in Jamf Pro and a new tab should open, or navigate to https://identity.apple.com/pushcert in a new tab.
Leave the Jamf Pro tab open. If you leave the renewal workflow, you will have to start over and download another new CSR.
Login with the same Apple Account that was used to create the MDM Push Certificate.
We need to confirm that we have the correct Apple Account with the same certificate that is in Jamf Pro. If we aren't in the right account, follow the steps in Finding the Apple Account used for Push Certificate creation.
If logging in you see "Get started" (as seen in the screenshot below), it is not the correct Apple Account and we will need to try another.
If you see the certificate listed, click on the blue i icon to verify the Subject DN matches the topic bundle identifier saved above.
Once you are sure you have the correct certificate, click Renew.
Click Choose File and select the signed "JAMFSignedCSR.plist" file. Click Upload.
Click Download.
Uploading the renewed Certificate to Jamf Pro
Return to the Jamf Pro tab. If on the 'Create the Push Certificate' screen click Next.
Click Upload to complete the renewal process by uploading the new MDM Push Certificate.
Click Save.
If you see a warning about the certificate not matching - stop immediately. Do not complete the process. We need to find and renew the correct certificate!
Follow the steps in Finding the Apple Account used for Push Certificate creation.
More Resources
For a video walk-though, see How to Renew a Push Certificate in Jamf Pro.
For more information on the MDM Push Notification Certificate, see Push Certificates in the Jamf Pro Documentation.