Description
Only one APNs certificate can be uploaded in an MDM server at a time. Communication issues will arise if a different APNs certificate is uploaded to Jamf Now instead of renewing the initial certificate; devices enrolled with the initial APNs certificate will not be able to communicate with Jamf Now.
If there is a mixture of devices enrolled on different certificates, only one of those certificates can be used moving forward and devices using the other certificates will need to be re-enrolled. The steps below will help guide the re-enrollment process.
A. Locate and verify the previous APNs certificate
Log into the APNs portal using any Apple Account that could have been used to upload the APNs certificate into Jamf Now. You may need to log into several different Apple Accounts if you don't recall which one was used to create the original APNs certificate.
Once logged in, take note of which APNs certificates exist for that Apple Account. APNs certificates cannot be fully deleted, so if you do not see any existing APNs certificates after logging in, that indicates the Apple Account was not used to create the APNs certificate.
To validate whether the APNs certificate was uploaded at the time of device enrollment, compare the Topic value on the Enrollment/MDM profile with the APSP value displayed in the APNs portal:
To check devices, see Finding APNs Topics on Jamf Now Enrollment Profiles.
The APSP value of the APNs certificate can be located by clicking the "i" button next to the APNs certificate.
If the Topic value on the device matches the APSP value in the APNs portal, that confirms the APNs certificate was uploaded into Jamf Now and used when the device enrolled into Jamf Now.
B. Identify devices using new/old certificates
1. From the Jamf Now dashboard (or Devices tab) click the ... button in the upper-right corner.
2. Select Export device data.
3. Choose Device Type All and click Download CSV File.
4. Open the CSV and sort the data by the Enrolled on column to differentiate devices enrolled with the two different APNs certificates.
C. Take action
If we only have access to the current APNs certificate or cannot locate the original APNs cert used:
The only option is to keep using the current APNs cert moving forward.
All devices using the original APNs certificate in the CSV file must be re-enrolled.
Re-enrollment methods depend on the initial enrollment method (shown in the CSV):
Auto-Enrollment: requires devices to be erased in order to remove the previous MDM profile. Devices will re-enroll through Setup Assistant if they show under Auto-Enrollment > View Devices. Ensure the device record is also removed via the Remove from my Devices button found under the device record prior to re-enrollment.
Open Enrollment: remove the MDM profile manually from the device, delete the device record via the Remove from my Devices button found under the device record, then re-enroll using Open Enrollment again.
If we have access to both APNs certs:
Decide which APNs certificate you want to use moving forward. Typically this will be the APNs cert that has the most devices associated with it.
Note: devices that haven't communicated in 6–12 months may not be able to regain device communication even if the original APNs cert is renewed and uploaded.
Once it has been decided which APNs certificate will be used moving forward, devices using the other certificate need to be re-enrolled. Re-enrollment methods depend on the initial enrollment method (shown in the CSV) and OS type:
Open Enrollment: remove the MDM profile manually from the device then re-enroll using Open Enrollment again.
Auto-Enrollment:
iOS/iPadOS: requires devices to be erased in order to remove the previous MDM profile and re-enroll via Auto-Enrollment. Devices will re-enroll going through the setup assistant if they show under Auto-Enrollment > View Devices.
macOS: if the device can communicate with Jamf Now, send the Unenroll device command and then re-enroll following the steps in the Jamf Now documentation. If the device cannot communicate with Jamf Now, follow Re-establish MDM communication with a non-communicating auto-enrolled Mac in Jamf Now.
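The triage in sections B and C can be scripted against the exported CSV: split devices by the Enrolled on date relative to the day the second APNs certificate was uploaded, then map each device that must be re-enrolled to the action above. This is an added example, not Jamf Now code; the CSV column names and the sample rows are constructed assumptions, so adjust them to match your real export.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Real Jamf Now column names may differ (assumption).
SAMPLE_CSV = """Name,OS,Enrollment Method,Enrolled on
Mac-01,macOS,Auto-Enrollment,2023-02-10
iPad-07,iPadOS,Auto-Enrollment,2023-05-01
iPhone-12,iOS,Open Enrollment,2024-01-15
Mac-02,macOS,Open Enrollment,2024-03-02
"""

# Assumed date the replacement APNs certificate was uploaded into Jamf Now.
NEW_CERT_UPLOADED = datetime(2023, 12, 1)


def parse_export(text):
    """Read the CSV and sort by Enrolled on, as section B describes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["enrolled"] = datetime.strptime(r["Enrolled on"], "%Y-%m-%d")
    return sorted(rows, key=lambda r: r["enrolled"])


def split_by_certificate(rows, cutover):
    """Devices enrolled before the cutover used the original certificate."""
    original = [r for r in rows if r["enrolled"] < cutover]
    current = [r for r in rows if r["enrolled"] >= cutover]
    return original, current


def remediation(row):
    """Map enrollment method and OS to the re-enrollment path in section C."""
    if row["Enrollment Method"] == "Open Enrollment":
        return "remove MDM profile, delete device record, re-enroll via Open Enrollment"
    if row["OS"] == "macOS":
        return "send Unenroll device (or non-communicating Mac procedure), then re-enroll"
    return "erase device, Remove from my Devices, re-enroll via Auto-Enrollment"


def plan(text, cutover, keep="current"):
    """Return (device name, action) for every device that must be re-enrolled."""
    original, current = split_by_certificate(parse_export(text), cutover)
    to_reenroll = original if keep == "current" else current
    return [(r["Name"], remediation(r)) for r in to_reenroll]


if __name__ == "__main__":
    for name, action in plan(SAMPLE_CSV, NEW_CERT_UPLOADED):
        print(f"{name}: {action}")
```

Set keep="original" if you decide to keep the original certificate; the devices enrolled after the cutover are then the ones to re-enroll.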
Pro tip – It is possible to work with Jamf Support to flip back and forth with the uploaded APNs cert to temporarily regain MDM communication with the different device groups. For example, you can:
Temporarily upload an alternative APNs cert in Jamf Now and see if devices check-in.
For devices that do check-in and were auto-enrolled: Send unenroll commands to Macs or send erase device commands to iOS devices.
Upload the APNs certificate you want to use moving forward.
Re-enroll devices.
D. Verify all devices are checking in
The process is complete once all devices are enrolled using the same APNs certificate (whether it's the original APNs cert or the newly created APNs cert). We should now see all devices communicating with Jamf Now if they are powered on and have a network connection (and for macOS the user with the Enrollment/MDM profile is logged in).