Generating and Renewing an APNs Certificate for AirWatch

Overview

Administrators of iOS devices must generate and upload an Apple Push Notification service (APNs) certificate in order to manage iOS devices. This guide shows iOS administrators how to quickly and easily complete this process by breaking it down into a few simple steps.

 

What is an APNs Certificate?

The Apple Push Notification service (APNs) allows AirWatch to communicate securely with the smart device fleet over the air. AirWatch uses the APNs certificate to send notifications to devices when the administrator requests information or during a defined monitoring schedule. No data is sent through the APNs server, only the notification.


Generating an APNs Certificate for MDM

NOTE: If you are looking to renew an expiring APNs certificate, follow the process outlined in the Renewing an APNs Certificate section below.  Generating an APNs certificate should only be used for initial setups.  If a new APNs certificate is generated from scratch, all previously enrolled devices must be re-enrolled to become managed.

Generating the APNs certificate is a three-step process:

  • Download the AirWatch-signed CSR from the AirWatch Admin Console.
  • Upload the AirWatch-signed CSR to the Apple Push Certificate Portal.
  • Download the Apple-signed certificate (.pem) from the Apple Push Certificate Portal.
  • Upload the APNs Certificate into AirWatch.

The process for generating an APNs certificate requires the following:

  • Safari, Firefox, or Chrome web browser. (Internet Explorer is not supported.) Make sure to work through all of the steps in this guide using the same browser session. The APNs generation process with Apple includes time-based and browser-based credentials for security purposes. This mandates going through all the steps below on the same browser session from start to finish to avoid any security or session related errors.  If one browser does not generate the certificate, try a different browser, but make sure to re-do/complete all of the steps in one session.

 

Generating an APNs Certificate

IMPORTANT: To perform this task, ensure your AirWatch Admin Account has access to the highest AirWatch Organization Group. The best practice is to complete the process at the Customer Organization Group level. If your Admin Account does not have access to the highest Organization Group, you may not be able to access the necessary settings.

Downloading the AirWatch-Signed CSR from the AirWatch Admin Console

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs For MDM.

  2. Click Override, if necessary, to make changes.

  3. Click Generate New Certificate.

  4. Follow the prompts on the screen and then select the links to view the instructions and download the AirWatch Certificate request. When finished, click Go To Apple.

 

Uploading the AirWatch-Signed CSR to the Apple Push Certificate Portal

  1. Sign in to the Apple Push Certificates Portal website using a valid Apple ID and password.

    If the Go To Apple button fails to direct you to the portal, open a new tab and navigate to:  https://identity.apple.com/pushcert/
    Note: An Apple Developer Account is not required for sign in. While any valid Apple ID will work, we recommend you create a separate Apple ID linked to your corporate email account for long-term management.
  2. Sign in using a valid Apple ID and password.

  3. Click Create a Certificate.
  4. Select the I have read and agree to these terms and conditions checkbox.
  5. Click Accept.
  6. Click Choose File and navigate to the AirWatch-signed CSR downloaded from the AirWatch Console. Look for the certificate named: MDM_APNsRequest.plist.
  7. Click Upload. A new certificate for AirWatch MDM displays.
  8. Click Download and save the Apple-signed certificate to an accessible location.

    Note: The document must be in .pem file format.

Uploading the APNs Certificate to AirWatch

  1. Return to the AirWatch Admin Console and click Next.
  2. Upload the recently downloaded Apple-signed certificate (.pem file) to AirWatch. Enter the Apple ID used to sign in to the Apple Push Certificates Portal website previously.
  3. Click Next.
  4. When prompted, enter the security PIN. Now the new APNs certificate has been saved in AirWatch.
    Note: When generating and renewing at a top-level Organization Group, set child groups to inherit or override settings and click Save.

 

Renewing an APNs Certificate

One year after you generated your APNs certificate for MDM, you must renew the certificate in order to continue managing iOS devices.

IMPORTANT: To perform this task, ensure your AirWatch Admin Account has access to the highest AirWatch Organization Group. Also, you must perform this task at the Organization Group level where the certificate was originally loaded. If your Admin Account does not have access to the highest Organization Group you may not be able to access the necessary settings.

Renewing Your APNs Certificate from the Apple Push Certificate Portal

IMPORTANT: You must renew the certificate with the same Apple ID credentials used to get the original certificate. It is also important to renew the same certificate originally uploaded in the console.

If you use different credentials or renew a different certificate, you are not renewing the certificate but generating a new certificate. When you apply this new certificate to the AirWatch Admin Console, the communication breaks between the AirWatch Admin Console and the iOS devices associated with the original certificate. If this happens, you must then re-enroll every iOS device associated with the original certificate. Using the same Apple ID credentials and certificate for renewal saves the effort of having to re-enroll all your iOS devices.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs For MDM.
  2. Click Renew.
  3. Follow the prompts on the screen to view the instructions and then click to download the AirWatch Certificate request.
  4. Click Go To Apple.
  5. Sign in using the same Apple ID used to sign in to the Apple Push Certificates Portal website previously.
  6. Find the certificate with the UID that matches the UID in the certificate that is being renewed.
  7. Click Renew to update the certificate due to expire.
  8. Click Choose File.
  9. Navigate to the .plist file and click Open.
  10. Click Upload.
  11. Click Download to retrieve the new certificate. Although this is a renewed certificate, it displays as if it is a new certificate in the Apple Certificate Portal and you should now work with this version.
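
The UID match from step 6, and the warning above about renewing a different certificate, can be checked locally before the renewed file is uploaded. The script below is an added example and not part of the original AirWatch guide; it assumes openssl is installed, that the previously uploaded certificate is still available as a .pem file, and that the UID is carried in the certificate subject. The sample UIDs and dates are constructed.

```bash
#!/usr/bin/env bash
# Added example: check that a renewed APNs .pem keeps the UID of the old one.

# Subject (RFC 2253 form) and expiry of a PEM certificate, via openssl.
cert_info() {
  openssl x509 -in "$1" -noout -subject -enddate -nameopt RFC2253
}

# Read cert_info-style text on stdin, print the UID attribute of the subject.
uid_of() {
  sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^ *UID *= *//p' | head -n 1
}

# Read cert_info-style text on stdin, print the notAfter (expiry) value.
not_after_of() {
  sed -n 's/^notAfter=//p' | head -n 1
}

# Succeed only when both inputs carry a UID and the two UIDs are identical.
same_uid() {
  old_uid=$(printf '%s\n' "$1" | uid_of)
  new_uid=$(printf '%s\n' "$2" | uid_of)
  [ -n "$old_uid" ] && [ "$old_uid" = "$new_uid" ]
}

# Constructed sample data (not real certificates): the old certificate, a
# true renewal (same UID, later expiry) and a freshly generated certificate.
OLD_INFO='subject=C=US,CN=APSP:11111111-2222-3333-4444-555555555555,UID=com.apple.mgmt.External.11111111-2222-3333-4444-555555555555
notAfter=Mar  1 12:00:00 2024 GMT'
RENEWED_INFO='subject=C=US,CN=APSP:11111111-2222-3333-4444-555555555555,UID=com.apple.mgmt.External.11111111-2222-3333-4444-555555555555
notAfter=Mar  1 12:00:00 2025 GMT'
FRESH_INFO='subject=C=US,CN=APSP:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,UID=com.apple.mgmt.External.aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
notAfter=Mar  1 12:00:00 2025 GMT'

# Usage: ./check_apns_renewal.sh old.pem renewed.pem  (hypothetical file names)
if [ "$#" -eq 2 ]; then
  old=$(cert_info "$1") && new=$(cert_info "$2") || exit 2
  if same_uid "$old" "$new"; then
    echo "OK: UID unchanged; new expiry: $(printf '%s\n' "$new" | not_after_of)"
  else
    echo "MISMATCH: UIDs differ; this file is a new certificate, not a renewal" >&2
    exit 1
  fi
fi
```

A mismatch means the downloaded file is a new certificate rather than a renewal, which is the case that forces re-enrollment of every iOS device.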

Entering the Certificate into the AirWatch Admin Console

  1. Return to the AirWatch Admin Console and click Next.
  2. Upload the Apple-signed certificate (.pem file) to AirWatch. Enter the same Apple ID used to sign in to the Apple Push Certificates Portal website previously.
  3. Click Next.
  4. When prompted, enter the security PIN. Now the new APNs certificate has been saved in AirWatch.
    Note: When generating and renewing at a top-level Organization Group, set child groups to inherit or override settings and click Save.

 
