MDM 101: Apple Push Notification Certificate
The first step in setting up any MDM with iOS devices is (you guessed it), the APNC — Apple Push Notification Certificate (what a mouthful). The APNC is a key building block that enables MDM enrollment of iOS devices. It is a requirement for both Supervised and Non-Supervised enrollment. For those unfamiliar, it is created by signing into Apple’s Push Certificate Portal with an Apple ID and uploading a file pulled from the MDM. That certificate is then downloaded and uploaded back into the MDM.
Seems simple enough, right? What could go wrong?
Apple has hidden an atom bomb in the process. The APNC must be renewed annually with the same Apple ID. If the original Apple ID is no longer available and a new one is used instead, then the connection between all currently enrolled devices and the MDM will be broken. All devices will need to be factory reset and re-enrolled to be managed again.
Unsuspecting admins might choose to use a personal or direct company email Apple ID for the APNC, which seems fine in theory, but could lead to serious complications down the road. If that admin leaves and the new admin did not preserve access to their credential (switching over the MFA), then the new admin will have a serious project on their hands right out of the gate.
We typically see folks utilize a shared admin credential — something like firstname.lastname@example.org. The thing is, if your APNC is made with a user’s individual Apple ID, then you need to make sure that the credentials and the corresponding MFA always remain within the organization. That said, we did find one workaround for MFA with Apple IDs. You can add more than one phone number for MFA, but it can only be added from an iPhone or iPad. As of iOS 14, the process is as follows:
1. Settings > Sign into the Apple ID if you are not already signed in >
2. Password & Security > Edit >
3. Add a Trusted Phone Number >
4. Type phone number > Send >
5. Complete MFA prompt.
Oddly enough, this cannot be completed on iCloud.com. It must be done directly on an iPhone/iPad. Once the phone number is added, we recommend removing the Apple ID from the device so that MFA prompts go to the added phone number via SMS and not, via push notification, to the phone that has the Apple ID signed in. This workaround is relevant both for folks who have a shared mdmadmin credential and for those who are preserving access to a previous employee’s Apple ID.
If you are in this unfortunate scenario (stuck with a previous employee’s Apple ID), there is hope! As long as you catch it before the APNC expires, Apple can change the email associated with the Apple ID that is tied to it. You will need to call in to submit a ticket; they will require the serial number for the APNC and will go through a verification process. We definitely recommend taking care of this proactively if your APNC is set up with someone’s direct email; you do not want to get stuck with a huge project if they leave and it then expires.
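Catching the expiry in time is the whole game, so here is a small added example (not from the original post) that reads the push certificate you downloaded from Apple's portal with openssl, prints its subject and notAfter date, and returns non-zero when fewer than a chosen number of days remain, which is easy to drop into a cron job or monitoring check. The certificate path and the 30-day default threshold are assumptions; the self-signed sample cert is constructed purely so the script can be exercised offline.

```bash
#!/bin/sh
# Added example: report and check the expiry of an MDM push certificate (PEM).
# Requires openssl. Paths and the 30-day threshold are assumptions.

# Print the certificate subject and its expiry date (notAfter).
apnc_info() {
  openssl x509 -noout -subject -enddate -in "$1"
}

# Return 0 if the certificate stays valid for at least $2 days (default 30),
# non-zero if it expires sooner. openssl's -checkend takes seconds.
apnc_check() {
  cert="$1"
  days="${2:-30}"
  openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null
}

# Constructed sample only: a throwaway self-signed certificate valid for $2
# days, standing in for a real APNC so the check can be run offline.
make_sample_cert() {
  out="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -keyout "$out.key" -out "$out" \
    -subj "/CN=constructed-sample-push-cert" >/dev/null 2>&1
}

# Usage (assumed path): apnc_info /path/to/apnc.pem; apnc_check /path/to/apnc.pem 30 || echo "renew soon"
```

A non-zero exit from apnc_check is the signal to start the renewal with the original Apple ID while there is still time.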
Make sure you are not caught by this easy mistake: make a shared admin credential before you set up your APNC. If you would like to find out more about MDM before you set up yours, contact us for more details.