
Profile Manager and MDM Certificate Expiration

I just renewed my APN certificate for a Profile Manager server I run to manage iPads in a K-12 environment. I went back to an iPad and it doesn't explicitly show any APN certificate under General > Settings > Remote Management; I assume that is normal. What it does show are the following certificates:


Trust Profile (Expires March 19, 2021)

Remote Management > MDM Identity Certificate (Expires October 25, 2017)

Remote Management > Open Directory Certificate Authority (Expires March 19, 2021)


Does anyone know what happens when these certificates expire?

If it's an automatic process to renew, how does it work? What happens if an iPad doesn't update in between the time new ones are issued and old ones expire?

iOS 10.1.1, Apple Server

Posted on Jan 11, 2017 7:13 AM

Question marked as Top-ranking reply

Posted on Jan 13, 2017 6:33 AM

I mean any of the certificates on your Profile Manager server so this means any of the following which are due to expire.


  1. APNS certificate
  2. Server SSL certificate
  3. Server Code-signing certificate


As long as these are all valid the client device should keep in communication with the Profile Manager server and auto-renew its own identity certificate.

6 replies

Jan 12, 2017 3:40 AM in response to chazman113

The APNS certificate is to allow your server to authenticate itself with Apple's servers, it therefore has no direct relevance to your iPads and this is why your iPads do not show it. You only get APNS traffic from Apple's servers not from your own server and your server only talks to Apple's APNS servers, i.e. Apple act as the intermediary.


The Device Identity certificate is generated by your Profile Manager when you enrol your iPad and thereafter is used to prove to your Profile Manager it is the genuine authorised device. Your Profile Manager server will have its own computer certificate which needs to be renewed before it expires.


Your Profile Manager server sends notifications via APNS to the Apple APNS servers and then the Apple APNS servers forward these to your devices. If your Profile Manager APNS certificate expires before you renew it then your devices cannot get such notifications and not only will they no longer be able to get updates to profiles from your Profile Manager server but they will also not be able to renew their Device Identity certificates. If this happens you will have to re-enrol all your devices.


So you need to make sure you update both the APNS and any other certificates on your Profile Manager server before they expire, i.e. the computer server certificate and the code-signing certificate, both of which are only on your server.

Jan 12, 2017 6:23 AM in response to John Lockwood

That sounds about on par with my understanding, thanks. I believe from your explanation you are implying that the Profile Manager / iPad will automatically renew their device identity certificate on the device via some mechanism as long as APNS is working? What would happen if an iPad was shut off and didn't renew after its expiration period?

Jan 12, 2017 6:32 AM in response to chazman113

chazman113 wrote:


That sounds about on par with my understanding, thanks. I believe from your explanation you are implying that the Profile Manager / iPad will automatically renew their device identity certificate on the device via some mechanism as long as APNS is working? What would happen if an iPad was shut off and didn't renew after its expiration period?

That's a concern I also have and don't know definitely what would happen.


I therefore normally renew at least 2 weeks in advance to give all devices time to check in. This does mean that over several years the expiry date keeps moving earlier in time.
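The top-ranking reply lists the three server-side certificates (APNS, server SSL, code-signing) whose expiry silently breaks device check-in, and the last reply's practice is to renew at least two weeks early. The following script is an added example written for this thread, not code from Apple or from the posters: it assumes the three certificates have been exported to PEM files (the paths are hypothetical placeholders) and that the `openssl` command-line tool is available, and it flags any certificate that is expired or inside a 14-day renewal window.

```python
"""Expiry monitor for Profile Manager / MDM server certificates.

Added example, not from the Apple Support thread. Assumes the APNS push,
server SSL and code-signing certificates have been exported as PEM files
(hypothetical paths below) and that the `openssl` CLI is installed. The
parsing and classification work on the text that
`openssl x509 -enddate -noout` prints, so they can be exercised offline.
"""
import subprocess
from datetime import datetime, timezone

# Hypothetical export locations; replace with the real paths on the server.
CERTS = {
    "APNS push certificate": "/path/to/apns_push.pem",
    "Server SSL certificate": "/path/to/server_ssl.pem",
    "Server code-signing certificate": "/path/to/code_signing.pem",
}

# Renewal lead time in days. Devices must check in while every server
# certificate is still valid to renew their own identity certificate, so
# the renewal window is deliberately wider than the device check-in cadence.
LEAD_DAYS = 14


def parse_enddate(line: str) -> datetime:
    """Parse an openssl '-enddate' line such as
    'notAfter=Mar 19 00:00:00 2021 GMT' into an aware UTC datetime."""
    _, _, stamp = line.strip().partition("=")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(
        tzinfo=timezone.utc
    )


def days_left(enddate_line: str, today_iso: str) -> int:
    """Whole days between midnight UTC of today_iso (YYYY-MM-DD) and the
    certificate's notAfter; negative once the certificate has expired."""
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    return (parse_enddate(enddate_line) - today).days


def status_for(enddate_line: str, today_iso: str, lead_days: int = LEAD_DAYS) -> str:
    """Classify a certificate as 'expired', 'renew-now' (inside the lead
    window) or 'ok'."""
    remaining = days_left(enddate_line, today_iso)
    if remaining < 0:
        return "expired"
    if remaining < lead_days:
        return "renew-now"
    return "ok"


def openssl_enddate(pem_path: str) -> str:
    """Ask the openssl CLI for the notAfter line of a PEM certificate."""
    result = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", pem_path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def report(certs=CERTS, today_iso=None, lead_days=LEAD_DAYS):
    """Return {name: (notAfter line, status)} for every configured cert."""
    today_iso = today_iso or datetime.now(timezone.utc).strftime("%Y-%m-%d")
    results = {}
    for name, path in certs.items():
        line = openssl_enddate(path)
        results[name] = (line.strip(), status_for(line, today_iso, lead_days))
    return results


if __name__ == "__main__":
    # Run on the server (e.g. from a daily launchd job) and alert on anything
    # that is not 'ok'; the device-side identity certificates are not checked
    # here because they renew themselves while the server certs are valid.
    for name, (line, status) in report().items():
        print(f"{status:10s} {name}: {line}")
```

Scheduling this daily and alerting on any `renew-now` or `expired` result turns the "renew two weeks early" habit from the thread into a check that does not depend on remembering the dates; the `openssl` invocation is the only part that touches the server, and `status_for` can be tested against pasted `-enddate` output.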
