IBM Support

Apple MDM Profile Renewal Troubleshooting

How To


Summary

This article is for troubleshooting issues experienced while renewing the Apple MDM Certificate (also called the Apple Push Notification Certificate or APNS Certificate). It covers common issues and how to resolve them.

Objective

To get started with renewing your Apple MDM Certificate, log in to your MaaS360 Administrator Portal, go to the Setup tab > Services, click Mobile Device Management, and then click the arrow icon next to Apple MDM Certificate.

Once this section is expanded, you will see an Apple MDM Certificate topic (this information is critical!) and the Apple iTunes ID. This iTunes ID needs to be the one you log in with when redirected to the Apple website during the renewal process. If you are renewing, click the Renew Now button on the right to start the process. See screen capture of page:

image 9952

When you click "Renew," you will be brought to a 3-step process:

Step 1: Re-enter your Apple iTunes ID. This must be the one already listed in your MaaS360 Portal on the main Services page under Mobile Device Management. You will get errors if it is different or if your browser automatically signs you in to a different iTunes ID, so always verify that these IDs match when you get to the Apple website.

Once you enter your Apple iTunes ID, you will have a Generate certificate button. This button is NOT for creating your Apple MDM Certificate. It generates a CSR.txt file needed to renew your certificate through the Apple website you'll see in Step 2. One common misstep with this process is taking the CSR.txt file created in Step 1 and going straight to Step 3 to upload it. This gives an error message because the CSR.txt file is NOT the MDM Certificate you need to Browse for in Step 3.

Once you click Generate certificate, you will get a button to Download the CSR.txt file. Save it somewhere easy to find. See screen captures:

image 9953

image 9931

Step 2: Apple Push Certificate - This step has a link to Apple's website for the Push Notifications Portal (APNS). You will need to log in to this portal with the iTunes ID listed in your MaaS360 portal on the Services page. This iTunes ID must match, or you will receive errors. Click the Go to Apple's Push Certificate Portal button and log in.

image 9932

Once you log in to the Apple Push Certificates Portal, you will see your certificate and a Renew button to the right of it. Do NOT click the green Create a Certificate button in the upper right if you are trying to renew your certificate. If you have more than one certificate in your Apple Push Certificates Portal, you can click the small "i" bubble next to the Renew button to view the Subject DN. This Subject DN should match the Apple MDM Topic in your MaaS360 portal on the Services page. If they do not match, you will get an error. Use the "i" bubble to find the matching Subject DN and renew just that certificate.

image 9946

Screen capture of the Subject DN example:

image 9916

After finding the correct certificate, click Renew.

image 9944

You will be asked to browse for a file. That file is the CSR.txt file that was downloaded from the MaaS360 portal. This file is unique to each renewal instance, so make sure you're either deleting the CSR.txt each time or tracking which CSR.txt file you're using and always use the most recent one.

image 9948

After selecting the CSR.txt file with Choose File above, click Upload, and you should get the following screen:

image 9939

Click Download on the above page, and you should get a file that starts with MDM_Fiberlink and is in .pem file format. This is the only file format the last step (Step 3) in MaaS360 will accept.

Step 3: Upload Certificate - Once you have the .pem file from the Apple website, come back to the MaaS360 portal and click Continue to proceed to Step 3. In this step, you need to Browse for the MDM_ Fiberlink Communications_Certificate.pem file and create/confirm a password. This password cannot contain the special characters <, > or $. Once you have entered the password and confirmed it, the Continue button at the bottom will be enabled.

image 9940

After completing Step 3, you should see "Apple enrollment successfully enabled!" and a Continue button. You have now renewed your Apple MDM Certificate, which will stay valid for a full calendar year.

image 9943
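The two mistakes this article warns about, uploading CSR.txt in Step 3 and renewing a certificate whose Subject DN does not match the Apple MDM Topic, can be caught locally before the upload. The script below is an added example, not part of the IBM article or of MaaS360; it assumes the `openssl` command-line tool is installed, and `check_mdm_pem` and `make_sample_cert` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not IBM or MaaS360 code. Requires the openssl CLI.

# check_mdm_pem FILE TOPIC
#   FILE  - the file you are about to Browse for in Step 3
#   TOPIC - the Apple MDM Topic shown on the MaaS360 Services page
check_mdm_pem() {
    pem_file=$1
    pem_topic=$2
    [ -n "$pem_file" ] && [ -n "$pem_topic" ] || { echo "usage: check_mdm_pem FILE TOPIC" >&2; return 1; }

    # The Step 1 misstep: CSR.txt is not a certificate, so it has no
    # certificate PEM header.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem_file"; then
        echo "not a PEM certificate (is this the CSR.txt from Step 1?)" >&2
        return 2
    fi

    # Read subject and expiry; openssl fails if the PEM body is damaged.
    pem_subject=$(openssl x509 -in "$pem_file" -noout -subject) || return 2
    pem_expiry=$(openssl x509 -in "$pem_file" -noout -enddate) || return 2

    # The article says the Subject DN should match the topic in the portal.
    case $pem_subject in
        *"$pem_topic"*) ;;
        *) echo "topic mismatch: $pem_subject" >&2; return 3 ;;
    esac

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$pem_file" -noout -checkend 0 >/dev/null; then
        echo "already expired: $pem_expiry" >&2
        return 4
    fi
    echo "ok: $pem_subject, $pem_expiry"
}

# Constructed sample input: a throwaway self-signed certificate whose subject
# carries a made-up topic. It is not an Apple-issued certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/UID=$2/CN=constructed sample" \
        -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}
```

Return code 2 means the file is not a certificate, 3 means the subject does not contain the topic copied from the portal, and 4 means the certificate has already expired.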


Document Information

Modified date:
13 May 2021

UID

ibm10733279