08/17/20: Post updated with latest links on APNs certificate renewal.
I subscribed to the knowledge base articles within the VMware Workspace ONE customer portal, and the one below flew into my inbox a few weeks ago.
Updating Certificates for Workspace ONE UEM Services (last modified on 08/19/19)
Hopefully, you or someone at your team take a proactive approach and renew various certificates used in your Workspace ONE UEM environment well before they expire. Failure to do so can have serious consequences (i.e. unexpected phone call from your boss or worse your CEO.)
There are several places where the certificates are used and expire. I will cover some of them here as I don’t use all the ones listed per the link above. Generally, there are three major types of certificates:
- Public SSL Certificates
- Signing Certificate
- APNS Certificate
Public SSL Certificates
Update for the console server, device services server, application programming interface server
Perform an IIS reset. Afterward, navigate to your console URL and verify the certificate matches with the new one.
Within the web console, browse to GROUPS & SETTINGS -> All settings -> Devices & Users -> Apple -> Profiles. Click REPLACE and follow the steps accordingly.
As noted in the VMware Workspace ONE documentation, devices that were already enrolled with the expired certificate will simply show Not Verified. However, there’s no impact on functionality. Additional info can be found via this link: Signing Certificates
Be sure not to confuse APNs for applications with APNs for MDM. The later is required to manage iOS with any MDM solution.
I also came across the VMware KB below which explains the importance of renewing this certificate well before it expires.
Common symptoms that indicate the Apple Push Notification service (APNs) certificate has expired
For steps to renew APNs for applications, check out my other post here.
There are some Dos and Don’ts you must keep in mind:
- DO renew with the same Apple ID
- DO renew the same certificate originally uploaded in the console
- DO renew the certificate before it expires. Otherwise, a new one must be generated and that means devices that were already enrolled must be re-enrolled to become managed!
- DO keep the tab of the console open where the plist file is generated
- DO return to the same tab of the console where the plist file is generated to renew
- DON’T generate a new APNs certificate from scratch! Otherwise, devices that were already enrolled must be re-enrolled to become managed!
- Check out this community post on how you can get around it if by mistake a new one was in fact generated.
- DON’T renew with the wrong APNs certificate
- DON’T open a new tab of the console to renew the APNs certificate
To renew APNs for MDM, go to GROUPS & SETTINGS -> All Settings -> Settings -> Devices & Users -> Apple -> APNs For MDM. Then, click RENEW and follow the prompts accordingly. VMware also has an excellent KB on all the steps required.
If you run into any issue, check to see if your firewall might be blocking the communication such as the link below from the VMware community forum:
Trying to renew my Apple APN for MDM cert, when I click renew I get an “Error has occurred during the generation of Certificate Request” error.
The same VMware KB was updated on 08/17/20 to include a known issue you may encounter. This other VMware KB was also updated on 08/17/20 which shows the importance of handling this renewal properly.
If you happen to be using a public SSL cert for your AirWatch Cloud Messaging (AWCM), check out the steps outlined in this thread. I’ve included screenshots from it in case the post is ever removed.