Updating Certificates for Workspace ONE UEM Services

08/17/20: Post updated with latest links on APNs certificate renewal.

I subscribed to the knowledge base articles within the VMware Workspace ONE customer portal, and the one below flew into my inbox a few weeks ago.

Updating Certificates for Workspace ONE UEM Services (last modified on 08/19/19)

Hopefully, you or someone at your team take a proactive approach and renew various certificates used in your Workspace ONE UEM environment well before they expire. Failure to do so can have serious consequences (i.e. unexpected phone call from your boss or worse your CEO.)

There are several places where the certificates are used and expire. I will cover some of them here as I don’t use all the ones listed per the link above. Generally, there are three major types of certificates:

Public SSL Certificates

Update for the console server, device services server, application programming interface server

CertRenewal1.jpg

CertRenewal2.jpg

CertRenewal3.jpg

CertRenewal4.jpg

CertRenewal5.jpg

CertRenewal6.jpg

Perform an IIS reset. Afterward, navigate to your console URL and verify the certificate matches with the new one.

CertRenewal7.jpg

Signing Certificate

Within the web console, browse to GROUPS & SETTINGS -> All settings -> Devices & Users -> Apple -> ProfilesClick REPLACE and follow the steps accordingly.

CertRenewal8.jpg

As noted in the VMware Workspace ONE documentation, devices that were already enrolled with the expired certificate will simply show Not Verified. However, there’s no impact on functionality. Additional info can be found via this link: Signing Certificates

FW_ Profile signing certificate is showing as expi

APNS Certificate

Be sure not to confuse APNs for applications with APNs for MDM. The later is required to manage iOS with any MDM solution.

I also came across the VMware KB below which explains the importance of renewing this certificate well before it expires.

Common symptoms that indicate the Apple Push Notification service (APNs) certificate has expired

For steps to renew APNs for applications, check out my other post here.

There are some Dos and Don’ts you must keep in mind:

  • DO renew with the same Apple ID
  • DO renew the same certificate originally uploaded in the console
  • DO renew the certificate before it expires. Otherwise, a new one must be generated and that means devices that were already enrolled must be re-enrolled to become managed!
  • DO keep the tab of the console open where the plist file is generated
  • DO return to the same tab of the console where the plist file is generated to renew
  • DON’T generate a new APNs certificate from scratch! Otherwise, devices that were already enrolled must be re-enrolled to become managed!
    • Check out this community post on how you can get around it if by mistake a new one was in fact generated.
  • DON’T renew with the wrong APNs certificate
  • DON’T open a new tab of the console to renew the APNs certificate

To renew APNs for MDM, go to GROUPS & SETTINGS -> All Settings -> Settings -> Devices & Users -> Apple -> APNs For MDMThen, click RENEW and follow the prompts accordingly. VMware also has an excellent KB on all the steps required.

If you run into any issue, check to see if your firewall might be blocking the communication such as the link below from the VMware community forum:

Trying to renew my Apple APN for MDM cert, when I click renew I get an “Error has occurred during the generation of Certificate Request” error.

CertRenewal9.jpg

The same VMware KB was updated on 08/17/20 to include a known issue you may encounter. This other VMware KB was also updated on 08/17/20 which shows the importance of handling this renewal properly.

How to renew an Apple Push Notification service (A

If you happen to be using a public SSL cert for your AirWatch Cloud Messaging (AWCM), check out the steps outlined in this thread. I’ve included screenshots from it in case the post is ever removed.

easy awcm certificate update - Google Chrome 2019-.png

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.