In order to utilise MDM solutions such as Jamf Pro, an Apple Push Notification Service (APNS) certificate is required. This is created through the use of an Apple ID.
Although an APNS certificate is free to obtain, there are a number of considerations that must be understood in its use. Failure to adhere to these will require devices to be re-enrolled (in some cases necessitating a full erase and re-enrolment of the device):
- An APNS certificate lasts a year
- An APNS certificate must be renewed before it expires each year. It can be renewed early (even daily) but must be renewed before it expires.
- An APNS certificate must be renewed with the exact same Apple ID it was created with.
In light of the above considerations, we would strongly suggest the below steps are followed to create an Apple ID for APNS usage:
- Create an email alias or distribution group called "apns@[your domain]". This will allow you to move the Apple ID more easily if the responsible person / team leaves or is reassigned.
- Use a strong password and strong recovery questions, and store these in a safe and secure place.
- If setting up 2 Factor Authentication on this Apple ID, add more than 1 device that can receive the authentication codes.
- Do not use this Apple ID for other purposes and do not log this Apple ID into iTunes, App Stores or iCloud.
- APNS Certificate expiry reminders will go to the Apple ID email address set in requirement 1. Link this to a ticketing system to receive automated alerts at 30 days, 7 days and every other day up to the expiry.
- Attempt to renew the certificate at the 30-day alert to give you the maximum time to re-arrange access if an issue is found.
- Use https://appleid.apple.com to create your APNS Apple ID without requiring payment details.
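The 30-day, 7-day and every-other-day alert schedule above can also be checked against the certificate's own expiry date. The following is an added example, not part of the original page or of any vendor tooling; it assumes a copy of the push certificate in PEM form, the `openssl` command line tool, and that "every other day" means 5, 3 and 1 days before expiry.

```python
import ssl
import subprocess
from datetime import datetime, timezone

# Alert days from the steps above: 30 days, 7 days, then every other day.
# Assumption: "every other day" is read as 5, 3 and 1 days before expiry,
# plus a final alert on the expiry day itself (0).
ALERT_DAYS = {30, 7, 5, 3, 1, 0}

def read_enddate(pem_path):
    """Return the 'notAfter=...' line for a certificate file via the openssl CLI."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()

def parse_enddate(line):
    """Turn 'notAfter=Mar  5 12:00:00 2025 GMT' into an aware UTC datetime."""
    key, sep, value = line.strip().partition("=")
    if key != "notAfter" or not sep:
        raise ValueError(f"unexpected openssl output: {line!r}")
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def check_expiry(line, now):
    """Return (whole days left, status) for one daily run of the check."""
    not_after = parse_enddate(line)
    days_left = (not_after - now).days  # floors, so negative once expired
    if now >= not_after:
        return days_left, "EXPIRED"
    if days_left in ALERT_DAYS:
        return days_left, "ALERT"       # raise or update the ticket today
    if days_left < 30:
        return days_left, "RENEWAL_WINDOW"  # inside the window, no alert today
    return days_left, "OK"

if __name__ == "__main__":
    sample = "notAfter=Mar  5 12:00:00 2025 GMT"  # constructed sample value
    today = datetime(2025, 2, 26, 12, 0, tzinfo=timezone.utc)
    print(check_expiry(sample, today))
```

Run it once a day and pass `read_enddate("<path to your certificate>.pem")` and `datetime.now(timezone.utc)` to `check_expiry`; a skipped run can miss an alert day, so treat `RENEWAL_WINDOW` as a reason to confirm that a renewal ticket already exists.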