To enroll and manage Apple devices in Endpoint Management, you set up an Apple Push Notification service (APNs) certificate from Apple.
- The APNs certificate from Apple enables mobile device management via the Apple Push Network. If you accidentally or intentionally revoke the certificate, you lose the ability to manage your devices.
- If you used the iOS Developer Enterprise Program to create a mobile device manager push certificate: Be sure to handle any actions for the migrated certificates in the Apple Push Certificates Portal.
The topics that outline the step-by-step procedures are listed in order in this section. Here’s a summary of the process.
Step 1: For Windows, generate a Certificate Signing Request (CSR) by using Microsoft IIS. For Mac, generate a CSR on a Mac computer. Citrix recommends this method.
Step 2: Submit the CSR to Citrix. Citrix signs the CSR with its mobile device management signing certificate and returns the signed file in a
Step 3: Submit the signed CSR to Apple and then download the APNs certificate from Apple.
Step 4: Export the APNs certificate as a PCKS #12 (.pfx) certificate (on IIS, Mac, or SSL).
Step 5: Import an APNs certificate into Endpoint Management.
Note the Apple ID used to create the certificate. In addition, the Apple ID must be a corporate ID and not a personal ID.
To create a CSR by using Microsoft IIS
The first step for generating an APNs certificate request is to create a Certificate Signing Request (CSR). For Windows, generate a CSR by using Microsoft IIS.
- Open Microsoft IIS.
- Double-click the Server Certificates icon for IIS.
- In the Server Certificates window, click Create Certificate Request.
- Type the appropriate Distinguished Name (DN) information and then click Next.
- Select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic Service Provider and 2048 for bit length and then click Next.
- Enter a file name and specify a location to save the CSR and then click Finish.
To create a CSR on a Mac computer
- On a Mac computer running macOS, under Applications > Utilities, start the Keychain Access application.
- Open the Keychain Access menu and then click Certificate Assistant > Request a Certificate From a Certificate Authority.
- The Certificate Assistant prompts you to enter the following information:
- Email Address: Email address of the individual or role account who is responsible for managing the certificate.
- Common Name: Common name of the individual or a role account who is responsible for managing the certificate.
- CA Email Address: Email address of the Certificate Authority.
- Select the Saved to disk and Let me specify key pair information options and then click Continue.
- Enter a name for the CSR file, save the file on your computer, and then click Save.
- Specify the key pair information: Select the Key Size of 2048 bits and the RSA algorithm and then click Continue. The CSR file is ready for you to upload as part of the APNs certificate process.
- Click Done when the Certificate Assistant completes the CSR process.
To create a CSR by using OpenSSL
If you cannot use a Mac computer or Microsoft IIS to generate a CSR: You can use OpenSSL instead.
To use OpenSSL to create a CSR, first download and install OpenSSL from the OpenSSL website.
On the computer where you installed OpenSSL, execute the following command from a command prompt or shell.
openssl req -new -keyout Customer.key.pem –out CompanyAPNScertificate.csr -newkey rsa:2048
The following message for certificate naming information appears. Enter the information as requested.
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) :RWC Organization Name (eg, company) [Internet Widgits Pty Ltd]:Customer Organizational Unit Name (eg, section) [:Marketing Common Name (eg, YOUR name) :John Doe Email Address :firstname.lastname@example.org
At the next message, enter a password for the CSR private key.
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
To sign the CSR
Before you can submit the certificate to Apple, submit the certificate to Citrix for signing so it can be used with Endpoint Management.
In your browser, go to the Endpoint Management Tools website and then click Request push notification certificate signature.
On the Creating a new certificate page, click Upload the CSR.
Browse to and select the certificate.
The certificate must be in .pem/txt format.
On the Endpoint Management APNs CSR Signing page, click Sign. The CSR is signed and automatically saved to your configured download folder.
To submit the signed CSR to Apple to obtain the APNs certificate
After receiving your signed Certificate Signing Request (CSR) from Citrix, submit it to Apple to obtain the APNs certificate.
Some users have reported problems logging into the Apple Push Portal. As an alternative, you can log on to the Apple Developer Portal. You can then follow these steps.
In a browser, go to the Apple Push Certificates Portal.
Click Create a Certificate.
The first time that you create a certificate with Apple: Select the I have read and agree to these terms and conditions check box and then click Accept.
Click Choose File, browse to the signed CSR on your computer, and then click Upload. A confirmation message indicates that the upload is successful.
Click Download to retrieve the .pem certificate.
If you use Internet Explorer and the file name extension is missing, click Cancel two times. Then download from the next window.
To create a .pfx APNs certificate by using Microsoft IIS
To use the APNs certificate from Apple with Endpoint Management: Complete the certificate request in Microsoft IIS, export the certificate as a PCKS #12 (.pfx) file, and then import the APNs certificate into Endpoint Management.
Use the same IIS server for this task as the server you used to generate the CSR.
Open Microsoft IIS.
Click the Server Certificates icon.
In the Server Certificates window, click Complete Certificate Request.
Browse to the Certificate.pem file from Apple. Then, type a friendly name or the certificate name and click OK. Don’t include space characters in the name.
Select the certificate that you identified in Step 4 and then click Export.
Specify a location and file name for the .pfx certificate and a password and then click OK.
You need the password for the certificate during Endpoint Management installation.
Copy the .pfx certificate to the server on which you plan to install Endpoint Management.
Sign on to the Endpoint Management console as an administrator.
In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.
Click Certificates. The Certificates page appears.
Click Import. The Import dialog box appears.
From the Import menu, choose Keystore.
From Use as, choose APNs.
In Keystore file, select the keystore file you want to import by clicking Browse and navigating to the file’s location.
In Password, type the password assigned to the certificate.
To create a .pfx APNs certificate on a Mac computer
A .p12 file and .pfx file are the same and can be used interchangeably.
On the same Mac computer running macOS that you used to generate the CSR, locate the Production identity (.pem) certificate that you received from Apple.
Start the Keychain Access application and navigate to the Login > My Certificates tab. Drag and then drop the Product identity certificate onto the open window.
Click the certificate and expand the left arrow to verify that the certificate includes an associate private key. Right-click the private key and select Export 2 items to begin exporting the certificate into a PCKS #12 (.pfx) certificate.
Give the certificate file a unique name for use with the Endpoint Management server. Don’t include space characters in the name. Then, choose a folder location for the saved certificate, select the .pfx file format, and click Save.
Enter a password for exporting the certificate. Citrix recommends that you use a unique, strong password. Also, be sure to keep the certificate and password safe for later use and reference.
The Keychain Access application prompts you for the login password or selected keychain. Enter the password and then click OK. The saved certificate is now ready for use with the Endpoint Management server.
If you don’t plan to keep the computer and user account that you used to generate the CSR and complete the export process: Citrix recommends that you save or export the Personal and Public Keys from the local system. Otherwise, access to the APNs certificates for reuse is voided and you must then repeat the entire CSR and APNs process.
To create a .pfx APNs certificate by using OpenSSL
After you use OpenSSL to create a Certificate Signing Request (CSR), you can also use OpenSSL to create a .pfx APNs certificate.
At a command prompt or shell, execute the following command.
Customer.privatekey.pemis the private key from your CSR.
APNs_Certificate.pemis the certificate that you just received from Apple.
openssl pkcs12 -export -in APNs_Certificate.pem -inkey Customer.privatekey.pem -out apns_identity.pfx
Enter a password for the .pfx certificate file. Remember this password because you use the password again when you upload the certificate to Endpoint Management.
Note the location for the .pfx certificate file. Then, copy the file to the Endpoint Management server so you can use the console to upload the file.
To import an APNs certificate into Endpoint Management
After you request and receive a new APNs certificate: Import the APNs certificate into Endpoint Management to either add the certificate for the first time or to replace a certificate.
- In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.
- Click Certificates. The Certificates page appears.
- Click Import. The Import dialog box appears.
- From the Import menu, choose Keystore.
- From Use as, choose APNs.
- Browse to the .pfx or .p12 file on your computer.
- Enter a password and then click Import.
For more information about certificates in Endpoint Management, see Certificates and authentication.
To renew an APNs certificate
To renew an APNs certificate, perform the same steps you would if you were creating a certificate. Then, see the Apple Push Certificates Portal. From that page, upload the new certificate. After logging on, your existing certificate or a certificate imported from your previous Apple Developers account appears.
On the Certificates Portal, the only difference when renewing the certificate is that you click Renew. You must have a developer account with the Certificates Portal to access the site. When you are renewing your certificate, ensure that you use the same organization name and Apple ID.
To determine when your APNs certificate expires, in the Endpoint Management console, click Configure > Settings > Certificates. If the certificate is expired, however, do not revoke the certificate.
Do not use an Internet Explorer browser, or else step 7 outputs a .json file instead of a .pem file.
- Generate a CSR, using IIS (Microsoft), OpenSSL, or Keychain Access (macOS).
In your browser, go to Endpoint Management Tools. Then, click Request push notification certificate signature.
Click + Upload the CSR.
- In the dialog box, navigate to the CSR, click Open, and click Sign.
- When you receive a
.plistfile, save it.
- In the step 3 title, click Apple Push Certificates Portal and sign on.
- Select the certificate that you want to renew and then click Renew.
- Upload the
.plistfile. You receive a .pem file as the output. Save the .pem file.
- Using that .pem file, complete the CSR (according to the method you used to create the CSR in Step 1).
- Export the certificate as a .pfx file.
In the Endpoint Management console, import the .pfx file and complete the configuration as follows:
Go to Settings > Certificate Management.
- On the Certificates page, click Import.
- From the Import menu, choose Keystore.
- From the Keystore type menu, choose PKCS #12.
From Use as, choose APNs.
- For Keystore file, click Browse and navigate to the file.
- In Password, type the certificate password.
- Type an optional Description.
- Click Import.
Endpoint Management redirects you back to the Certificates page. The Name, Status, Valid from, and Valid to fields update.
If you use a different Apple ID for the renewal process, devices need to be re-enrolled.
In this article
- To create a CSR by using Microsoft IIS
- To create a CSR on a Mac computer
- To create a CSR by using OpenSSL
- To sign the CSR
- To submit the signed CSR to Apple to obtain the APNs certificate
- To create a .pfx APNs certificate by using Microsoft IIS
- To create a .pfx APNs certificate on a Mac computer
- To create a .pfx APNs certificate by using OpenSSL
- To import an APNs certificate into Endpoint Management
- To renew an APNs certificate