    Replace expired MDM certificate

    Pascal Lebrasseur

      I know this has been discussed previously, but I need to change our Apple MDM certificate.

      I have 2 questions:

      First:

      It is said that if the certificate has expired you'll have to upload a new one and reprovision all the devices. As stated in KB73382, I've made my CSR, posted it to McAfee, got my return and gone to the Apple link.

      My question is: even if the certificate has expired, Apple has allowed me to renew it (with the same topic, I suppose). Will this one work, or will I have to create an entirely new one (with a different topic) from scratch (on the Apple site)?

      Second: Before making this change, is there a best-practice method to back up the whole system, allowing a rollback if possible?

      Thanks in advance for all your inputs.


        • 1. Re: Replace expired MDM certificate

          Hi Pascal,


          First question: if you have the option to renew the existing certificate, please choose that option as opposed to going with a new certificate. That will save you the headache of having users reprovision iOS devices. Be sure to test the certificate for communication with Apple servers first by installing the Deployment Helper tool and verifying the certificate passes the Apple connection test.

          Second question: the easiest way is to simply make a backup of the EMM database in SQL before making any changes. If things do not work as planned, you can simply stop IIS (run "iisreset -stop" from a command prompt), then restore the DB backup and restart IIS ("IISRESET -Start"). You should not have to re-install the software or anything like that, but additional information regarding disaster recovery options can be found in KB73237.
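          As an added illustration (not code from the thread, from McAfee or from Apple), the following PowerShell check can be run on the EMM server before uploading a renewed push certificate: it reads the old and the new .pfx, pulls the push topic out of the subject, and reports whether the topic changed, whether the new file is already expired, and whether it carries a private key. File paths, the password and the subject layout (topic in the UID component, rendered by Windows either as "UID=" or as its OID) are assumptions; adjust them to your environment.

```powershell
# Added example: compare an old (possibly expired) MDM push certificate with its
# renewal before it goes into EMM. Paths and password below are placeholders.
param(
    [string]$OldPfx      = 'C:\EMM\certs\mdm-old.pfx',   # assumed path
    [string]$NewPfx      = 'C:\EMM\certs\mdm-new.pfx',   # assumed path
    [string]$PfxPassword = 'CHANGE-ME'                   # placeholder
)

function Get-MdmCertInfo {
    param([string]$Path, [string]$Password)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $Path, $Password,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    # The push topic lives in the UID attribute of the subject (assumption:
    # com.apple.mgmt.External.<id>); Windows may render UID by name or by OID.
    $topic = ''
    if ($cert.Subject -match '(?:UID|OID\.0\.9\.2342\.19200300\.100\.1\.1)=([^,]+)') {
        $topic = $Matches[1].Trim()
    }
    [pscustomobject]@{
        File       = $Path
        Topic      = $topic
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        HasKey     = $cert.HasPrivateKey
        Thumbprint = $cert.Thumbprint
    }
}

$old = Get-MdmCertInfo -Path $OldPfx -Password $PfxPassword
$new = Get-MdmCertInfo -Path $NewPfx -Password $PfxPassword
$old, $new | Format-List

# A renewal keeps the topic; a brand-new certificate changes it and forces re-enrollment.
if (-not $new.HasKey) { Write-Warning "New PFX carries no private key; EMM cannot use it for APNs." }
if ($new.Expired)     { Write-Warning "New certificate is already expired (NotAfter $($new.NotAfter))." }
if ($old.Topic -and ($old.Topic -eq $new.Topic)) {
    Write-Host "Topic unchanged ($($new.Topic)): enrolled devices should keep working."
} else {
    Write-Warning "Topic differs (old: '$($old.Topic)', new: '$($new.Topic)'): devices will need to re-enroll."
}
```

          This only inspects the files locally; the Deployment Helper's Apple connection test is still the check that proves the certificate is accepted by Apple's servers.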





          • 2. Re: Replace expired MDM certificate
            Pascal Lebrasseur

            Hi aj,


            Thanks a lot for the fast, clear and precise response. This will help me a lot. I liked the idea of using the Deployment Helper for testing purposes.

            However, after a bit of testing I wasn't able to obtain communication between Apple and our server. I've tried 2 scenarios, starting with the PLIST obtained from McAfee:

            1st: renew the actual one

            2nd: create a new .pem and complete

            Those 2 scenarios gave me the same .PFX (identical topics) and failed to connect to Apple.

            Open to ideas here... :-)

            • 3. Re: Replace expired MDM certificate

              Hi Pascal,


              Are you running the Deployment Helper from the EMM DMZ server, or whichever server has the push notifier installed? That would be the server to do it on, since it probably already has all the firewall rules allowed for connecting to Apple servers, etc. If you are running the Deployment Helper on that server and that is where it's failing, the Deployment Helper will usually generate a very detailed report (text file) that will tell you why Apple servers are rejecting the connection/certificate, or whether the connection to the Apple servers is even successful.

              You can paste the results of the Deployment Helper here, or for a faster response you could also open a case with support.