Most of the time it seems like magic that Apple devices ‘just work’. However, there is one fundamental service that makes this happen – the Apple Push Notification Service. This is a set of services that Apple use (and that Apple devices leverage) to communicate with MDM, App Store, Email infrastructure etc.

The part that Mobility Administrators need to do to utilise this in Workspace ONE is generate their own Apple Push Notification Services certificate to secure traffic and communicate with Apple.

It essentially allows the entire mobility infrastructure to communicate freely in a “push” fashion rather than on-demand or schedule.

Now the important part here is that this certificate needs to be renewed every 12 months. I say important because if you don’t renew it and let it expire, you have to reenroll every Apple device (manually) for them to function properly again.

Enough chit-chat, lets generate an APNs certificate and upload it to the Workspace ONE UEM Console.

The first thing you need is an AppleID. I recommend creating a new one specifically for this purpose, maybe even have the email address linked to a distribution list for your administrators to notify them of expiration.

If you don’t have one created, you can go to and create a new one.

Now, you can go to your Workspace ONE UEM tenant.

Go to Settings -> Devices & Users -> Apple -> APNs For MDM and then GENERATE NEW CERTIFICATE

 Now you need to download the Certificate Request .plist file. You will be redirected the Apple Push Notifications Certificate Portal by clicking on the GO TO APPLE button.


Sign in to the Apple Push Certificates Portal with the AppleID you created for this purpose.

Click on Create a Certificate

Accept the Terms of Use (or not, who am I? Your Dad? 🙂 )

Now, in the Notes sectionI strongly recommend putting in some good information about where you are going to use this certificate. Its much easier to renew the RIGHT certificate this way! (don’t ask how I know…)

You’ll also see the option to upload a file. This where you up the .plist file you downloaded from the Workspace ONE UEM Console.

Once you’ve uploaded this file you’ll get a success message where you can download the certificate.

Now we need to go back to our Workspace ONE UEM Console and upload the .pem certificate we just downloaded.

Click Next, then upload the .pem file and enter the AppleID that you used. This is where the Workspace ONE Console will send expiry notifications to.

Click Save (and enter your Security PIN) and then you’re done!