topic Re: Push Certificate non Compiant in Endpoint Security

Push Certificate non Compiant

SimonA11 — Wed, 26 Feb 2020 21:15:09 GMT

Hello,

A little while ago, a whole lot of our iPads receive an non-compliant push certificate message. While I can fix this, is there a way around this without wiping the device?

Re: Push Certificate non Compiant

BrechtSchamp — Wed, 26 Feb 2020 21:29:41 GMT

Did your push certificate expire?

https://documentation.meraki.com/SM/Device_Enrollment/Apple_MDM_Push_Certificate

Re: Push Certificate non Compiant

SimonA11 — Wed, 26 Feb 2020 21:42:00 GMT

The certificate expired about a month ago. Clicking the Test Certificate button states that the certificate is valid.

Re: Push Certificate non Compiant

BrechtSchamp — Wed, 26 Feb 2020 21:55:30 GMT

The current certificate is probably a valid one, but that doesn't mean everything is all right. I think something went wrong during the renewal. For example maybe you used a different apple id to generate the new certificate. The link I posted has some troubleshooting steps. Have a look through those to see if that helps.

Re: Push Certificate non Compiant

SimonA11 — Sun, 01 Mar 2020 23:00:32 GMT

@BrechtSchamp

I tried to renew the old certificate. That hasn't worked. Do you know if Apple keep backups of old certificates, because I don't appear to have an older copy.

Re: Push Certificate non Compiant

BrechtSchamp — Mon, 02 Mar 2020 11:06:33 GMT

Do you remember how you created your "new" certificate? If you just created it completely new, then you should still be able to download the old one if you log in to the Apple ID that created it originally. If you did renew it, with the CSR request generated by the Meraki dashboard, I'd open a ticket with Meraki support. I don't know if Apple keeps backups of the files.

Re: Push Certificate non Compiant

SimonA11 — Mon, 02 Mar 2020 23:53:43 GMT

@BrechtSchamp

I think I created it from scratch not realising that there are 2 options. I tried to renew the old certificate from identity.apple.com and update that certificate. This didn't work.

I have decided to reset the iPads from scratch. Thanks to iCloud, there won't really be any loss of data. As I can only 1 at a time through iTunes. Is there a way I could reset them in bulk? I don't think configurator would work as it would say that they are managed elsewhere.

I'm backing up the .csr, .pem and token files now, so that should help if this happens again.

Re: Push Certificate non Compiant

MikeMandalorian — Mon, 09 Mar 2020 19:23:12 GMT

Use the same Apple account that you used when you first created the token.

Re: Push Certificate non Compiant

beks88 — Mon, 09 Mar 2020 21:26:13 GMT

You can wipe the devices through Apple Configurator 2 when putting them to DFU.

Not sure if it also works if you mark all iPads, right mouse click and than say "factory reset"

We are wiping daily over 50 iOS devices managed and unmanaged. DFU always works 🙂

Re: Push Certificate non Compiant

SimonA11 — Tue, 10 Mar 2020 02:36:19 GMT

@beks88 Great. It might try the DFU mode as we also run Apple Configurator 2. However, it seems that you can only put 1 device at a time into DFU mode. Do you know if it's possible to put a stack (approx 5) into DFU mode at the same time?

Re: Push Certificate non Compiant

beks88 — Tue, 10 Mar 2020 22:51:12 GMT

"Do you know if it's possible to put a stack (approx 5) into DFU mode at the same time?" - What do you mean exactly?

You have to touch every device and put it into DFU. After that u can update/reset all 5 (using a hub) at the same time with AC2.

We use a ten port hub with external power and are able to update/reset all devices at same time.

Re: Push Certificate non Compiant

SimonA11 — Tue, 10 Mar 2020 23:03:34 GMT

@beks88 Sorry if that was confusing. I'll re-phrase it.

If I put an iPad in DFU mode using iTunes, can I then unplug the iPad (before restoring it), and connect it to my hub with AC2? Then, when I have a stack ready to go, reset that stack of iPads?

Re: Push Certificate non Compiant

beks88 — Wed, 11 Mar 2020 07:43:29 GMT

Why not connecting all iPads to the hub, starting AC2 and put one by one into DFU while they are connected to the Mac running AC2?

For DFU you have to use the hardware keys on the device. There is no way to put a device into DFU through iTunes. iTunes will just recognize the device is in DFU like AC2 will. But with AC2 you can update/restore more devices at the same time so you save yourself some time.

Re: Push Certificate non Compiant

SimonA11 — Mon, 06 Apr 2020 00:33:09 GMT

@beks88 @MikeMandalorian @BrechtSchamp

Thanks. DFU mode seems to be working for resetting a stack through Apple Configurator 2. They seem to connect back into Meraki quite well after that.

However, after resetting the devices, they are all activation locking with my apple ID. This seems to happen if I wipe the iPad in either iTunes or Apple Configurator 2.

Re: Push Certificate non Compiant

beks88 — Mon, 06 Apr 2020 07:20:31 GMT

@SimonA11 This could be also the Apple ID you are using for Apple Business Manager.

You can try clearing the activation lock in bulk through Dashboard. Check this post from @Kevin_C1

https://community.meraki.com/t5/Endpoint-Management-Systems/Activation-Locked-iPads/m-p/49665/highlight/true#M4827