APNS Push Certificates

Overview #

To communicate with Apple devices via MDM, Relution requires a signed APNS push certificate → (Apple Push Notification service). This certificate is linked to an Apple ID and must be renewed before it expires.
If a certificate expires, all enrolled Apple devices lose their MDM connection and must be re-enrolled.

As of Relution 26.3.0, new installations are required to provide their own APNS certificate via the Self-Service Wizard described on this page. Existing installations will continue to function with their current configuration and can migrate to the new method at their own pace.

Important: Always renew your existing certificate instead of creating a new one. If you upload a certificate with a different push topic, enrolled devices will continue using the old certificate until it expires — after that, they must be re-enrolled.

Migration from the Previous Process #

This section only applies if you have previously provided a custom APNS certificate by submitting a CSR to Relution Support. If you are setting up a new installation or have been using the Relution default certificate, skip this section.

If your Relution installation was set up prior to version 26.3.0 and you previously provided a certificate by sending a CSR to Relution Support, you must perform a one-time migration before using the Self-Service Wizard.

Navigate to Settings > Organization Certificates. If a migration is available for your organization, you will see an information box with a button labeled Migrate old APNS certificate. Click it.

The migration is instantaneous and safe: it has no impact on enrolled devices or ongoing MDM communication. It simply updates how your certificate is stored internally within Relution. After the migration, you can use the Self-Service Wizard for all future certificate renewals.

Setting Up or Renewing a Certificate #

Navigate to Settings > Organization Certificates and click Start in the APNS section.

This opens the APNS Certificate Wizard.

1. Download Signed CSR #

Relution automatically generates and signs a Certificate Signing Request (CSR) for you. Click Download to save it. Wait for the download to complete before clicking Next.

2. Upload Apple Push Certificate #

Open the Apple Push Certificates Portal and sign in with your Apple Account.

• Renewing an existing certificate: Locate your certificate in the list and click Renew. Upload the CSR file from Step 1. This preserves the push topic, so enrolled devices do not need to be re-enrolled.
• New installation: Click Create a Certificate and upload the CSR file.

Download the .pem certificate file from the Apple portal.

Note: Enter the Apple Account that generated the certificate into the free-text field.

Upload the certificate into Relution using the file uploader in this step.

The active push topic is displayed above the file uploader. Make sure you are renewing the correct certificate — the push topic of the uploaded certificate should match the one displayed.

• If the push topic matches, click Save — the wizard is complete.
• If the push topic has changed, the wizard proceeds to Step 3.

3. Confirm Certificate Change (Only in Case of Push Topic Conflict) #

This step only appears if the uploaded certificate has a different push topic than the current one. This can happen if a new certificate was created instead of renewing the existing one, or if a different Apple ID was used.

Note: If you are using the wizard for the first time in an organization that previously used the Relution default certificate, a push topic conflict is expected — the new certificate has a different push topic. A certificate configured on the global organization applies to all organizations; one on a meta-organization applies to all its sub-organizations. Individual organizations can override it with their own certificate. Before confirming, check which organizations inherit this setting and whether any Apple devices are enrolled in that scope. Existing devices will keep using the Relution-provided certificate — no immediate re-enrollment is required. Relution plans to retire the shared certificate in the future, but will ensure adequate migration time.

Warning: Changing the push topic affects enrolled Apple devices in the affected organization:

• If you are transitioning from the Relution-provided certificate to your own: Existing devices will keep using the Relution-provided certificate — no immediate re-enrollment is required. Relution plans to retire the shared certificate in the future, but will ensure adequate migration time.
• If you are replacing your existing certificate with a different one: Enrolled devices will continue using the old certificate until it expires. Once it expires, they will lose MDM communication and must be re-enrolled.

The wizard displays the old and new push topics. To confirm the change:

1. Check the Yes, I want to update the certificate checkbox to confirm.

Click Save to apply the change.

Certificate Expiration and Renewal #

The Organization Certificates page displays the expiration date of the active certificate. Relution will warn you as the expiration date approaches.

Renew the certificate before it expires. If you miss the deadline:

• All enrolled Apple devices instantly lose their MDM connection.
• Devices must be re-enrolled after the renewed certificate is uploaded.

Notes #

• Always use the same Apple ID when renewing a certificate. Using a different Apple ID creates a new push topic and requires a full re-enrollment of all devices.

• Always renew your existing certificate instead of creating a new one. If you upload a certificate with a different push topic, enrolled devices will continue using the old certificate until it expires — after that, they must be re-enrolled.

• If a certificate expires, all enrolled Apple devices lose their MDM connection and must be re-enrolled.