
APNS Certificate change of Apple-ID

Hi there,

we need to change the Apple-ID of our APNS certificate. Normally this means all devices have to be re-enrolled with the new APNS certificate - but Apple Support told me that they can transfer the APNS certificate from one Apple-ID to another and then there is no need to re-enrol the devices.

Is there anybody out there who had the same situation before and went through it?

If Apple transfers the APNS to a new Apple-ID, what are the steps in Sophos Mobile (on prem) to import it? We do not want to lose the MDM capability - this is not an option under any circumstances.

Thanks in advance!

Chris

  • Hi  

    When you are replacing any existing certificate with the new certificate or with the same certificate but attached to a different Apple ID, the Topic property of the certificate that you want to copy is identical to the Topic of the existing certificate. If you copy the wrong certificate, you might need to re-enroll all iOS and macOS devices. 

    You'll also see the message below in the APNs wizard while replacing the existing certificate, in the third step, which relates to our scenario.

    If the "Topic" property remains the same even after transferring the certificate to the new Apple ID, you should be able to continue with the scenario. However, I have never tested this scenario in the lab either. I'd recommend performing the test first before going ahead with the production devices.

  • In reply to Jasmin:

    Hi Jasmin,

    thanks for your fast and detailed answer. This looks very easy and straightforward - so I will contact Apple on Monday to transfer the certificate. I'll keep this thread updated :)

    Chris

  • In reply to Christoph Pelzer:

    Hi  

    I am also excited to know how it gets done. 

    We'll wait for your further response on this.

  • In reply to Jasmin:

    Hi  

    Apple has successfully transferred (moved) the APNS from one Apple-ID to the other one. It looks 100% identical, even my manually added notes are there. But: before I change anything I exported the current APNS (just to be sure) as a backup. While exporting the current certificate a password is shown for the p12 file (to import it later). I tried to import this p12 file into my own (user) certificate store via mmc.exe on my client with the above-mentioned password shown during the export process - the password seems to be invalid!

    So I decided to do nothing - can you reproduce the problem with the wrong password for the exported APNS cert?

    BR
    Chris

  • In reply to Christoph Pelzer:

    Hi  

    I was successfully able to import the certificate into my local certificate store with the same password I received from the APNs wizard while downloading the certificate.

    I'd request you to recheck whether the password is correct or not.

  • In reply to Jasmin:

    Hi  

    Of course I did that multiple times - even copying and pasting the password. I use Sophos Mobile 9.5.6 (rev 20231) and Chrome 80.0.3987.149.

    The import wizard says "wrong password" every time I try....

     

    EDIT:

    Weird - after several logouts from the server and several identical tries - it worked now!

  • In reply to Christoph Pelzer:

    another question: the wizard you mentioned offers the import only for p12 files. I can only download a .pem file from Apple - it "feels" like a normal renewal. 

  • In reply to Christoph Pelzer:

    Hi  

    That .p12 file is only possible if you have already installed the newer .pem file in another Sophos console; from there you can download the .p12 file.

  • In reply to Jasmin:

    Hi  

    so, back to my problem with the transferred APNS certificate:

    - should I upload the new .pem file I've downloaded with the new Apple-ID and use the first option in the Sophos APNs wizard "renew" (although the Apple ID has changed) or
    - do I have to create my own new .p12 file with the new .pem file and the old private key (that I could extract from the old .p12 file) and use option three in the certificate wizard "upload .p12 file"?

    Thanks in advance,
    Chris
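
An added example (not from this thread, and not Sophos's or Apple's tooling) showing the two checks behind Jasmin's note on the Topic property and the second option in the post above: read the Topic (the UID attribute of the certificate subject) out of the .p12 the wizard lets you download and out of the new .pem from Apple, compare the two, and, if they match, assemble a .p12 from the new .pem plus the old private key. It uses only the openssl CLI. The certificates, the Topic value, the passwords and the temp paths are self-signed stand-ins constructed inside the script; a real APNs certificate is issued by Apple, but its Topic sits in the same place.

```shell
#!/bin/sh
# Added example, not code from the thread. Needs only the openssl CLI.
# All certificates below are self-signed stand-ins constructed here; the
# Topic value and passwords are made up for the demo.
set -eu

# Topic = UID attribute of the subject of the certificate inside a .p12
apns_topic_from_p12() {   # $1 = path to .p12, $2 = export password
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Topic of a certificate in PEM form (what Apple's portal lets you download)
apns_topic_from_pem() {   # $1 = path to .pem
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Success only if the new .pem carries the same Topic as the .p12 in use
same_topic() {            # $1 = old .p12, $2 = its password, $3 = new .pem
    old=$(apns_topic_from_p12 "$1" "$2")
    new=$(apns_topic_from_pem "$3")
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Build a .p12 for the wizard's "upload .p12" option from the new .pem and
# the private key recovered from the old .p12
build_p12() {   # $1 = old .p12, $2 = old pass, $3 = new .pem, $4 = out .p12, $5 = out pass
    key=$(mktemp)
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$key" 2>/dev/null
    openssl pkcs12 -export -in "$3" -inkey "$key" -out "$4" -passout "pass:$5"
    rm -f "$key"
}

# --- demo with constructed stand-in certificates ---------------------------
WORK=$(mktemp -d)
OLD_PASS='old-export-password'   # stands in for the password the APNs wizard shows
TOPIC='com.apple.mgmt.External.11111111-2222-3333-4444-555555555555'   # constructed
SUBJ="/C=US/CN=APSP:11111111-2222-3333-4444-555555555555/UID=$TOPIC"

# 1. current certificate + key, packaged like the .p12 Sophos lets you download
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/old_key.pem" \
    -out "$WORK/old_cert.pem" -days 365 -subj "$SUBJ" 2>/dev/null
openssl pkcs12 -export -in "$WORK/old_cert.pem" -inkey "$WORK/old_key.pem" \
    -out "$WORK/old.p12" -passout "pass:$OLD_PASS"

# 2. "renewed" certificate: same key, same Topic, new serial and validity
#    (what a renewal after the transfer should look like), plus a decoy with a
#    different Topic (the "wrong certificate" case that forces re-enrolment)
openssl req -x509 -new -key "$WORK/old_key.pem" -out "$WORK/new_cert.pem" \
    -days 365 -subj "$SUBJ" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other_key.pem" \
    -out "$WORK/other_cert.pem" -days 365 \
    -subj "/C=US/CN=APSP:other/UID=com.apple.mgmt.External.99999999-0000-0000-0000-000000000000" \
    2>/dev/null

# 3. the check to run before uploading anything
if same_topic "$WORK/old.p12" "$OLD_PASS" "$WORK/new_cert.pem"; then
    echo "Topic unchanged ($TOPIC): safe to upload, devices stay enrolled"
fi
if ! same_topic "$WORK/old.p12" "$OLD_PASS" "$WORK/other_cert.pem"; then
    echo "Topic differs: uploading this certificate would force re-enrolment"
fi

# 4. only if the Topic matched: build the .p12 for the "upload .p12" option
build_p12 "$WORK/old.p12" "$OLD_PASS" "$WORK/new_cert.pem" "$WORK/new.p12" 'new-export-password'
echo "wrote $WORK/new.p12 with Topic $(apns_topic_from_p12 "$WORK/new.p12" new-export-password)"
```

Against real files the call is `same_topic old.p12 '<wizard password>' new.pem`; the Apple ID is not part of the certificate subject, so the comparison is unaffected by the account change, and only a differing Topic indicates the wrong certificate. The p12 built in step 4 is encrypted with the password you pass, so treat it like the original download and delete it once the wizard has accepted it.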

  • In reply to Christoph Pelzer:

    Well, the answer to option 1 (renew) is:

    I tried to renew the cert and change the Apple-ID shown in the APNs wizard in Sophos. This field is read-only and I can't change it. The rest of the renewal process went through without any problems - the only "issue": the Apple-ID that is shown in the renewal process (in the Sophos wizard) is the old one. But I logged into the APNS portal with the new Apple-ID and the CSR was accepted. The cert is issued (renewed) and now valid for a whole year. It has the same topic and I was able to upload it into Sophos - even though the wrong Apple-ID was shown.

    So, do I only have to keep in mind that the Apple-ID shown in the Sophos wizard is only a reminder (not critical) and that I have to use the new Apple-ID in the future for the APNS portal, or do I have to create a new .p12 file and change the Apple-ID there?

  • In reply to Christoph Pelzer:

    Hi Christoph,

    Jasmin brought this issue to my attention and requested assistance.

    I wasn't aware that Apple is able to move the APNS certificate to a new Apple ID - learned something new :-)

    In general the entered Apple ID is only for documentation purposes and memory aid.
    However, if you want to change it we have two possibilities:

    1. You use the following procedure
      1. Within the APNS tab, use the “download” option to download the current APNS certificate.
      2. As mentioned, take a note of the password
      3. Run the APNS Certificate Wizard
      4. Select the third option “Upload an apns_cert.p12 certificate file you’ve downloaded from another Sophos Mobile customer or installation…”
      5. Change the Apple ID (this value CAN be changed)
      6. Upload the certificate downloaded before
      7. Save the change
    2. You change the Apple ID directly within the database using a SQL query which I can provide you.

    Let me know what route you want to go. If you want the SQL query I can send it to you via direct message.

    Best regards

    Stefan

  • In reply to SDU:

    Hi Stefan,

    it was also new for me that Apple is able to move the certs. I only sent a mail to the address 'apns_programs@apple.com' and asked for help. The ticket was immediately answered by a very helpful Apple Deployment Programs Support (we have not bought any additional support from Apple...)

    So, it's really easy to change the Apple-ID for an APNS certificate: let Apple move this from one ID to the other ID.

    There is only a little paperwork to be done, because Apple needs to make sure that you are eligible to request such things... :)

     

    To answer your question: please send me the SQL query, I prefer this over exporting and importing - maybe because I know how SQL works :) Then I still can decide to do nothing since (as you just explained) this is only shown as a reminder..

     

    Many, many thanks to  and you!
    Chris

  • In reply to Christoph Pelzer:

    Hi  

    We are glad that we were able to help you in this scenario. 

  • In reply to Jasmin:

    For the sake of completeness: the SQL query was submitted via a personal message.