we need to change the Apple-ID of our APNS certificte. Normally this means all devices have to be re-enrolled with the new APNS certificate - but Apple Support told me that they can transfer the APNS certificate from one Apple-ID to another and then there is no need to re-enrol the devices.
Is there anybody out there who had the same situation before and went though it?
If Apple transfers the APNS to a new Apple-ID how are the steps in Sophos Mobile (on prem) to import it? We do not want to lose the MDM capability - this is no option under no circumstances.
Thanks in advance!
Hi Christoph Pelzer
When you are replacing any existing certificate with the new certificate or with the same certificate but attached to different Apple ID, the Topic property of the certificate that you want to copy is identical to the Topic of the existing certificate. If you copy the wrong certificate, you might need to re-enroll all iOS and macOS devices.
You'll also see the below message in APNS wizard while replacing the existing certificate, third steps which related to our scenario.
If the "Topic" property remains the same even after transferring the certificate to the new Apple ID, you should be able to continue the scenario. However, I have never tested this scenario in the labs as well. I'd recommend you to perform the test first before going with the production devices.
Jasmin Community Support Engineer | Sophos Support Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts | If a post solves your question use the 'This helped me' link
thanks for your fast and detailed answer. This looks very easy and strait-through - so I will contact Apple on Monday to transfer the certificate. I'll keep this thread updated :)
I am also excited to know how it gets done.
We'll wait for your further response on this.
Apple has successfully transferred (moved) the APNS from one Apple-ID to the other one. It looks 100% identical, even my manually added notes are there. But: before I change anything I exported the current APNS (just to be sure) for a backup. While exporting the current certificate there is a password shown for the p12 file (to import it later). I tried to import this p12 file to my own (user) certificate store via the mmc.exe on my client with the above mentioned password shown while the export processs - the password seems to be invalid!
So I decided to do nothing - can you reproduce the problem with the wrong password for the exported APNS cert?
I was successfully able to import the certificate to my local certificate store with the same password, I received from the APNs wizard while downloading the certificate.
I'd request you to recheck the password whether it is the correct password or not.
of course I did that multiple times - even copy'n paste the password. I use Sophos Mobile 9.5.6 (rev 20231) and Chrome 80.0.3987.149
The import wizard says "wrong password" every time I try....
Weird - after serveral logouts from the server and serveraly identical tries - it worked now!
another question: the wizard you mentioned offers the import only for p12 files. I can only download a .pem file from Apple - it "feels" like a normal renewal.
That .p12 file is only possible if you have already have installed the newer .pem file to any other Sophos console and from there you can download the .p12 file.
so, back to my problem with the transferred APNS certificate:
- should I upload the new .pem file I've downloaded with the new Apple - ID and use the first option in the Sophos APNs wizard "renew" (although the Appple ID has changed) or- do I have to create my own new .p12 file with the new .pem file and the old private key (that I could extract from the old .p12 file) and use option three in the certificate wizard "upload .p12 file"?
Thanks in advance,Chris
Well, the answer to option 1 (renew) is:
I tried to renew the cert and change the Apple-ID shown in the APNs wizard in Sophos. This field is read only and I can't change it. The rest of the renewal process went through without any problems - the only "issue": the Apple-ID that is shown in the renewal process (in the Sophos wizard) is the old one. But I logged into the APNS portal with the new Apple-ID and the csr was accepted. The cert is issued (renewed) and now valid for a whole year. It has the same topic and I was able to upload it into Sophos - despite the wrong Apple-ID was shown.
So, do I only have to keep in mind that the Apple-ID shown in the Sophos wizard is only a reminder (not critical) and I have to use the new Apple-ID in the future for the APNS portal or do I have to create a new .p12 file and change the Apple-ID there?
Jasmin brought this issue to my attention and requested assistance.
I wasn't aware that Apple is able to move the APNS certificate to a new Apple ID - learned something new :-)
In general the entered Apple ID is only for documentation purposes and memory aid.However, if you want to change it we have two possibilities:
Let me know what route you want to go. If you want the SQL query I can send it to you via direct message.
it was also for me new that Apple is able to move the certs. I only sent a mail to the address 'email@example.com' and requested for help. The ticket was immediately answered by a very helpful Apple Deployment Programs Support (we do not have any additional support bought at Apple...)
So, it's really easy to change the Apple-ID for an APNS certificate: let Apple move this from one ID to the other ID.
There is only a litte paperwork to be done, because Apple needs to secure that you are eligible to request such things... :)
To answer your question: please send me the SQL query, I prefer this over exporting and importing - maybe because I know how SQL works :) Then I still can decide to do nothing since (as you just explained) this is only shown as a reminder..
Many, many thanks to Jasmin and you!Chris
We are glad that we were able to help you in this scenario.
For the sake of completeness: the SQL query was submitted via a personal message.