Apple devices that are managed by Vexluna communicate directly with Vexluna servers to retrieve their configuration data. However, in order to nudge a device to check in to retrieve new data, Vexluna must send a push notification to the device using Apple's Push Notification Service (APNs).
To authenticate with the Apple Push Notification Service, Vexluna requires a certificate issued by Apple. Apple policy requires that device owners issue their own certificates; Vexluna cannot do it on your behalf.
You will need to renew your Apple Push Certificate yearly using the same Apple Account each time.
We highly recommend that you use a Managed Apple Account created in Apple Business Manager or Apple School Manager for this purpose. If the person who controls the Apple Account used to issue your Apple Push Certificate leaves your organization, someone else will need to access this account to renew your Push Certificate. Using Apple Business Manager, you can reset passwords and remove multi-factor authentication phone numbers if needed.
Keep track of which account was used to create your Apple Push Certificate. If you use a Managed Apple Account, make sure that you don't delete the account if the associated user leaves your organization!
Creating Your Apple Push Certificate
Only one Apple Push Certificate is required per Vexluna organization account. The same certificate can be used to manage all types of Apple devices.
1. Decide on which Apple Account you're going to use to create your certificate. This same Apple Account must be used yearly to renew the certificate. We highly recommend that you use a Managed Apple Account created through Apple Business Manager or Apple School Manager to ensure that you maintain access to the account for renewal.
2. Open the Device Enrollment page and click on the iOS, macOS, or Apple TV tab (the same certificate is used for all Apple platforms).
3. At the top of the page, you'll see the Apple Push Certificate info card. If this card says Setup Required, then you need to create your push certificate for the first time. Otherwise, see Renewing Your Apple Push Certificate.
4. Click on the Setup button. The Apple Push Certificate page will open.
5. Download your Vendor-Signed Certificate Signing Request using the Download CSR button.
6. Open the Apple Push Certificates Portal and sign in using the Apple Account you've decided to use for your certificate.
7. Click on Create a Certificate, read and accept the Apple terms and conditions, then browse to the CSR file you downloaded from Vexluna in step 5.
8. The Notes box is for your own reference. You may leave it blank or enter anything you want here.
9. Click on Upload. If everything goes well, Apple will issue a certificate and you can then download it.
10. Return to the Device Enrollment page in Vexluna. Enter the email address of the Apple Account you used to create the certificate. This is for your own reference, to help you keep track of which account you need to use for renewals.
11. Browse to the certificate file you downloaded from the Apple Push Certificates Portal, then click the Upload button to submit the certificate to Vexluna.
12. If everything worked, the Vexluna page will update to reflect your newly uploaded certificate's information.
Renewing Your Apple Push Certificate
1. Open the Device Enrollment page and click on the iOS, macOS, or Apple TV tab (the same certificate is used for all Apple platforms).
2. At the top of the page, you'll see the Apple Push Certificate info card. If this card says Setup Required, then you need to create your push certificate for the first time and you should refer to Creating Your Apple Push Certificate above.
3. Click on the Manage button. The Apple Push Certificate page will open.
4. Download your Vendor-Signed Certificate Signing Request using the Download CSR button.
5. Open the Apple Push Certificates Portal and sign in using the Apple Account you've decided to use for your certificate.
6. Locate the certificate you need to renew in the portal. Normally, you would only have one certificate for Vexluna LLC listed here.
   a. In case you have multiple certificates listed, click on the info icon next to the Renew button to open the certificate details popup.
   b. Under Subject DN, find UID= and take note of the text that follows it.
   c. In the Vexluna Apple Push Certificate page, locate the UID text listed at the top of the page. Match this text with the text listed in the portal to find the correct certificate.
7. Click on Renew next to the correct certificate, then browse to the CSR file you downloaded from Vexluna in step 4.
8. The Notes box is for your own reference. You may leave it blank or enter anything you want here.
9. Click on Upload. If everything goes well, Apple will issue a renewed certificate and you can then download it.
10. Return to the Device Enrollment page in Vexluna. Browse to the certificate file you downloaded from the Apple Push Certificates Portal, then click the Upload button to submit the certificate to Vexluna.
11. If everything worked, the Vexluna page will update to reflect your newly uploaded certificate's information.
If Your Certificate Is Revoked or Can't Be Renewed
It's vitally important that you renew your Apple Push Certificate each year before it expires. There's no downside to renewing it early, but bear in mind that the new expiration date is set to 1 year from the time of issuance, not 1 year from the time of the previous certificate's expiration.
If your Apple Push Certificate is revoked or expires, Vexluna loses the ability to contact your managed devices and it becomes impossible to manage your devices through Vexluna. Uploading a renewed certificate will re-establish the management connection automatically.
If you are unable to renew your certificate (e.g. due to losing access to the Apple Account used to initially create it), all your managed devices will need to be manually re-enrolled. Simply creating a new certificate is not sufficient; you must renew the original certificate as Vexluna needs a certificate that matches the UID present in the original one.
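Both failure conditions described above (an expired certificate, and a certificate whose UID differs from the original) can be checked on the downloaded file before you upload it. The following is an added example, not Vexluna's own code: it parses the output of `openssl x509 -noout -subject -enddate`, and the function names, the 30-day warning window, and the sample UID and dates are assumptions constructed for illustration.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample output in the two subject layouts openssl/LibreSSL print.
SAMPLE_UID = "com.example.mgmt.11111111-1111-1111-1111-111111111111"
SAMPLE_NEW = f"subject=UID = {SAMPLE_UID}, CN = APSP:example, C = US\nnotAfter=Mar  5 12:00:00 2026 GMT\n"
SAMPLE_OLD = f"subject= /UID={SAMPLE_UID}/CN=APSP:example/C=US\nnotAfter=Mar  5 12:00:00 2026 GMT\n"

def read_cert_fields(pem_path):
    """Return openssl's subject and notAfter lines for a PEM certificate file."""
    cmd = ["openssl", "x509", "-in", pem_path, "-noout", "-subject", "-enddate"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_fields(openssl_text):
    """Extract (uid, not_after) from the text produced by read_cert_fields()."""
    uid = not_after = None
    for line in openssl_text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            dn = line[len("subject="):]
            # Matches "UID = x, CN = y" as well as the older "/UID=x/CN=y".
            m = re.search(r"(?:^|[,/])\s*UID\s*=\s*([^,/]+)", dn)
            uid = m.group(1).strip() if m else None
        elif line.startswith("notAfter="):
            # Collapse the double space openssl pads single-digit days with.
            stamp = " ".join(line[len("notAfter="):].split())
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            not_after = not_after.replace(tzinfo=timezone.utc)
    if uid is None or not_after is None:
        raise ValueError("subject UID or notAfter missing from openssl output")
    return uid, not_after

def check_push_cert(openssl_text, expected_uid, now, warn_days=30):
    """Compare the certificate UID with the one shown in the MDM console
    and report how many whole days remain before expiry."""
    uid, not_after = parse_fields(openssl_text)
    days_left = (not_after - now).days
    if uid != expected_uid:
        return "UID_MISMATCH", days_left   # a new certificate, not a renewal
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "RENEW_NOW", days_left
    return "OK", days_left

if __name__ == "__main__":
    now = datetime(2026, 2, 20, tzinfo=timezone.utc)  # constructed "today"
    print(check_push_cert(SAMPLE_NEW, SAMPLE_UID, now))
```

To check a real file, pass `read_cert_fields("path/to/downloaded.pem")` and the UID shown on the Vexluna Apple Push Certificate page in place of the constructed samples.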