When you are planning to deploy Citrix XenMobile MDM (Mobile Device Manager) and want to enrol and manage iOS devices, you need an APNS (Apple Push Notification Service) certificate. Getting an APNS certificate is simple (and free): you only need a Microsoft Windows Server with the Internet Information Services (IIS) role installed and an Apple ID. To obtain the APNS certificate, follow these four steps.
Step 1: Create a Certificate Signing Request (CSR) file with Microsoft IIS
Log in to a Windows Server on which IIS is installed and open the Internet Information Services (IIS) Manager.
Within the IIS console, on the left side, select the server name. On the right side, double click Server Certificates
On the left side, click on Create Certificate Request
Fill in the requested information and click Next
Select Microsoft RSA SChannel Cryptographic Provider as Cryptographic service provider and 2048 as Bit length.
Click Next
Save the file as a .txt file and click Finish
Step 2: Have Citrix sign the Certificate Request file
The next step is to have Citrix sign the Certificate Request file. To do so, log in with your My Citrix account at the following website:
Step 3: Submit the signed .plist file to Apple
After receiving the .plist file from Citrix, it’s time to submit it to Apple to get the APNS certificate.
Open a browser and go to the Apple Push Certification Portal: https://identity.apple.com/pushcert (if for some reason the site is not working, first go to http://developer.apple.com/devcenter/ios/index.action, logon and then reopen the Apple Push Certification Portal).
Fill in the sign-in information of an Apple ID. NOTE: Use a company Apple ID (registered with a common company email address for general use, for example administrator@domain.com or servicedesk@domain.com). Once the APNS certificate is created with this account, it is not transferable to another Apple ID, and it has to be renewed every year with the same Apple ID!
Click on Create a Certificate
Select I have read and agree to these terms and conditions and click Accept
Optionally, you can add a note. This can be helpful if you manage multiple APNS certificates. I always fill in the external hostname.
Click Choose file, select the .plist and click Upload
Click on Download. You now get a .pem certificate file.
Step 4: Convert the .pem file to .p12 format
In the final step we must generate a .p12 file with Microsoft Internet Information Services (IIS). Log in to a Windows Server on which IIS is installed and open the Internet Information Services (IIS) Manager.
Within the IIS console, on the left side, select the server name. On the right side, double click Server Certificates
Click on Complete Certificate Request
Browse to the .pem file and fill in a Friendly name. Click OK
Select the certificate and on the right side click Export
Select a location to save the file and give it a name (.pfx). Fill in a Password. This password is needed when importing this APNS certificate into the XenMobile Mobile Device Manager.
Renew the APNS certificate
By default an APNS certificate is valid for one year; after that it has to be renewed. To renew the APNS certificate you have to go through all four steps again, but when submitting the certificate to Apple you need to choose the Renew option. It is important that the certificate is renewed with the same Apple ID it was created with. Keep in mind that if you use a different Apple ID, or choose to create a new certificate with the same Apple ID instead of renewing, all devices currently enrolled with XenMobile MDM need to be re-enrolled! So beware of that and always choose the Renew option.
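A check to run after a renewal and before importing the new file into XenMobile, as an added example that is not part of the original article. It relies on the push topic being stored in the User ID attribute of the certificate subject, which the article does not cover; the parameter names and the 30-day threshold are assumptions.

```powershell
# Added example. Paths are supplied by the caller; nothing here comes from the article.
param(
    [Parameter(Mandatory)] [string] $CurrentCert,  # certificate XenMobile uses today (.pfx or .pem)
    [Parameter(Mandatory)] [string] $RenewedCert,  # result of the renewal (.pfx or .pem)
    [int] $WarnDays = 30                           # assumed warning threshold
)

function Import-Cert([string] $Path) {
    $full = (Resolve-Path -LiteralPath $Path).Path
    if ($full -match '\.(pfx|p12)$') {
        # PKCS#12 files are protected by the password set during Export in IIS
        $pw = Read-Host -AsSecureString -Prompt "Password for $full"
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $pw)
    }
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
}

function Get-ApnsTopic($Cert) {
    # Push topic = subject User ID attribute; Windows prints its OID, other platforms print "UID"
    if ($Cert.Subject -match '(?:UID|OID\.0\.9\.2342\.19200300\.100\.1\.1)=([^,]+)') {
        return $Matches[1].Trim()
    }
    return $null
}

$old = Import-Cert $CurrentCert
$new = Import-Cert $RenewedCert
$oldTopic = Get-ApnsTopic $old
$newTopic = Get-ApnsTopic $new

[pscustomobject]@{
    CurrentTopic   = $oldTopic
    RenewedTopic   = $newTopic
    TopicUnchanged = ($null -ne $oldTopic -and $oldTopic -eq $newTopic)
    RenewedExpires = $new.NotAfter
    ExpiresLater   = ($new.NotAfter -gt $old.NotAfter)
    HasPrivateKey  = $new.HasPrivateKey   # must be True for a .pfx imported into XenMobile
} | Format-List

if ($oldTopic -ne $newTopic) {
    Write-Warning 'Topic differs: this is a new certificate, not a renewal. Enrolled devices would need to re-enrol.'
}
$daysLeft = [int]($new.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt $WarnDays) { Write-Warning "Renewed certificate expires in $daysLeft days." }
```

If TopicUnchanged is False, stop before importing: the file came from Create a Certificate or from a different Apple ID rather than from Renew.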
Excellent post on the tricky subject of APNS and XenMobile, Robin. Plain and simple. I enjoy reading your blog, my friend!
Thanks Konstantin!
Hi Robin
How do I pass an APNS certificate from one appleID to another appleID, so I can keep on renewing it every year?
Glen
Hi Glen, unfortunately that is not possible. Therefore always use a generic company account for this (for example admin@company.com or servicedesk@company.com).
http://blogs.citrix.com/2014/10/07/xenmobile-apns-csr-signing-portal-is-now-live/
Good to mention this link, thanks!
Thank you very much Robin. On site currently rolling out MDM and your guide was just perfect 🙂
Good to hear, thanks!
Hi Robin, Great article!
The step of having Citrix sign the CSR has changed. You can now use this link: https://xenmobiletools.citrix.com/APNSCertGateKeeper-1.0/csr/ . Might be good to update this in your article.
Regards,
Barry
Hi Barry, true! Updated right away 🙂
Many thanks for this great article,
Helped me to easily create new APNS certificates and renew the existing ones I’d implemented.
Congrats, you made it into the official Citrix Exam Prep guide 🙂
Thanks for letting me know!