A push certificate is an encrypted file generated by Apple that establishes trust between Jamf Pro and the Apple Push Notification service (APNs) to allow secure communication to devices enrolled with Jamf Pro.

An assistant in Jamf Pro guides you through the following steps to create a new push certificate (.pem) and upload it to Jamf Pro.

Requirements
  • A valid Jamf ID. To create a Jamf ID, go to: Jamf Account.

  • A valid Apple Account. (An institutional Apple Account is recommended.)

  1. In Jamf Pro, click Settings in the sidebar.
  2. In the Global section, click Push certificates.
  3. Click New.
  4. Choose a method for creating the push certificate:

    A CSR, or certificate signing request, is a file that Jamf Pro generates to identify itself to APNs, which will use that request to generate the push certificate.

    • If you have the Cloud Services connection configured, select Download signed CSR from Jamf.

      Jamf Pro connects to Jamf Account securely and obtains the signed CSR.

    • If the server hosting Jamf Pro does not have an outbound connection or if the signed CSR fails to download from Jamf, select Download CSR and sign later using Jamf Account.

  5. Click Next.

    The CSR file JamfSignedCSR.plist will automatically be downloaded.

  6. If you selected Download CSR and sign later using Jamf Account, follow the onscreen instructions to sign your CSR with Jamf Account.
  7. Complete the following steps in the Apple Push Certificates Portal to create the push certificate:
    1. Either click the link provided in Jamf Pro, or open a new tab and navigate to identity.apple.com/pushcert.
    2. Sign in using your Apple Account. The Apple Account used to create the push certificate will need to be reused every year to renew the certificate.
      Best Practice:

      Jamf recommends that you use a generic, institutionally owned Apple Account rather than a personal Apple Account. If a personal Apple Account is used and that person leaves the organization, you will need to create a new certificate and re-enroll every managed device in Jamf Pro. If you need to create a new Apple Account, click the "Create yours now" link to do so.

    3. Click Create a Certificate.
    4. Read through the terms of use, select the checkbox to certify you have done so, and then click Accept.
    5. Click Choose File, select the JamfSignedCSR.plist file that you downloaded from Jamf Pro earlier, and click Upload.
      Best Practice:

      Jamf recommends that you add information in the Notes box to specify what service is using the push certificate along with any other information that might be needed by the individual renewing the certificate in a year. For example, you can enter the Jamf Pro instance name this certificate will be used on, as well as the date and your name in case there are any questions in the future.

    6. Click Upload to generate the push certificate.
    7. On the following screen, click Download to download the push certificate.

      The certificate will have a filename specific to your organization but will always end in .pem. If a .cer file downloads, use Safari for your browser and reattempt the download.

  8. Return to Jamf Pro, and click Next.
  9. Click Upload.
  10. Click Choose File and navigate to the .pem file you downloaded from Apple, and click Upload.
  11. Return to the Push Certificates settings page, and click the newly created push certificate.
  12. Click Edit.
  13. In the Apple Account field, enter the Apple Account you used to create the push certificate.

    This will ensure that in a year when the push certificate needs to be renewed, there will be no confusion about what Apple Account was used in the Apple Push Certificates Portal to generate the push certificate.

  14. Click Save.
  15. Take note of the date displayed in the Expiration Date field. On that date, in a year, the trust established today between APNs and Jamf Pro will break and all device communication will immediately cease.
    Best Practice:

    Jamf recommends setting a calendar reminder for yourself to renew the push certificate before the expiration date. Renewal takes just a moment and can save the extra work that would follow if the push certificate were to expire.

Devices should now successfully enroll with Jamf Pro. However, if the push certificate is invalid, devices will not be able to completely enroll with Jamf Pro, and APNs communication errors will be displayed in the JAMFSoftwareServer.log file.
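
The two checks the procedure asks you to make by eye (that the file downloaded from Apple is a .pem rather than a .cer, and how far away the expiration date is) can also be scripted. This is an added example, not part of the Jamf documentation; it assumes the openssl command-line tool is installed, and the function names and the 30-day default warning window are assumptions.

```shell
#!/bin/sh
# Added example (not Jamf's code). Assumes the openssl CLI is installed.
# Function names and the 30-day default warning window are assumptions.

# Succeeds only if FILE is a PEM-encoded X.509 certificate (not a DER .cer).
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Prints the certificate's notAfter (expiry) date.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeeds if the certificate is expired now or will expire within DAYS days.
# "openssl x509 -checkend N" exits non-zero when expiry falls within N seconds.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Prints NOT_PEM, EXPIRED, RENEW_SOON or OK for FILE; non-zero status unless OK.
check_push_cert() {
    file=$1
    warn_days=${2:-30}
    if ! is_pem_cert "$file"; then
        echo "NOT_PEM"; return 2
    fi
    if expires_within "$file" 0; then
        echo "EXPIRED"; return 1
    fi
    if expires_within "$file" "$warn_days"; then
        echo "RENEW_SOON"; return 1
    fi
    echo "OK"
}

# Stand-alone use: sh check_push_cert.sh <downloaded-file> [warn_days]
if [ "$#" -ge 1 ]; then
    is_pem_cert "$1" && echo "Expires: $(cert_enddate "$1")"
    check_push_cert "$@"
fi
```

Run it against the file downloaded from the Apple Push Certificates Portal before uploading to Jamf Pro, and again from a scheduled job as a backstop to the calendar reminder.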