Last Updated On September 25, 2019

In order to manage Macs with MDM, MDS requires an Apple-signed Push Notification Certificate to talk with the Apple Push Notification Service (APNS). There are a number of different ways to obtain this certificate, but the easiest and fastest way is with Twocanoes Software. 

Twocanoes Software does not provide the Apple-signed Push Notification Certificate since that certificate must come from Apple. Apple requires that the Apple Push Certificate request be signed by an MDM vendor (Twocanoes Software). The procedure looks like this:

  1. Export a certificate request in MDS. This generates a request and an encrypted private key.
  2. Buy an MDS support agreement, upload the certificate request to Twocanoes Profile and download the vendor-signed certificate request. 
  3. Upload the vendor-signed certificate request to Apple Push Certificates Portal and download the Apple-signed APNS certificate.
  4. Import the Apple-signed APNS certificate and the private key into MDS.

The process can either be done via the MDS app or from the command line directly with MicroMDM:

Using MDS App

To request an MDM Push Certificate from the MDS App, follow the steps below.

Export Certificate Request and Private key in MDS: In the MDS window, click the “Manage Push Certificates” button and select “Export Unsigned Push Notification Request”.

Provide an email address and a password to encrypt the private key. The password is used to encrypt the private key. The private key should not be uploaded to Apple or Twocanoes Software, but will be imported into MDS with the Apple-signed push notification certificate at the end of this process.

Once the certificate has been exported, click on “Upload CSR to Sign” to go to  Twocanoes Profile in your web browser. If you have a current MDS support contract with Twocanoes Software, you will see the Certificate Signing Request page. If you do not have a current MDS support contract, visit the MDS product page to purchase one.

Click Upload unsigned-CSR.

Click Choose File and select the “unsignedCSR_to_upload_to_twocanoes.pem file.

The request is then signed and you are able to download a certificate request signed by Twocanoes. This file now can be uploaded to Apple.

The file to upload to Apple is called “Vendor-signed CSR (Upload this to Apple).pem”.

Go to the Apple Push Certificates Portal and sign in with an Apple ID.

Click “Create a Certificate”.

Select the “Vendor-signed CSR (Upload this to Apple).pem” file and click Upload.

Once completed, click Download to download the Apple-signed push notification certificate.

The push notification certificate will be named “MDM_ Twocanoes Software, Inc_Certificate.pem”. This certificate (and private key created at the start of the process) needs to be imported into MDS.

To import into MDS, click “Manage Push Certificates”, select “Import MDM Push Certificate From File”.

Select the Apple-signed certificate “MDM_ Twocanoes Software, Inc_Certificate.pem”, the private key “private_key_DO_NOT_UPLOAD.key”, enter the password you used to encrypt “private_key_DO_NOT_UPLOAD.key” and click Import.

If successful, a success dialog will be shown.

The MDM service will be restarted and the Push Certificate indicator will turn green.

Command Line Interface (MicroMDM)

To import the push certificate into MicroMDM directly using the command line interface, follow the steps below.

  1. Configure the command line tool mdmctl by using the mdmctl tool inside the MDS application. Replace “MySecretAPIKey with the API key found in the MDS preferences under MDM. The server URL should use the hostname that matches the SSL certificate.
mdmctl config set \
  -name production \
  -api-token MySecretAPIKey \
  -server-url https://my-server-url \

2. Select this new configuration

mdmctl config switch -name production

3. Generate a CSR. Replace “secret” with a password of your choosing and update the country and email values to match your organization. This command creates two files: PushCertificateRequest.csr and PushCertificatePrivateKey.key.

mdmctl mdmcert push -password=secret -country=US -email=admin@acme.co

Once the certificate has been exported, visit your asset page on Twocanoes Profile. In the section for your current MDS support contract with Twocanoes Software, you will see a link to the Certificate Signing Request page. If you do not have a current support contract, visit the MDS product page to purchase one.

Click Upload unsigned-CSR.

Click Choose File and select the “PushCertificateRequest.csr” file.

The request is then signed and you are able to download a certificate request signed by Twocanoes. This file now can be uploaded to Apple.

The file to upload to Apple is called “Vendor-signed CSR (Upload this to Apple).pem”.

Go to the Apple Push Certificates Portal and sign in using an Apple ID.

Click “Create a Certificate”.

Select the “Vendor-signed CSR (Upload this to Apple).pem” file and click Upload.

Once completed, click Download to download the Apple-signed push notification certificate.

The push notification certificate will be named “MDM_ Twocanoes Software, Inc_Certificate.pem”. This certificate (and the private key created at the start of the process) needs to be imported into MicroMDM.

mdmctl mdmcert upload -cert MDM_\ Twocanoes\ Software\,\ Inc_Certificate.pem -private-key PushCertificatePrivateKey.key -password=secret