Creating and Importing MDM Push Certificates into MDS

Created OnSeptember 25, 2019

Last Updated OnMarch 7, 2023

byDave Lebbing

In order to manage Macs with MDM, MDS requires an Apple-signed Push Notification Certificate to talk with the Apple Push Notification Service (APNS). There are a number of different ways to obtain this certificate, but the easiest and fastest way is with Twocanoes Software.

Twocanoes Software does not provide the Apple-signed Push Notification Certificate since that certificate must come from Apple. Apple requires that the Apple Push Certificate request be signed by an MDM vendor (Twocanoes Software). The procedure looks like this:

Export a certificate request in MDS. This generates a request and an encrypted private key.
Buy an MDS support agreement, upload the certificate request to Twocanoes Profile and download the vendor-signed certificate request.
Upload the vendor-signed certificate request to Apple Push Certificates Portal and download the Apple-signed APNS certificate.
Import the Apple-signed APNS certificate and the private key into MDS.

The process can either be done via the MDS app or from the command line directly with MicroMDM:

Option 1: Using MDS App
Option 2: Command Line Interface (MicroMDM)

Using MDS App

To request an MDM Push Certificate from the MDS App, follow the steps below:

Save Certificate Request: Go to MicroMDM from the side navigation, then click “Configure Push Certificate.” Start with step 1: Save Request.

Provide your Country Code and Email Address, then click “Save…”.

Proceed to step 2 by clicking the link to visit Twocanoes Profile in your web browser. If you have a current MDS support contract with Twocanoes Software, you will see the Certificate Signing Request page. If you do not have a current MDS support contract, visit the MDS product page to purchase one.

Click Upload unsigned-CSR.

Click Choose File and select the file called unsignedCSR_to_upload_to_twocanoes.pem.

The request is then signed. You are now able to download a certificate request signed by Twocanoes: this file now can be uploaded to Apple.

The file to upload to Apple is called Vendor-signed CSR (Upload this to Apple).pem.

Proceed with step 3 by clicking the link to go to the Apple Push Certificates Portal. Sign in with an Apple ID.

Click “Create a Certificate.”

Select the Vendor-signed CSR (Upload this to Apple).pem file and click Upload.

Once completed, click Download to download the Apple-signed push notification certificate.

The push notification certificate will be named MDM_ Twocanoes Software, Inc_Certificate.pem. This certificate needs to be imported into MDS.

Proceed with step 4 by clicking “Import Push Certificate”. Select the Apple-signed certificate MDM_ Twocanoes Software, Inc_Certificate.pem.

If successful, a success dialog will be shown. The MDM service will be restarted and the Push Certificate indicator will turn green.

Command Line Interface (MicroMDM)

To import the push certificate into MicroMDM directly using the command line interface, follow the steps below.

1. Configure the command line tool mdmctl by using the mdmctl tool inside the MDS application. Replace “MySecretAPIKey” with the API key found in the MDS preferences under MDM. The server URL should use the hostname that matches the SSL certificate.

mdmctl config set 
  -name production 
  -api-token MySecretAPIKey 
  -server-url https://my-server-url

2. Select this new configuration

mdmctl config switch -name production

3. Generate a CSR. Replace “secret” with a password of your choosing. Then, update the country and email values to match your organization. This command creates two files: PushCertificateRequest.csr and PushCertificatePrivateKey.key.

mdmctl mdmcert push -password=secret -country=US -email=admin@acme.co

Once the certificate has been exported, visit your asset page on Twocanoes Profile. In the section for your current MDS support contract with Twocanoes Software, you will see a link to the Certificate Signing Request page. If you do not have a current support contract, visit the MDS product page to purchase one.

Click Upload unsigned-CSR.

Click Choose File and select the PushCertificateRequest.csr file.

The request is then signed and you are able to download a certificate request signed by Twocanoes. This file now can be uploaded to Apple.

The file to upload to Apple is called Vendor-signed CSR (Upload this to Apple).pem.

Go to the Apple Push Certificates Portal; sign in using an Apple ID.

Click “Create a Certificate.”

Select the Vendor-signed CSR (Upload this to Apple).pem file and click Upload.

Once completed, click Download to download the Apple-signed push notification certificate.

The push notification certificate will be named MDM_ Twocanoes Software, Inc_Certificate.pem. This certificate (and the private key created at the start of the process) needs to be imported into MicroMDM.

mdmctl mdmcert upload -cert MDM_ Twocanoes Software, Inc_Certificate.pem -private-key PushCertificatePrivateKey.key -password=secret

Tags: