Questions about renewing Apple certs and tokens for MDM

JimK
Comes here often

Hello, we have several iOS devices in the field at customer sites. We are coming up to where we need to update the Apple Push cert and the Apple DEP token soon. We are not completely sure of what can and cannot be changed without messing this up as far as already installed devices are concerned. I am wanting to have this go as smoothly as possible as we have 80+ devices spread out over 30-40 customers, many with several separate sites.

1) Does the DEP token need to be created by the same person who created it originally or can it be done by anyone who has the access/authority on business.apple.com without needing to reinstall the profiles?

 

The Push cert says you need the same person or else you would need to reinstall the Meraki Management profile on each device. While we remember the account the Push cert was made under, we don't remember the one the DEP token was made with.

I am assuming that it can be done by anyone who has the access/authority on business.apple.com since the config page and the documents "Renewing a DEP Token" don't say otherwise but I am hoping someone can tell me for sure that is the case.

 

2) I am assuming that when we update either of those, the devices just figure it out the next time they connect to the network. What happens if a device is offline at the time the cert or token is changed? Will it just see everything as OK next time it connects, or does it know on the device that the old one expired even if it isn't connected to a network? Our customers sometimes turn off or keep the devices in areas with no WiFi/cell access for periods while employees go on vacation or other absences.

3) Not directly related to the above two, but it is in the token part of the config screen: Are we able to change the default network (Organization > MDM > Apple DEP Servers > Server > Edit > Default Network) at any time, or would we need to reinstall all the profiles? When we originally set up, we used the customer we were installing to first as the default network; now that we have one for the company I work for, we would like to change it to that one so newly purchased devices go right into that network to make it easier to set up.


I didn't see any of the things I asked about in the online documentation but there is a chance I missed it. Any help or guidance is appreciated. Thanks!

PhilipDAth
Kind of a big deal

I don't know the answer. I did find this walkthrough.

https://documentation.meraki.com/SM/Device_Enrollment/Apple_Device_Enrollment_Program_(DEP)#Renewing... 

 

These are just plain ordinary certificates.  As long as the user has access to sign the certificate I doubt it matters who actually signs the certificate.

 

As far as devices are concerned - these are just certificates.  For example, if you access an https web site you don't have to be concerned about when they replace their TLS certificate.  You just require it to be signed by someone you already trust and for it to be within a valid timeframe.

 

@JimK I am not sure as we set up generic accounts for ours. It might pay to give Apple a call and get them to confirm.
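Added example, not part of the thread and not Meraki's or Apple's code: a pre-upload check for the push certificate renewal asked about above. It relies on MDM push certificates carrying their APNs topic as the subject UID, which is what has to stay the same for enrolled devices to keep receiving pushes; PEM input, the function names and the sample topics used with `make_sample_cert` are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a renewed MDM push certificate before upload.
# Assumes PEM input; function names and sample topics are made up.

# Print the APNs topic, stored as the UID attribute of the subject.
cert_topic() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        tr ',' '\n' | sed -n 's/^\(subject=\)\{0,1\} *UID=//p' | head -n 1
}

# check_renewal OLD.pem NEW.pem [MIN_DAYS]
#   0 = same topic, NEW valid for at least MIN_DAYS (default 30)
#   1 = topic missing or different (enrolled devices listen on the old topic)
#   2 = NEW expires within MIN_DAYS
check_renewal() {
    old_topic=$(cert_topic "$1")
    new_topic=$(cert_topic "$2")
    min_days=${3:-30}
    if [ -z "$old_topic" ] || [ "$old_topic" != "$new_topic" ]; then
        echo "topic mismatch: '$old_topic' vs '$new_topic'" >&2
        return 1
    fi
    if ! openssl x509 -noout -checkend $((min_days * 86400)) -in "$2" >/dev/null; then
        echo "renewed certificate expires within $min_days days" >&2
        return 2
    fi
    echo "ok: topic $new_topic unchanged"
}

# Constructed sample input: a self-signed stand-in, not a real Apple-issued
# certificate. Usage: make_sample_cert OUT.pem TOPIC DAYS
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/UID=$2/CN=constructed-sample" -days "$3" -out "$1" 2>/dev/null
}

# Run as: sh check_push_cert.sh old.pem renewed.pem 30
if [ "$#" -ge 2 ]; then check_renewal "$@"; fi
```

A non-zero exit before uploading is the cue to stop and confirm which Apple ID the renewal was made under.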
