How to renew the iOS MDM certificate used by Symantec Mobility Suite


Article ID: 178596



Mobility Device Management Mobility Suite




Note: The following steps illustrate how to renew an expiring or expired MDM certificate. If this is a new installation, skip this part and continue to Building the iOS Agent (HOWTO95463).

1.    From the Mobility admin console, navigate to Downloads and click Download iOS MDM CSR. Save the certificate signing request (CSR) to the workstation. If using an on-premise deployment of Mobility Suite, email this CSR to [email protected]. Do not continue until the signed CSR (ending in .applecsr) is returned.

2.    Follow HOWTO109648 to match the mobile device management (MDM) certificate on the Apple portal with the MDM certificate in Settings > Certificates > Apple/iOS certificates.

Tip: Internet Explorer (IE) is not compatible with this Apple web portal.

3.    Using Chrome, Firefox or Safari, navigate to

4.    As stated in HOWTO109648, find the expiring MDM certificate and match its Subject DN with that of the MDM certificate Name in the Mobility Admin console.

Note: The above image is the Apple Signing portal page on the upper half and the iOS Certificates Admin Mobility page on the lower half.

5.    Click Renew and, when the Renew Push Certificate page loads, click Choose File.

6.    Browse to the signed CSR (the file ending in .applecsr) from step 1 and click Open.

7.    Click Upload to renew the MDM certificate.

8.    Once the confirmation page loads, click Download and save the MDM_Nukona…pem certificate to the workstation.

9.    Return to the Mobility Admin console > Certificates > Apple/iOS certificates and next to Upload new click Choose File.

10.  Browse to the MDM_Nukona…pem certificate, from step 8, and click Open.

11.  Now click Upload, in the upper-right, to save the new MDM certificate to the Mobility console.

Note: Devices will not receive the new certificate immediately. Users must wait until their current MDM certificate expires or becomes invalid, or remove it manually under Settings > General > Device Management. Removing it may also remove any applications installed via MDM, so do this only if the Subject DN of the old certificate does not match that of the new (replacement) certificate. If the two match, there is no need to remove the certificate, as the MDM certificate on the server will still be able to manage the device until it is gracefully replaced. Revoking the certificate in the Apple portal does not remove it from the device; if it needs to be removed, the user must do this manually. The Work Hub Agent will detect that the certificate DN is not installed on the device and will prompt the user to install a new MDM certificate when logging in to the Agent. This installation will fail if the old MDM certificate (with a different DN) has not been removed from the device.
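Because the outcome of the renewal depends on the Subject DN staying the same, it is worth comparing the two certificates before uploading the new one in steps 9 to 11. The script below is an added example, not part of the original article or the product: it assumes openssl is installed and that the certificate currently in use is available as a PEM file, and the function names and sample subjects are hypothetical.

```shell
#!/bin/sh
# Added example (not from the vendor article): confirm that a renewed MDM
# certificate keeps the Subject DN of the one it replaces before uploading it.

# Print a certificate's Subject DN in RFC 2253 form, without the "subject=" label.
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//'
}

# check_renewal OLD.pem NEW.pem
#   0: new certificate is inside its validity period and has the same Subject DN
#   1: Subject DN differs, so devices would need the old MDM certificate removed
#   2: a file could not be parsed, or the new certificate has already expired
check_renewal() {
    old_dn=$(subject_of "$1")
    new_dn=$(subject_of "$2")
    if [ -z "$old_dn" ] || [ -z "$new_dn" ]; then
        echo "cannot read a Subject DN from one of the files" >&2
        return 2
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "new certificate is already expired" >&2
        return 2
    fi
    echo "old: $old_dn"
    echo "new: $new_dn"
    [ "$old_dn" = "$new_dn" ] || { echo "Subject DN mismatch" >&2; return 1; }
    echo "Subject DN matches"
}

# Constructed sample input: a throwaway self-signed certificate with subject $2.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then
    check_renewal "$1" "$2"          # real files: current and renewed .pem
else
    demo=$(mktemp -d)                # demo on constructed certificates
    make_sample "$demo/old.pem" "/O=Example Org/CN=Constructed MDM Sample A"
    make_sample "$demo/new.pem" "/O=Example Org/CN=Constructed MDM Sample A"
    check_renewal "$demo/old.pem" "$demo/new.pem"
    rm -rf "$demo"
fi
```

Run it with the current and the renewed PEM files as its two arguments; an exit status of 1 means users will have to remove the old MDM certificate before the new one can be installed.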