To use MAC certificates for MDM, the certificate must be signed by Broadcom in order to send to Apple

ITMS 8.x

Requires Broadcom to Sign a CSR certificate file

1. Generate a Certificate Signing Request (CSR)
   1. From within the Symantec Management Console (SMC) click Home > Apple Modern Device Management.
   2. Click Certificates > APNS Certificate Requests > Add New.
   3. Enter the required information: Country, Common Name (CN) and Email. Click OK. SMC generates a certificate signing request.
   4. Locate your new CSR in the list and click Export Request to save the CSR as a text file on your local system.
2. Ask Broadcom to Sign the CSR
   1. Contact Broadcom Technical Support to request that they sign your new CSR. The support engineer will take your CSR and sign it.
3. Request an APNS Certificate from Apple
   
   1. Browse to https://identity.apple.com and log in with your Apple ID and password and select Create a Certificate.
   2. Read and accept the Terms of Use
   3. Browse for the signed CSR file that Broadcom support provided you and click Upload.
   4. Save your new APNS Certificate to your local machine.
4. Install the APNS Certificate on SMC
   1. In MDM - macOS > Certificates, click Add New.
   2. Select APNS as the Certificate Category and when prompted, select your new Certificate file and click OK.
   3. The MDM > Certificates page displays your new APNS certificate.

Note: The APNS certificate provided by Apple has an expiration date. Retain the Broadcom-signed CSR make the process of renewing your APNS certificate easier. If you don't have it when the time comes, simply follow the steps above to create a new CSR and have it signed.

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/it-management-suite/ITMS/Administration/About-Modern-Device-Management/Setting-up-MDM-for-macOS/mdm-macOS-APNS_certificate.html