Question

PradeepGoonetillake-3734 asked:
Consequences of deleting APN certificate in Intune

I have an Endpoint Manager tenant which has an expired APN certificate. It expired over 30 days ago. Now we have to delete the expired certificate and install a new MDM certificate from Apple. So we have to unenroll and re-enroll all the iOS devices. However, we are unable to do all of them at once.

So if we delete the expired certificate, will the Company Portal app break and users lose access to the company apps?

We need to be able to unenroll users gradually and re-enroll them with the new certificate. Any information regarding this will be greatly appreciated.

mem-intune-enrollment

1 Answer

Jason-MSFT answered:

With an expired APN certificate, the APN network doesn't allow any communication with the devices, so whether you unenroll them gradually or not is irrelevant, as they all are effectively unenrolled now anyway.


PradeepGoonetillake-3734 commented:

Thanks for the response, Jason.

I can still see the devices in Intune as compliant. As per the link below, we have to manually unenroll and re-enroll the devices:

https://techcommunity.microsoft.com/t5/intune-customer-success/intune-and-the-apns-certificate-faq-and-common-issues/ba-p/280121

We don't see any issues reported on the device side so far, but we can't enroll new devices due to the expired certificate. Maybe it will complain if we try to deploy any new apps or apply new policies, but existing apps work.

We want to maintain the same status until we re-enroll all of the devices under the new certificate. The question is what will happen if we remove the existing expired certificate and install a new one.

Jason-MSFT replied:

As per the link below we have to manually unenroll and re-enroll the devices

Correct. I didn't say that they were actually unenrolled; I said they were "effectively" unenrolled because they can no longer communicate with the MDM, since the expired cert does not allow communication over the APN.

Clients won't be marked as not compliant because of this state.

Question is what will happen if we remove the existing expired certificate and install a new one.

Nothing, because Intune can't communicate with these devices now, which is why they are "effectively" unenrolled. Perhaps a better way of saying this is that they are effectively unmanaged, since they cannot communicate with their currently assigned management authority; thus their being enrolled in Intune is completely meaningless.

PradeepGoonetillake-3734 commented:

Thank you, Jason. Appreciate your help.
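As an added example (not code from this thread, and not Microsoft's), here is the check Jason's answer implies: read the tenant's APNs certificate expiry from Microsoft Graph and list the iOS/iPadOS devices whose last check-in predates it, since those devices still appear enrolled and compliant in Intune but can no longer receive commands, policies or apps. It assumes the Microsoft.Graph PowerShell SDK, an account that can consent to the two read-only Graph scopes named below, and a 30-day warning window, which is an arbitrary choice.

```powershell
# Added example, not from the thread or from Microsoft. Assumes the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account that can consent to
# the two read-only scopes below. The 30-day warning window is an arbitrary choice.
param(
    [int]$WarnDays = 30
)

$scopes = @('DeviceManagementServiceConfig.Read.All', 'DeviceManagementManagedDevices.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. The tenant's APNs (MDM push) certificate record. Its expiry date decides whether
#    Intune can still reach Apple devices at all.
$apns = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'

if (-not $apns -or -not $apns.expirationDateTime) {
    Write-Warning 'No APNs certificate is configured; Apple devices cannot be enrolled or managed.'
    return
}

$now      = (Get-Date).ToUniversalTime()
$expires  = ([datetime]$apns.expirationDateTime).ToUniversalTime()
$daysLeft = [int][math]::Floor(($expires - $now).TotalDays)

'APNs certificate for Apple ID {0}, serial {1}, expires {2:u} ({3} days left)' -f `
    $apns.appleIdentifier, $apns.certificateSerialNumber, $expires, $daysLeft

if ($daysLeft -lt 0) {
    Write-Warning 'APNs certificate has EXPIRED: Intune cannot push commands, policies or apps to iOS/iPadOS devices, and new Apple devices cannot enroll.'
} elseif ($daysLeft -le $WarnDays) {
    Write-Warning "APNs certificate expires in $daysLeft days; renew it with the same Apple ID to keep existing enrollments."
}

# 2. Apple devices that have not synced since the certificate expired (or, while the
#    certificate is still valid, within the warning window). Intune keeps showing them
#    as enrolled and usually compliant, but they are effectively unmanaged.
$cutoff  = if ($daysLeft -lt 0) { $expires } else { $now.AddDays(-$WarnDays) }
$devices = @()
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,operatingSystem,lastSyncDateTime,complianceState'
while ($uri) {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'   # null on the last page, which ends the loop
}

$apple = @($devices | Where-Object { $_.operatingSystem -in @('iOS', 'iPadOS') })
$stale = @($apple |
    Where-Object { ([datetime]$_.lastSyncDateTime).ToUniversalTime() -lt $cutoff } |
    Select-Object deviceName, operatingSystem, complianceState,
        @{ Name = 'lastSync'; Expression = { ([datetime]$_.lastSyncDateTime).ToUniversalTime().ToString('u') } })

'{0} of {1} Apple devices have not checked in since {2:u}' -f $stale.Count, $apple.Count, $cutoff
$stale | Sort-Object lastSync | Format-Table -AutoSize
```

The device listing is the part worth keeping in a routine check: the compliance state alone does not reveal the problem the thread describes, because Intune does not mark a device non-compliant merely for failing to check in over APNs, whereas a lastSyncDateTime older than the certificate's expiry does.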