IOS MDM Device Polling And APNs Certificate

- 1 answer

I'm developing an iOS MDM Server as my project and I have almost completed.

I created all the necessary files manually including the mobileconfig file and installed the profile.

The device polls the URL mentioned in Server URL often with an Idle message.I read that the Idle message indicates that the device is checking the server for commands and we can send plist response as a command.

My question is, if all the devices poll the MDM Server frequently, what is need for .pem file and APNs certificate. Should we send push notification to the device like below like we send push notifications to our iOS apps.

    "aps": {
         "id": 10,
         "message": "Hello world!",
         "from": "Ram"

If this is what we should do, what should we send in the payload?


I found out the solution for sending push notifications.

com.notnoop.apns.ApnsService apnsservice = com.notnoop.apns.APNS.newService().withCert(<pushCertStream>,<pushCertPass>).withProductionDestination().build();
apnsservice.push(token, com.notnoop.apns.APNS.newPayload().mdm(pushMagic)).build());

When push notification is sent like this, the device responds with an Idle Message and we can send commands to the device.

Few more doubts :

1) When does apple check the SSL Certificate of the profile? I'm sure it checks during profile installation because my profile installation has failed many times due to wrong SSL Certificat. Does Apple also check the SSL Certificate when sending push notification as I have noticed a class com.notnoop.exceptions.InvalidSSLConfig? Does it check whether the server sending push notification has the SSL Certificate specified in the profile?


When server send push notification to the device, the device responds with an Idle Message to the URL specified in Server URL. What happens if the SSL Certificate is invalid at this point. Does it produce an error?

2) Can multiple servers have the same push notification certificate to reduce the load on a single server to send push notification and send commands to devices? Will there be any conflict?

3) Is there any limit to the no. of push notifications sent using a single push notification certificate? If not, can it handle any number of push notifications?

4) Can the Check-in URL and Server URL in the profile be different?

EDIT Can the Check-in URL and Server URL be of different servers i.e .,

CheckIN URL :

Server URL :

5) First question in this link(Least important) Though the solution talks about expiration of SSL Certificate, it does not say about changing of SSL Certificate.


When a push notification certificate is renewed, how does a device with profile already installed update the certificate details in the device's profile?



1) When MDM Server sends push notification to the device, the device responds to the Server by contacting the Server URL. The SSL Certificate of the server has to match the SSL Certificate Payload in the profile. If there are any conflicts, there will be an error. So, the SSL Certificate is checked everytime the device contacts Serverl URL. The below error will be produced if there are any conflicts.

Desc : The Server Certificate for "Server URL" is invalid.

Domain : MCHTTPTransactionErrorDomain

2) Yes, multiple servers can have the same push notification certificate. Each server just need to know the password of the certificate.

3) I don't think there is any limit to the no. of push notifications sent. Check below links.

Reference 1

Reference 2

4) Your Server URL and Check-in URL can be different but should be of same host.

5) If the SSL Certificate is changed, the profile has to be deleted and a new profile has to be installed.