iOS devices not enrolling or installing apps after APNs certificate expired (Solved)

Participant
Discussion
1 week ago Jun 01, 2026

Our iPads stopped enrolling properly and wiped devices were not getting any apps pushed back to them. The portal showed that the APNs certificate had expired.

I renewed the certificate, but I was a bit confused about where the CSR is supposed to be uploaded. After renewing, I also tried enrolling a supervised iPad again and saw this error: “new MDM payload does not match the old payload”.

Has anyone run into this after an APNs renewal?

Replies (4)

Hexnode Expert
1 week ago Jun 01, 2026

Hello @ace_98,

An expired APNs certificate can prevent Hexnode UEM from sending MDM commands, app installation commands, and configuration updates to iOS, iPadOS, and macOS devices.

To restore communication, renew the existing APNs certificate instead of creating a new one:

  1. In Hexnode UEM, go to Admin > APNs > Renew Certificate and download a new CSR.
  2. Sign in to the Apple Push Certificates Portal using the same Apple Account that was originally used to create the APNs certificate.
  3. Locate the correct certificate by matching the Serial Number and Unique ID shown in Hexnode UEM under Admin > APNs with the details in the Apple Push Certificates Portal.
  4. Click the Info icon next to the certificate if you need to verify these details.
  5. Click Renew for the matching certificate and upload the CSR downloaded from Hexnode UEM.
  6. Download the renewed APNs certificate from Apple.
  7. Upload the renewed certificate back to Hexnode UEM under Admin > APNs.

The renewed APNs certificate takes effect immediately after it is uploaded successfully to Hexnode UEM.

For the “new MDM payload does not match the old payload” error on supervised devices, confirm that the device is assigned to the correct MDM server in Apple Business and that its Automated Device Enrollment profile shows as assigned in Hexnode UEM. Then erase the device completely and allow it to go through Automated Device Enrollment again.

Regards,
Simon Scott
Hexnode UEM
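
Step 3 of the reply above matches the certificate by Serial Number and Unique ID so that the existing certificate is renewed rather than replaced. As an added example (not part of the original replies, and not Hexnode or Apple tooling), the same comparison can be made locally with openssl on the previous and the renewed PEM files. It assumes a copy of the previous certificate is available and that the identifier to compare is the APNs topic carried in the subject UID; the sample-certificate helper produces constructed, self-signed stand-ins.

```shell
#!/bin/sh
# Added example: compare a previous and a renewed APNs (MDM push) certificate.
# Assumption: both files are PEM and the APNs topic is the subject UID,
# e.g. UID=com.apple.mgmt.External.<id>.

# Print the APNs topic (subject UID) of a certificate.
cert_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^UID=//p'
}

# Print the serial number, to compare with what the portals display.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# check_renewal OLD.pem NEW.pem
# returns 0 = same topic and NEW still valid, 1 = topic differs,
#         2 = no topic found, 3 = NEW already expired
check_renewal() {
    old_topic=$(cert_topic "$1")
    new_topic=$(cert_topic "$2")
    if [ -z "$old_topic" ] || [ -z "$new_topic" ]; then
        echo "no UID (topic) in subject; not an MDM push certificate?" >&2
        return 2
    fi
    if [ "$old_topic" != "$new_topic" ]; then
        # A different topic means a new certificate was created, not a renewal.
        echo "topic changed: $old_topic -> $new_topic" >&2
        return 1
    fi
    # -checkend 0 fails when notAfter is already in the past.
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
        echo "renewed certificate is already expired" >&2
        return 3
    fi
    echo "topic=$new_topic serial=$(cert_serial "$2") $(openssl x509 -in "$2" -noout -enddate)"
}

# Constructed sample input: a self-signed certificate with TOPIC in the
# subject UID. Usage: make_sample_cert OUT.pem TOPIC
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 365 -subj "/UID=$2/CN=APSP:sample/C=US" 2>/dev/null
}

# Run as: sh check_apns.sh previous.pem renewed.pem (hypothetical file names)
if [ "$#" -eq 2 ]; then check_renewal "$1" "$2"; fi
```

A return code of 1 indicates that the uploaded file is a different certificate rather than a renewal of the one already in use.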

Participant
1 week ago Jun 01, 2026

That's okay, in my case these are supervised iPads. Normally I send a wipe command from the portal and the device comes back through setup and re-enrolls automatically.

After the APNs renewal, I tried using the Hexnode app and entering the organization domain manually, but that is when I saw the MDM payload mismatch error.

Hexnode Expert
1 week ago Jun 01, 2026

For supervised devices that are expected to come back through Apple Manager/Automated Device Enrollment, avoid switching to manual app-based enrollment during setup. The device should receive the MDM profile through ADE after the erase.

Check the device under Admin > Apple Business/School Manager > Automated Device Enrollment and make sure the profile status is Assigned. Once confirmed, erase the device fully from the device side:

  1. Open Settings.
  2. Go to General.
  3. Select Transfer or Reset iPhone/iPad.
  4. Choose Erase All Content and Settings.
  5. Complete the erase and proceed through Setup Assistant.

During setup, the device should pick up the assigned ADE profile and enroll back into Hexnode.

Participant
1 week ago Jun 02, 2026

I had a similar issue once after renewing APNs. The certificate renewal itself was instant, but the device still had remnants of the previous enrollment state. A full erase and letting ADE take over fixed it for us too. The key was making sure the device was assigned to the right MDM server in Apple Business before resetting.
