Expired APNs certificate with lost Apple ID: re-enrollment, ADE supervision, and kiosk mode impact
Solved

Participant
Discussion
1 day ago Jun 04, 2026

Our Apple Push Notification service certificate for Hexnode expired, and we no longer have access to the Apple ID that originally created it. We can create a new APNs certificate using a different Apple ID, but I’m trying to understand the cleanest recovery path. Is the only option to remove the existing APNs certificate, upload a new one, and re-enroll all iOS devices? Also, since the certificate is already expired, bulk disenrollment commands seem to stay stuck in progress. Is that expected?

Replies (5)

Hexnode Expert
23 hours ago Jun 04, 2026

If the original Apple Account used to create the APNs certificate is no longer accessible, there are two possible paths:

  1. Contact Apple Support and request that the APNs certificate be transferred to a different Apple Account. This is the recommended option if you want to avoid re-enrolling devices. Once Apple updates the Apple Account association, the same APNs certificate can be renewed and device management can continue without starting over.
  2. Create a new APNs certificate and re-enroll devices. This effectively starts APNs communication from scratch. Devices enrolled under the old APNs certificate will not automatically move to the new certificate.

Regarding the stuck disenrollment commands: yes, that is expected if the APNs certificate has expired. Hexnode relies on APNs to deliver management commands to iOS devices. Once APNs communication is broken, remote actions such as Disenroll Device may remain pending because the device can no longer receive the command.

Participant
21 hours ago Jun 04, 2026

That makes sense. If we choose the second option and create a brand-new APNs certificate, how do we remove the old devices from the portal if the remote disenroll command can’t reach them anymore? We also need to free up the licenses before enrolling them again.

Hexnode Expert
20 hours ago Jun 04, 2026

When the APNs certificate has expired and the devices cannot receive the disenrollment command, you can mark the devices as disenrolled from the Hexnode portal to release the licenses. Use the following path: Reports > Disenrollment Pending Device > select the devices > Actions > Mark as Disenrolled.

This removes the pending devices from the management side and frees the associated licenses. However, this does not perform an actual unenrollment on the physical devices because the command cannot be delivered without a valid APNs connection. After uploading the new APNs certificate, the devices must be enrolled again to be managed under the new certificate.

Participant
13 hours ago Jun 04, 2026

One more concern: these are ADE-enrolled supervised iOS devices, and some are in kiosk mode. Can we manually re-enroll them through Safari without factory resetting, or is a reset required?

Hexnode Expert
8 hours ago Jun 05, 2026

For Automated Device Enrollment, a factory reset is required to re-enroll the devices as supervised through ADE. The ADE management profile is applied during the iOS Setup Assistant stage, so it cannot be reapplied to an already-set-up device without resetting it.

Manual enrollment through Safari may be possible without a factory reset, but those devices will not be enrolled through ADE and will lose supervision-based management capabilities.

For devices currently locked in kiosk mode, the impact is more restrictive. Since the expired APNs certificate prevents Hexnode from sending the remote command to exit kiosk mode, marking the device as disenrolled in the portal only frees the license. It does not unlock the device locally. In that situation, a factory reset is required to break out of kiosk mode and enroll the device again with the new APNs certificate.

In short:

  • Best option: ask Apple Support to transfer the existing APNs certificate to a new Apple ID, then renew it.
  • If using a new APNs certificate: devices must be re-enrolled.
  • ADE/supervised re-enrollment requires a factory reset.
  • Manual re-enrollment without reset will not preserve ADE supervision.
  • Devices stuck in kiosk mode cannot be remotely unlocked after APNs expiry and will need a factory reset.