Set up an Apple push certificate

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

To use advanced management with Apple® iOS® devices, you need an Apple push certificate. The certificate establishes a trusted connection between iOS devices and your organization's domain.

Note: You must renew the certificate yearly. If your certificate expires before you renew it, you must set up a new certificate. When you set up a new certificate, your iOS users must enroll their devices again to synchronize G Suite data.

Before you begin

  • You need an Apple ID and password to complete this procedure. If you don't have an Apple ID, you can create one during the procedure. Use a work email address when you create the ID so an administrator can easily renew the certificate. 
  • Don’t reload your browser window or navigate away from any displayed page while you create the certificate. This process helps ensure that the certificate-signing request you submit matches the signed certificate you receive.

Create an Apple push certificate

Step 1: Download a certificate signing request

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Settingsand theniOS settings.
  4. Click Apple certificatesand then Set Up New Certificate.
  5. Under Certification Request, click Get CSR.
  6. Save the certificate signing request (.csr) file to a convenient location where you can access it later. Download this file only once. 

Step 2: Get a signed certificate from Apple

  1. (Optional) If you don’t have an Apple ID,  click Create an Apple ID and enter your details. 
  2. From your Admin console, click Apple Push Certificates Portal and sign in to the portal with your Apple ID and password. 
  3. Click Create a Certificate and accept the terms of use.
  4. Click Choose File and select the certificate signing request (.csr) file you saved earlier.
  5. To submit the request file, click Upload.
    Apple accepts the request and displays a confirmation page with your service type, vendor domain, and the expiration date for this certificate.
  6. Click Download and save the signed certificate (.pem) file. Download this file only once.
  7. Go back to your Admin console tab or window. 

Step 3: Upload your signed certificate 

  1. Under Enter Business Apple ID, enter the Apple ID you used to create the certificate. Your ID is automatically saved to remind you when you renew the certificate.
  2. Click Upload Certificate and select the certificate (.pem) file you saved from the Apple Confirmation page. 
  3. Click Save & Continue.
    The system verifies and uploads the signed certificate. If you have problems, make sure the signed certificate you submitted is the one you saved in step 1. If you find multiple signing requests on your system, delete them all and start again.

What's next?

iOS devices that already synchronize work data get a notification to install the Google Device Policy profile. The profile checks if the device is compliant with the policies you set. Compliant devices can continue to sync work data. Users of noncompliant devices get a notification and need to fix the problem before they can sync work data. New devices that enroll for management must install the Device Policy profile before they can sync work data.

Related topics

Was this helpful?
How can we improve it?