Set up advanced mobile device management

Step 3: Set up an Apple Push Certificate

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

To use advanced management with Apple® iOS® devices, you need to use an Apple Push Certificate. The certificate establishes a trusted connection between iOS devices and your domain. You need to renew the certificate yearly.

Before you begin

  • You need to use an Apple ID and password to complete this procedure. If you don't already have an Apple ID, you can create one during the procedure. Use a corporate email address when you create the ID so an administrator can easily renew the certificate. 
  • Make sure to save the Apple ID you create. You’ll need it when you renew the certificate. If you don’t have your ID when you renew, you’ll have to create a new certificate. If you create a new certificate, your iOS users' service will be interrupted, and they’ll need to enroll their devices again to synchronize corporate data.
  • Don’t reload your browser window or navigate away from any displayed page while you’re creating the certificate. Staying on the page helps ensure that the certificate-signing request you submit matches the signed certificate you receive.

Create an Apple Push Certificate

If you don’t already have an Apple Push Certificate, you can create one by submitting a certificate-signing request to the Apple Push Certificates portal.

Step 1: Download a certificate signing request

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Devices.

    If you don't see Devices on the Home page, at the bottom, click More controls.

  3. On the left, click Setup.
  4. Click Apple Push Certificate and then Set up Apple Push Certificate.
  5. Click Download and save the certificate signing request (.csr) file to a convenient location where you can access it later. Download this file only once.
  6. Check the I’ve downloaded the certificate signing request box. 

Step 2: Get a signed certificate from Apple

  1. (Optional) If you don’t already have an Apple ID, click Create an Apple ID and enter your details.
  2. From your Admin Console, click Apple Push Certificates Portal and sign in to the portal with your Apple ID and password. 
  3. Click Create a Certificate and accept the terms of use.
  4. Click Choose File and select the certificate signing request (.csr) file you saved earlier.
  5. To submit the request file, click Upload.
    Apple accepts the request and displays a confirmation page with your service type, vendor domain, and the expiration date for this certificate.
  6. Click Download and save the signed certificate (.pem) file. Download this file only once.
  7. Go back to your Admin console tab or window. 
  8. Check the I’ve got a signed Apple Push Certificate box. 

Step 3: Upload your signed certificate 

  1. Click Select certificate file and open the certificate (.pem) file you saved from the Apple Confirmation page. 
  2. Check the I’ve selected the certificate file box. 
  3. Click Verify.
    The system verifies and uploads the signed certificate. If you have problems, check to make sure the signed certificate you submitted is the one you saved in step 1. If you find multiple signing requests on your system, delete them all and start again.
  4. Click Continue Setup.  
  5. Click Device Management and then Setup and then Apple Push Certificate.
  6. Next to Apple account ID, enter the Apple ID you used to create the certificate. Your ID is automatically saved to remind you when you renew the certificate.
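
To keep track of the yearly renewal, you can check the expiry of the signed certificate (.pem) file you downloaded from Apple. The script below is an added example, not part of the original instructions; it assumes the .pem file is a standard PEM-encoded X.509 certificate and that the OpenSSL command-line tool is installed. The function names and the 30-day warning window are choices made for this example.

```shell
#!/bin/sh
# Added example: classify a signed Apple Push Certificate (.pem) by time left.
# WARN_DAYS and the function names are assumptions made for this example.

WARN_DAYS="${WARN_DAYS:-30}"

# Print "ok", "renew-soon", "expired" or "unreadable" for the certificate in $1.
# Optional $2 overrides the warning window in days.
# Returns 2 when the file cannot be parsed as a PEM X.509 certificate
# (for example, the .csr file was picked instead of the signed .pem).
apns_cert_status() {
    apns_pem="$1"
    apns_warn="${2:-$WARN_DAYS}"

    openssl x509 -in "$apns_pem" -noout >/dev/null 2>&1 || {
        echo "unreadable"
        return 2
    }

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$apns_pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -in "$apns_pem" -noout \
            -checkend "$((apns_warn * 86400))" >/dev/null 2>&1; then
        echo "renew-soon"
    else
        echo "ok"
    fi
}

# Print the subject and expiry date so the certificate can be matched
# to the record of which Apple ID created it.
apns_cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# When called with a path, report on that file:
#   sh check_push_cert.sh /path/to/signed-certificate.pem
if [ "$#" -ge 1 ]; then
    apns_cert_summary "$1"
    apns_cert_status "$1"
fi
```

Running this from a scheduled job and alerting on "renew-soon" gives an administrator time to renew with the same Apple ID before the certificate lapses.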

What's next?

iOS devices that are already synchronizing corporate data get a notification to install the Google Device Policy profile. The profile checks if the device is compliant with the policies you set. Compliant devices can continue to sync corporate data. Users of noncompliant devices get a notification and need to fix the problem before they can sync corporate data. New devices that enroll for management need to install the Device Policy profile before they can sync corporate data.
