Renew an Apple push certificate

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition

When you set up advanced management with Apple iOS devices, you created an Apple push certificate that you must renew yearly. The certificate establishes a trusted connection between iOS devices and your organization's domain.

Before you begin

  • If the certificate expires before you renew it, Google Workspace data will no longer sync with iOS devices, and users will see an error in the Google Device Policy app.
  • You have 30 days to renew the certificate after the expiration date. Apple offers this period now, but it may change in the future.
  • You cannot renew the certificate either 30 days after it expires or if you don't have the password for the Apple ID associated with the certificate.
  • If you cannot renew your certificate, you can create a new one. When you do, your iOS users must unregister and reregister in the Google Device Policy app to sync Google Workspace data. For details, go to Set up an Apple push certificate.
  • Do not reload your browser window or close any pages while you renew the certificate.

Renew your certificate

Step 1: Generate a renewal request

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click Apple certificates.

    The current certificate details are displayed: the unique identifier (UID), the Apple ID, and expiration date.

  4. Click Renew Certificate.
  5. Click Get CSR and save the certificate signing request (.csr file). Download this file only once.

Step 2: Get a renewed certificate

  1. Click Apple Push Certificates portal.
  2. In the new tab, sign in to the Apple portal with the Apple ID and password you used when you created the certificate.
  3. Next to the certificate you want to renew, click Renew and accept the terms of use.
    Tip: If more than one certificate is listed, you need to identify the correct certificate. Locate certificates with the same expiration date as in the Google Admin console. Click the i button ("certificate info") next to each one to find the UID and make sure it matches the certificate you want to renew.
  4. Click Choose File and open the certificate signing request (.csr) file you saved in step 1.
  5. To submit the request file, click Upload.
    Apple accepts the request and displays a confirmation page with your service type, vendor domain, and the expiration date for this certificate.
  6. Click Download and save the signed certificate (.pem) file. Download this file only once.
  7. Go back to your Admin console tab or window.

Step 3: Upload your renewed certificate

  1. Click Upload Certificate and select the certificate (.pem) file you saved from the Apple Confirmation page in the previous step.
  2. Click Save & Continue.
    The system verifies and uploads the renewed certificate. If you have problems, make sure the signed certificate you submitted matches the UID of the existing certificate.

Related topic


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.


Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu