Set up an Apple push certificate

This feature is available with Cloud Identity Premium edition. Compare editions 

To use advanced management with Apple iOS devices, you need an Apple push certificate. The certificate establishes a trusted connection between iOS devices and your organization's domain.

Renew the certificate yearly

You get alerts in the alert center 30 days, 10 days, and 1 day before the certificate expires and another alert when it expires. For details, go to Renew an Apple push certificate.

Before you begin

  • You need an Apple ID and password to complete this procedure. If you don't have an Apple ID, you can create one during the procedure. Use a work email address when you create the ID so an administrator can easily renew the certificate. 
  • Don’t reload your browser window or navigate away from any displayed page while you create the certificate. This process helps ensure that the certificate-signing request you submit matches the signed certificate you receive.

Create an Apple push certificate

Step 1: Download a certificate signing request

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click Apple certificatesand thenSet Up New Certificate.
  4. Under Certification Request, click Get CSR.
  5. Save the certificate signing request (.csr) file to a convenient location where you can access it later. Download this file only once. 

Step 2: Get a signed certificate from Apple

  1. (Optional) If you don’t have an Apple ID,  click Create an Apple ID and enter your details. 
  2. From your Admin console, click Apple Push Certificates Portal and sign in to the portal with your Apple ID and password. 
  3. Click Create a Certificate and accept the terms of use.
  4. Click Choose File and select the certificate signing request (.csr) file you saved earlier.
  5. To submit the request file, click Upload.
    Apple accepts the request and displays a confirmation page with your service type, vendor domain, and the expiration date for this certificate.
  6. Click Download and save the signed certificate (.pem) file. Download this file only once.
  7. Go back to your Admin console tab or window. 

Step 3: Upload your signed certificate 

  1. Under Enter Business Apple ID, enter the Apple ID you used to create the certificate. Your ID is automatically saved to remind you when you renew the certificate.
  2. Click Upload Certificate and select the certificate (.pem) file you saved from the Apple Confirmation page. 
  3. Click Save & Continue.
    The system verifies and uploads the signed certificate. If you have problems, make sure the signed certificate you submitted is the one you saved in step 1. If you find multiple signing requests on your system, delete them all and start again.

What's next?

iOS devices that already synchronize work data get a notification to install the Google Device Policy profile. The profile checks if the device is compliant with the policies you set. Compliant devices can continue to sync work data. Users of noncompliant devices get a notification and need to fix the problem before they can sync work data. New devices that enroll for management must install the Device Policy profile before they can sync work data.

Related topics

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.


Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center