Creating a Push Certificate

A push certificate is an encrypted file generated by Apple that establishes trust between Jamf Pro and the Apple Push Notification service (APNs) to allow secure communication to devices enrolled in Jamf Pro.

An assistant in Jamf Pro guides you through the following steps to create a new push certificate (.pem) and upload it to Jamf Pro.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Global Management section, click Push Certificates .
  3. Click New .
  4. Select Download signed CSR from Jamf Nation. A CSR, or certificate signing request, is a file that Jamf Pro generates to identify itself to APNs, which will use that request to generate the push certificate.
  5. Click Next.
  6. Enter your Jamf ID credentials. If you don't have a Jamf ID, go to and click Create one now to get started.
  7. Click Next. The CSR file JamfSignedCSR.plist will automatically be downloaded.
  8. Complete the following steps in the Apple Push Certificates Portal to create the push certificate:
    1. Either click the link provided in Jamf Pro, or open a new tab and navigate to
    2. Sign in using your Apple ID. The Apple ID used to create the push certificate will need to be reused every year to renew the certificate.
      Best Practice:

      Jamf recommends that you use a generic, institutionally-owned Apple ID rather than a personal Apple ID. If a personal Apple ID is used and that person leaves the organization, you will need to create a new certificate and re-enroll every managed device in Jamf Pro. If you need to create a new Apple ID, click the "Create yours now" link to do so.

    3. Click Create a Certificate.
    4. Read through the terms of use, select the checkbox to certify you have done so, and then click Accept.
    5. Click Choose File, select the JamfSignedCSR.plist file that you downloaded from Jamf Pro earlier, and click Upload.
      Best Practice:

      Jamf recommends that you add information in the Notes box to specify what service is using the push certificate along with any other information that might be needed by the individual renewing the certificate in a year. For example, you can enter the Jamf Pro instance name this certificate will be used on, as well as the date and your name in case there are any questions in the future.

    6. Click Upload to generate the push certificate.
    7. On the following screen, click Download to download the push certificate.

      The certificate will have a filename specific to your organization but will always end in .pem.

  9. Return to Jamf Pro, and click Next.
  10. Click Upload .
  11. Click Choose File and navigate to the .pem file you downloaded from Apple, and click Upload.
  12. Return to the Push Certificates settings page, and click the newly created push certificate.
  13. Click Edit .
  14. In the Apple ID field, enter the Apple ID you used to create the push certificate.

    This will ensure that in a year when the push certificate needs to be renewed, there will be no confusion about what Apple ID was used in the Apple Push Certificates Portal to generate the push certificate.

  15. Click Save .
  16. Take note of the date displayed in the Expiration Date field. On that date, in a year, the trust established today between APNs and Jamf Pro will break and all device communication will immediately cease.
    Best Practice:

    Jamf recommends setting a calendar reminder for yourself to renew the push certificate before the expiration date. It takes just a moment and can possibly save extra work in the future if the push certificate were to expire.