Migrating OS X Macs from one Apple push notification certificate to another using Casper
As mentioned previously, I needed to migrate my Casper server from using the Apple Push Notification Service (APNS) certificate generated by one Apple ID to now using another APNS certificate generated by another Apple ID.
This project is fairly straightforward, thanks to a couple of factors:
- The Casper server in question is managing only OS X devices.
- I have a way to identify via a Casper Extension Attribute which Macs have MDM profiles associated with the APNS certificate which is no longer active.
I was able to set up a Casper smart group to look for machines that fit the following criteria:
- Criteria: Extension Attribute name (In this case, the EA is named Apple Push Notification Service certificate identifier.)
- Operator: Like
- Value: com.apple.mgmt.External.uuid_of_former_apns_certificate_goes_here
From there, I set up a policy that is scoped to run on the members of that smart group.
The policy I set up runs the script shown below to perform the following tasks:
- Remove the existing MDM profiles
- Download and install a fresh set of MDM profiles. (This new set of profiles will use the new APNS certificate.)
- Run a recon to update inventory.
The inventory update should then take the machine out of the smart group.
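The three steps above can be sketched as a policy script. This is an added example, not the script used in the original post. It re-checks the MDM topic locally before acting, so an Ongoing policy does not strip a freshly installed profile when inventory is stale. The jamf binary path, the `OLD_TOPIC` placeholder and the `system_profiler` output format it parses are assumptions.

```shell
#!/bin/bash
# Added example, not the author's script. Assumptions: the jamf binary path,
# the placeholder topic value, and the "Topic = ...;" line format that is
# parsed out of system_profiler output.

JAMF="${JAMF:-/usr/local/bin/jamf}"   # assumed path; older installs use /usr/sbin/jamf
OLD_TOPIC="${OLD_TOPIC:-com.apple.mgmt.External.uuid_of_former_apns_certificate_goes_here}"

# Read `system_profiler SPConfigurationProfileDataType` output on stdin and
# print the first APNS topic found, stripped of quotes and the trailing semicolon.
extract_topic() {
    awk '/Topic/ { gsub(/[";]/, "", $NF); print $NF; exit }'
}

# Succeed when the topic contains the retired certificate's identifier
# (mirrors the smart group's "Like" operator). An empty topic never matches.
needs_migration() {
    [ -n "$1" ] || return 1
    case "$1" in
        *"$OLD_TOPIC"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Run the three policy steps in order and stop at the first failure, so a Mac
# is never left reporting fresh inventory without a working MDM profile.
migrate() {
    "$JAMF" removeMdmProfile || { echo "MDM profile removal failed" >&2; return 1; }
    "$JAMF" mdm              || { echo "MDM profile install failed" >&2; return 2; }
    "$JAMF" recon            || { echo "Inventory update failed" >&2; return 3; }
}

main() {
    [ -x "$JAMF" ] || { echo "jamf binary not found at $JAMF; nothing to do."; return 0; }
    topic=$(/usr/sbin/system_profiler SPConfigurationProfileDataType | extract_topic)
    if needs_migration "$topic"; then
        migrate
    else
        echo "MDM topic is '${topic:-none}'; not tied to the old certificate."
    fi
}

main
```

A non-zero exit from `migrate` marks the policy run as failed in the policy log, and the Mac stays in the smart group for the next check-in.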
Here’s how the policy I set up looks in Casper 9.x:
- Frequency: Ongoing
- Trigger: Check-In
- Run script
- Update Inventory
The script looks like this in Casper: