Clarification on APNs MDM Push Certificate per-customer requirement for MSP/multi-tenant MDM

Hello Apple Developer Community,

We’re building an MDM product (SaaS, multi-tenant). I’d like clarification on the APNs MDM push certificate usage model for service providers (MSPs).

Question: Is it acceptable for an MDM vendor to use a single APNs MDM push certificate owned by the vendor to manage devices for multiple, independent customer organizations? Or is it required/recommended that each customer (company) must obtain and use its own APNs MDM push certificate (issued under the customer’s Apple ID) for their tenant?

Why we’re asking:

We understand that many guides show the process where each customer logs into the Apple Push Certificates Portal with their own Apple ID, uploads a CSR provided by the MDM, and then renews yearly.

Practically, for a small team and early-stage deployments, using one vendor-owned certificate across multiple tenants would be simpler.

We want to ensure we’re not violating any policy, terms, or technical requirements (e.g., certificate ownership, topic binding, device token isolation, audit/compliance expectations).

What we need from Apple (or authoritative sources):

An official Apple document or policy that clearly states whether per-customer certificates are mandatory vs strongly recommended for MSP/multi-tenant MDMs.

If per-customer is mandatory, please point to the relevant clause or section.

If a vendor uses a single certificate for multiple organizations, what risks or consequences should we expect (e.g., compliance issues, supportability, potential program violations, off-boarding problems, etc.)?

Context:

We’re sending only MDM wake notifications (standard MDM flow).

We understand certificates expire yearly and must be renewed with the same Apple ID to avoid device re-enrollment.

We want to follow Apple’s best practices while keeping early operations manageable.

Any guidance, links to official documentation, or clarification from Apple engineers/moderators would be greatly appreciated. Thank you!

Answered by Device Management Engineer in 862230022

I can't give legal advice on whether potential actions violate the terms of developer agreements.

I suggest that having your customers manage their own MDM push certificates makes sense from the point of view of segmentation of risk.

MDM is a very powerful technology, and, rarely, people abuse it. When Apple becomes aware of abuse of MDM it may take various actions in response. These actions may include revoking the MDM push certificate involved in the abuse, revoking the MDM vendor certificate associated with the MDM push certificate, removing the MDM CSR permission, and/or terminating any Apple Accounts, Apple Developer Program accounts, or Apple Developer Enterprise accounts associated with those certificates.

As a device management service vendor, consider if one of your customers abuses device management capabilities and Apple revokes the MDM push certificate and the associated Apple Account. If your device management service used the same MDM push certificate for all customers, MDM would stop working for all customers, not just the one abusing MDM. There are similar arguments for each step up the tree of certificates and accounts I listed above; the more you share them, the more you share risk.

If you decide to share risk broadly now and later want to segment it more, it may not be feasible to adapt because it's very difficult to change the MDM push certificates used for a customer's deployment.
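The "shared certificate, shared blast radius" argument in the answer above, as an added audit script that is not part of the original thread or of any Apple tooling: it takes a tenant-to-push-certificate inventory (constructed sample data, with made-up placeholder topic values in the `com.apple.mgmt.External.<UUID>` format that enrollment profiles bind to) and reports which tenants would lose MDM if a given certificate were revoked, which certificates are pooled across tenants, and which are due for yearly renewal.

```python
"""Audit a multi-tenant MDM's push-certificate layout for pooled risk.

Constructed example: the tenant records below are inline sample data, not
real customers, and the push topics are placeholders in the format Apple
uses for MDM push topics (com.apple.mgmt.External.<UUID>).
"""
from collections import defaultdict
from datetime import date

# Constructed inventory: tenant -> the APNs push certificate (identified by
# its topic) that the tenant's enrollment profiles are bound to.
TENANTS = {
    "acme":    {"push_topic": "com.apple.mgmt.External.SHARED-0000", "expires": date(2026, 3, 1)},
    "globex":  {"push_topic": "com.apple.mgmt.External.SHARED-0000", "expires": date(2026, 3, 1)},
    "initech": {"push_topic": "com.apple.mgmt.External.INITECH-1111", "expires": date(2025, 12, 20)},
}


def tenants_by_topic(tenants):
    """Group tenant names by the push topic (i.e. push certificate) they use."""
    groups = defaultdict(list)
    for name, rec in tenants.items():
        groups[rec["push_topic"]].append(name)
    return {topic: sorted(names) for topic, names in groups.items()}


def blast_radius(tenants, revoked_topic):
    """Tenants whose MDM stops working if the certificate behind revoked_topic is revoked."""
    return tenants_by_topic(tenants).get(revoked_topic, [])


def shared_certificates(tenants):
    """Push topics used by more than one tenant: risk is pooled, not segmented."""
    return {t: n for t, n in tenants_by_topic(tenants).items() if len(n) > 1}


def renewals_due(tenants, today, within_days=30):
    """Topics whose certificate expires within the window. Renewal must happen
    under the same Apple ID that issued it, or the tenant's devices re-enroll."""
    due = set()
    for rec in tenants.values():
        if (rec["expires"] - today).days <= within_days:
            due.add(rec["push_topic"])
    return sorted(due)


if __name__ == "__main__":
    for topic, names in shared_certificates(TENANTS).items():
        print(f"pooled risk: {topic} serves {names}")
    print("renewals due:", renewals_due(TENANTS, date.today()))
```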

