Thank you Brett. I submitted a ticket and have most of my devices back online. I am unable to get the locked out iPad back online as it needs to be unlocked to connect to wifi and receive the updated certificate. So I am restoring it and will put the MDM back on afterwards.
I’ve also decided to change the amount of days for the forced passcode change so that it doesn’t happen around the same time as the certificate renewal in the future, hopefully saving me from this perfect storm.
A quick explanation of what happened:
- All devices were set up around the same time, right after I created our Itarian account.
- The passcodes expired after a year as was the default
- A user enabled TouchID
- user changed their passcode
- user forgot their passcode (because they always used TouchID)
- device was restarted which requires entering the passcode before TouchID can be re-enabled.
- because APN certificate was expired we are unable to remotely wipe or reset passcode because we can’t unlock to connect to a wireless network.
Now I know better and will hopefully not make the same mistakes next year!