Notes from the field: Workspace ONE UEM, Apple Federation and the APNS account

Most companies I encounter don’t have a clear understanding of Apple accounts. An Apple account is personal and does not belong to the company, even if the company domain is being used for personal Apple accounts. How can you change this? The company domain does belong to the company, so you can claim it for federated authentication. See https://support.apple.com/guide/apple-business-manager/intro-to-federated-authentication-axmb19317543/web. Afterwards there will be a grace period of 30 days before a temporary Apple ID is assigned to the account; the logon then needs to be done and the account migrated to a unique e-mail address/Apple ID that is not from the company/business. It’s personal after all.

There are some scenarios that might slip through the fences, like the original APNS account which did not get logged on and now asks for the original recovery questions that no one knows. To resolve this little debacle, with let’s say a week left on an expiring APNS certificate when you need a new one ;-), we need a support case with Apple, a support case with Omnissa and clear enough instructions to fix it.

To summarize:

* The Apple account needs to be flipped to federated authentication, but this in turn will give you a new Apple ID which does not have the APNS certificate
* Apple will request a thumbprint to find and match the current one
* Omnissa can provide this with a DB dump from the SaaS end
* Apple will find a match and update it to the new federated account, and we can request a new one without re-enrolling all our devices

Hope it helps

