The following is a small excerpt from a KB published at https://kb.vmware.com/s/article/78976?lang=en_US&queryTerm=78976
Upgrade Workspace ONE UEM before March 29, 2021 to support Apple Push Notifications over HTTP/2 (78976)
In December 2015, Apple made available its Apple Push Notifications Service (APNs) API using HTTP/2 requests instead of the legacy binary protocol interface for APNs. Since that time, Workspace ONE has been working on migrating our APNs messaging integration responsible for all Apple MDM commands and app notifications to the new API. This has been a multi-year effort to ensure the success of our customers.
In the 2003 release, Workspace ONE UEM enabled the new HTTP/2 API for all MDM and app-related APNs messages by default for all upgraded environments. This means that all MDM and app commands for enrollment, profiles, apps, samples, push notifications, etc., will communicate using this new API.
Starting in April 2021, Apple will stop supporting the legacy APNs communication interface. Due to this, we encourage all Workspace ONE customers to upgrade their environments to an HTTP/2 supported version as soon as possible.
Review Apple's support article for more information: Updated APNs provider API deadline .
Per these changes, Apple has also announced HTTP/2 connections to the Apple Push Notification service must incorporate a new root certificate. This change goes into effect on March 29th, 2021. As such, Workspace ONE application Console and Device Services servers must include the new root certificate (AAACertificateServices 5/12/2020 ) in the Trust Store of each of your notification servers before March 29. An example script to accomplish this has been added to the "On-Premise" section of this article.
Review Apple’s support article for more information: Apple Push Notification service server certificate update
Note: For SaaS-hosted environments, this change will be handled by VMware internally, and no further action is required.
By upgrading to 2011 the certificate was already updated in our on-premise installation so no action was required. That was not clear from this documentation.