diff --git a/it-and-security/default.yml b/it-and-security/default.yml
index bf942122a4..f52cb1d202 100644
--- a/it-and-security/default.yml
+++ b/it-and-security/default.yml
@@ -88,6 +88,7 @@ queries:
 - path: ./lib/all/queries/collect-fleetd-information.yml
 - path: ./lib/all/queries/collect-operating-system-information.yml
 - path: ./lib/all/queries/collect-known-vulnerable-chrome-extensions.yml
+ - path: ./lib/macos/queries/detect-apns-certificate.yml
 controls:
 enable_disk_encryption: true
 macos_migration:
diff --git a/it-and-security/lib/macos/queries/detect-apns-certificate.yml b/it-and-security/lib/macos/queries/detect-apns-certificate.yml
new file mode 100644
index 0000000000..50ad55f909
--- /dev/null
+++ b/it-and-security/lib/macos/queries/detect-apns-certificate.yml
@@ -0,0 +1,9 @@
+- name: Detect APNs certificate by topic
+ automations_enabled: true
+ description: Detects macOS devices that are enrolled using an invalid APNs certificate.
+ discard_data: false
+ interval: 300
+ logging: snapshot
+ observer_can_run: true
+ platform: "darwin"
+ query: SELECT topic FROM mdm WHERE topic NOT LIKE 'com.apple.mgmt.External.8a3367bf-49d7-4dc3-ae41-c9de95f7b424';
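Review bot: The query on the last line of the new file returns a row for any host whose `mdm.topic` differs from the expected value, so if the `mdm` table also yields a row with an empty topic for hosts that are not MDM-enrolled at all, those hosts are flagged too and, with `automations_enabled: true`, each of them would fire the automation even though the description only claims to catch hosts enrolled under the wrong APNs certificate. Restrict the check to enrolled hosts and use an exact comparison, since `NOT LIKE` with no wildcard is only a case-insensitive `<>`: `query: SELECT topic FROM mdm WHERE enrolled = 'true' AND topic != 'com.apple.mgmt.External.8a3367bf-49d7-4dc3-ae41-c9de95f7b424';` — confirm the `enrolled` column name and its literal value against the mdm table schema before relying on it. The expected topic is a hard-coded identifier bound to one push certificate and nothing in the file says where it comes from; add a comment above the query such as `# Expected APNs push topic of this Fleet instance's MDM push certificate; update if that certificate is replaced.`. The description also overstates what the query can observe (it sees a topic mismatch, not certificate validity), so `description: Detects macOS devices whose MDM enrollment reports an APNs topic other than the expected one.` would be more accurate.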