Apple Push Notification system (APNs) is the MDM protocol created by Apple to manage its devices. It requires the MDM provider to have a valid APNs certificate configured, and it routes all commands through Apple's central cloud messaging servers. Initiating an APNs command leads to the following:
- When an iOS device is enrolled, an APNs token is generated that is tied to that specific device. This token is known to both AirWatch and the APNs servers.
- Once enrolled, a device always (connectivity permitting) maintains an active connection to Apple's APNs servers. The network specifics are given in the diagram below.
- When a command is initiated in AirWatch (such as a profile push or a device lock command), the following happens:
  - An entry is stored in the Device Command Queue in the AirWatch database. This entry contains a specific ID attached to the type of command initiated.
  - The AirWatch server (either Console or Device Services, depending on where the command was initiated) reaches out to the APNs servers with the APNs token tied to that specific device.
  - The APNs server validates the token and informs the device to connect to the MDM server to receive a command.
  - The device connects to the Device Services server. Upon establishing this connection, the device receives all pending commands from the Device Command Queue.
1. The System Administrator remotely performs MDM actions such as Lock Device, Clear Device Passcode, Device Wipe and Break MDM from the AirWatch Console.
1a. The notification is queued in the FastLaneAPNsOutBound queue, which is picked up by the AirWatch Messaging Service and sent to the APNs server.
1b. The command is queued in the AWEventLog queue and then picked up by the EntityChangeQueueMonitor Service. This service queues the command in the AirWatch Database server.
2. The device always has an active connection to APNs; all communication to APNs is inbound, and the device is constantly checking with APNs. The APNs servers let the device know when MDM has a command waiting for it.
3. Once the device receives the push notification, it checks in to the AirWatch Device Services server.
4. The Device Services server checks whether any command is queued for that particular device (based on DeviceID) in the AirWatch Database server.
5. The Device Services server pulls the command already queued for that device from the AirWatch Database server.
6. Final step: Device Services generates an XML payload and sends it to the device. The native MDM agent (the MDM profile installed on the device) performs the required action on the device.
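The flow in the bullet list above and in steps 1 to 6 can be modelled end to end in a few functions: a per-device command queue, the APNs wake-up that carries only a push token and PushMagic (never the command itself), and the check-in handler that answers a device report with the next queued command as plist XML. The following is an added illustration written for this page, not AirWatch's or Apple's code. The UDID, APNs token and PushMagic values are constructed placeholders, and the queue is an in-memory dict standing in for the AirWatch Database server; the plist key names (`UDID`, `Status`, `CommandUUID`, `Command`, `RequestType`, `mdm`) are those of Apple's MDM protocol.

```python
import plistlib
import uuid
from collections import defaultdict

# Constructed enrollment record: the UDID, APNs token and PushMagic are placeholders.
ENROLLED_DEVICES = {
    "00008030-CONSTRUCTED-UDID": {
        "apns_token": "0123abcd-constructed-apns-token",
        "push_magic": "CONSTRUCTED-PUSH-MAGIC",
    }
}

# Device Command Queue keyed by device ID (stands in for the AirWatch DB table of step 1b).
command_queue = defaultdict(list)


def queue_command(device_id, request_type, **params):
    """Steps 1 and 1b: record a command for one device and return its CommandUUID."""
    if device_id not in ENROLLED_DEVICES:
        raise KeyError(f"{device_id} is not enrolled")
    entry = {"CommandUUID": str(uuid.uuid4()),
             "Command": {"RequestType": request_type, **params}}
    command_queue[device_id].append(entry)
    return entry["CommandUUID"]


def build_apns_wakeup(device_id):
    """Step 1a: what the MDM server hands to APNs. The push carries only the
    device's PushMagic; the command content never travels through Apple."""
    dev = ENROLLED_DEVICES[device_id]
    return {"token": dev["apns_token"], "payload": {"mdm": dev["push_magic"]}}


def device_report(udid, status, command_uuid=None):
    """Constructed helper: the plist a device sends when it checks in (step 3)."""
    body = {"UDID": udid, "Status": status}
    if command_uuid:
        body["CommandUUID"] = command_uuid
    return plistlib.dumps(body)


def handle_checkin(report_bytes):
    """Steps 3 to 6: parse the device report and reply with the next queued
    command as plist XML, or an empty plist when nothing is pending.
    Returns None for a UDID that is not enrolled.

    Caveat for a real server: the UDID string is a lookup key, not proof of
    identity; the device must also be authenticated by its MDM identity
    certificate on the TLS connection before any command is handed out."""
    report = plistlib.loads(report_bytes)
    udid = report.get("UDID")
    if udid not in ENROLLED_DEVICES:
        return None
    pending = command_queue[udid]
    status = report.get("Status")
    if status in ("Acknowledged", "Error") and pending:
        # Drop the head of the queue only when the device confirms that exact command.
        if pending[0]["CommandUUID"] == report.get("CommandUUID"):
            pending.pop(0)
    # "Idle" or "NotNow": leave the queue untouched and (re)deliver the head.
    if not pending:
        return plistlib.dumps({})
    return plistlib.dumps(pending[0])


def parse_reply(xml_bytes):
    """Decode the server's plist XML reply back into a dict (for inspection)."""
    return plistlib.loads(xml_bytes)


def demo():
    """Run one full cycle: queue DeviceLock, push via APNs, check in, acknowledge."""
    udid = next(iter(ENROLLED_DEVICES))
    cid = queue_command(udid, "DeviceLock", Message="Locked by administrator")
    push = build_apns_wakeup(udid)
    first = parse_reply(handle_checkin(device_report(udid, "Idle")))
    after_ack = parse_reply(handle_checkin(device_report(udid, "Acknowledged", cid)))
    return push, first, after_ack


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Two properties worth noting for defenders: an "Idle" or "NotNow" report never consumes a queued command, so a lost reply is simply redelivered on the next check-in, and an unenrolled UDID gets no command at all rather than an empty queue of its own.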