Introduction to APNs
Apple Push Notification service (APNs) is the MDM protocol created by Apple to manage mobile devices. It requires that the MDM provider have a valid APNs certificate configured, and it routes all commands through Apple's central cloud messaging servers. Initiating an APNs command to devices proceeds as follows:
- When an iOS device is enrolled, an APNs token is generated that is tied to this specific device. This token is known to both AirWatch and the APNs servers.
- Once enrolled, a device will always (connectivity permitting) maintain an active connection to Apple's APNs servers. The network specifics are given in the diagram below.
- When a command is initiated in AirWatch (such as a profile push or a device lock command), AirWatch reaches out to the APNs servers with the specific device's token, indicating that a command is ready. This request can originate from either the AirWatch Console or the AirWatch Device Services server, depending on whether it came from a manual request or an automated action.
- The APNs server will validate the token and inform the device to connect to the MDM server to receive a command.
- The device will connect to the AirWatch Device Services server. Upon establishing this connection, the device will receive all pending commands from AirWatch.
If there is a network-based proxy server between AirWatch and the Internet connection to the Apple Push Notification service (APNs), a path must be opened through those network obstacles to the APNs servers, either by using a SOCKS proxy on the network proxy server or by placing a hardware load balancer in the DMZ.
APNs in the AirWatch Console
APNs certificates are uploaded in the AirWatch Console, which allows AirWatch to manage all iOS devices enrolled into Organization Groups that inherit these settings. APNs is configured under Settings -> Devices & Users -> Apple -> APNs For MDM. This page shows basic information about the certificate, including its validity dates and thumbprint. Of particular note is the topic of the certificate. It can be found at the end of the Issued to field and takes the form com.apple.mgmt.*, where * can be anything from a company name to a string of characters. When an APNs certificate is properly renewed each year, the topic of the renewed certificate is identical to that of the original. This ensures that devices enrolled under the previous certificate stay managed and continue to receive commands from AirWatch.
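The topic comparison above is the check worth automating before a renewed certificate is uploaded, since a certificate with a different topic silently orphans every enrolled device. The following is an added example, not AirWatch or Apple code: it extracts the com.apple.mgmt.* topic from an Issued to string, confirms a renewal candidate carries the same topic, and flags expiry. The subject layout of the sample strings (CN and UID components) and the dates are constructed assumptions for the example; the page only states that the topic sits at the end of the Issued to field.

```python
import re
from datetime import date
from typing import List, Optional, Tuple

# The topic has the form com.apple.mgmt.* (page). Stop at whitespace or a comma
# so a trailing subject component is not swallowed.
TOPIC_RE = re.compile(r"(com\.apple\.mgmt\.[A-Za-z0-9._-]+)")

# Constructed sample values (assumed subject layout, not real certificates).
CURRENT_ISSUED_TO = "CN=APSP:example-apsp-id, UID=com.apple.mgmt.External.EXAMPLE-TOPIC-0001"
CURRENT_NOT_AFTER = date(2024, 7, 15)
RENEWED_ISSUED_TO = "CN=APSP:example-apsp-id, UID=com.apple.mgmt.External.EXAMPLE-TOPIC-0001"
RENEWED_NOT_AFTER = date(2025, 7, 15)
# A freshly created (not renewed) push certificate: same form, different topic.
WRONG_ISSUED_TO = "CN=APSP:other-apsp-id, UID=com.apple.mgmt.External.EXAMPLE-TOPIC-0002"
TODAY = date(2024, 6, 1)  # fixed "today" so the example is deterministic


def extract_topic(issued_to: str) -> Optional[str]:
    """Return the com.apple.mgmt.* topic from an Issued to string, or None."""
    m = TOPIC_RE.search(issued_to)
    return m.group(1) if m else None


def days_remaining(not_after: date, today: date) -> int:
    """Days until the certificate's Not After date (negative once expired)."""
    return (not_after - today).days


def check_renewal(current_issued_to: str, current_not_after: date,
                  candidate_issued_to: str, candidate_not_after: date,
                  today: date) -> Tuple[bool, List[str]]:
    """Decide whether the candidate is a safe renewal of the current certificate.

    Returns (ok, reasons). ok is True only when the topic is unchanged and the
    candidate is unexpired and extends validity.
    """
    reasons: List[str] = []
    current_topic = extract_topic(current_issued_to)
    candidate_topic = extract_topic(candidate_issued_to)
    if current_topic is None or candidate_topic is None:
        reasons.append("topic missing from Issued to field")
    elif current_topic != candidate_topic:
        # This is the failure mode the page warns about: enrolled devices
        # would no longer receive commands from AirWatch.
        reasons.append(f"topic changed: {current_topic} -> {candidate_topic}")
    if candidate_not_after <= today:
        reasons.append("candidate certificate is already expired")
    if candidate_not_after <= current_not_after:
        reasons.append("candidate does not extend validity beyond the current certificate")
    return (not reasons, reasons)


if __name__ == "__main__":
    print("current topic:", extract_topic(CURRENT_ISSUED_TO))
    print("days until current expiry:", days_remaining(CURRENT_NOT_AFTER, TODAY))
    print("renewal ok:", check_renewal(CURRENT_ISSUED_TO, CURRENT_NOT_AFTER,
                                       RENEWED_ISSUED_TO, RENEWED_NOT_AFTER, TODAY))
    print("wrong cert:", check_renewal(CURRENT_ISSUED_TO, CURRENT_NOT_AFTER,
                                       WRONG_ISSUED_TO, RENEWED_NOT_AFTER, TODAY))
```

In practice the Issued to strings come from the console page described above (or from the certificate subject via your certificate tooling); the check is deliberately a pure string and date comparison so it can run in a pre-upload approval step without network access.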
Network requirements for APNs
APNs traffic has the following requirements in order to function properly. Devices must be able to reach the appropriate APNs servers on outbound TCP port 5223. AirWatch servers use outbound TCP ports 2195 and 2196 to communicate with the APNs servers.
| TCP Port | Server Address | Description |
|---|---|---|
| 5223 | #-courier.push.apple.com (where # can be any number) | Used by devices to communicate with the APNs servers. It is the centralized communication channel for all push notifications to iOS devices. |
| 2195 | gateway.push.apple.com | Used to send notifications to APNs |
| 2196 | feedback.push.apple.com | Used by the APNs feedback service |
Note: TCP port 443 is used as a fallback on Wi-Fi when devices are unable to reach APNs on TCP port 5223.
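A practitioner troubleshooting "commands never arrive" usually wants to verify the table above from both sides: can a device-side network reach a courier host on 5223 (or only on the 443 fallback), and can the AirWatch servers reach 2195 and 2196. The following added example (not AirWatch or Apple code) plans those probes from the table, runs them with a pluggable TCP probe, and reduces the results to a status. The courier numbers probed and the probe timeout are assumptions; the page does not say which numbered courier hosts a given device uses.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Endpoints and ports from the network requirements table.
DEVICE_PORT = 5223
DEVICE_FALLBACK_PORT = 443          # Wi-Fi fallback when 5223 is blocked
SERVER_PORTS = {2195: "gateway.push.apple.com", 2196: "feedback.push.apple.com"}
# Assumption: which courier numbers to sample. The real hostnames are
# #-courier.push.apple.com for any number #.
COURIER_SAMPLE = [f"{n}-courier.push.apple.com" for n in (1, 2, 3)]

Check = Tuple[str, int, str]          # (host, port, purpose)
Probe = Callable[[str, int, float], bool]


def plan_checks(role: str) -> List[Check]:
    """Build the list of TCP probes for a 'device' network or an AirWatch 'server'."""
    if role == "device":
        plan = [(h, DEVICE_PORT, "APNs device channel") for h in COURIER_SAMPLE]
        plan += [(h, DEVICE_FALLBACK_PORT, "Wi-Fi fallback") for h in COURIER_SAMPLE]
        return plan
    if role == "server":
        return [(host, port, f"AirWatch to APNs ({port})") for port, host in SERVER_PORTS.items()]
    raise ValueError(f"unknown role {role!r}")


def tcp_probe(host: str, port: int, timeout: float) -> bool:
    """Real probe: attempt a TCP connect and report success without sending data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(plan: List[Check], probe: Probe = tcp_probe,
               timeout: float = 5.0) -> Dict[Tuple[str, int], bool]:
    """Run every probe in the plan; the probe is injectable so results can be simulated."""
    return {(host, port): probe(host, port, timeout) for host, port, _purpose in plan}


def connectivity_status(role: str, results: Dict[Tuple[str, int], bool]) -> str:
    """Reduce probe results to 'ok', 'fallback-only' (devices) or 'blocked'."""
    if role == "device":
        primary = any(results.get((h, DEVICE_PORT), False) for h in COURIER_SAMPLE)
        fallback = any(results.get((h, DEVICE_FALLBACK_PORT), False) for h in COURIER_SAMPLE)
        if primary:
            return "ok"
        return "fallback-only" if fallback else "blocked"
    if role == "server":
        # Both the gateway (2195) and feedback (2196) endpoints are required.
        required = [(host, port) for port, host in SERVER_PORTS.items()]
        return "ok" if all(results.get(hp, False) for hp in required) else "blocked"
    raise ValueError(f"unknown role {role!r}")


if __name__ == "__main__":
    # Live run against the real endpoints from wherever this is executed.
    for role in ("device", "server"):
        res = run_checks(plan_checks(role))
        for (host, port), reachable in res.items():
            print(f"{role:7s} {host}:{port} {'reachable' if reachable else 'BLOCKED'}")
        print(f"{role} status: {connectivity_status(role, res)}")
```

Run the device checks from the client network segment (Wi-Fi or the VPN egress devices actually use) and the server checks from the Console and Device Services hosts, since a proxy or firewall rule typically differs between the two paths. A "fallback-only" result means devices will still work over Wi-Fi via 443 but will lose push on cellular, which is a common explanation for commands that arrive only while on the office network.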