Intro to APNs in macOS Server
Apple devices learn of updates through the Apple Push Notification service (APNs). When you set up Profile Manager and use APNs, the service maintains a connection with each device.
To make a secure connection between macOS Server and the clients, you need a transport encryption certificate installed on the server and ready for use. Apple provides a transport encryption certificate when you provide an Apple ID and password in the push notification settings window.
For your Apple devices to work with APNs, you must allow network traffic from the devices to the Apple network (17.0.0.0/8). Apple devices must be able to connect to specific ports on specific hosts; if direct access isn’t possible, a network proxy can be used to reach the Apple network:
TCP port 443 is used during device activation, and afterward as a fallback if devices can’t reach APNs on port 5223.
TCP port 5223 is used to communicate with APNs.
TCP port 443 or 2197 is used to send notifications to APNs.
You may also need to configure your web proxy or firewall ports to allow all network traffic from Apple devices to the Apple network. In iOS 13.4, iPadOS 13.4, macOS 10.15.4, and tvOS 13.4 or later, APNs can use a web proxy when it’s specified in a PAC file.
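An added example of the PAC approach described above (this is not Apple's own code): a PAC file that routes connections bound for the Apple network (17.0.0.0/8) through a web proxy and lets all other traffic go direct. The proxy address proxy.example.com:8080 is an assumed placeholder for your own proxy.

```javascript
// Added example (not from Apple's documentation): a PAC file that sends
// connections bound for Apple's 17.0.0.0/8 network through a corporate
// web proxy and lets everything else go direct. proxy.example.com:8080
// is an assumed placeholder for your own proxy.

// isInNet and dnsResolve are built-ins that a PAC-capable client provides.
// These minimal stand-ins exist only so the file can be exercised outside
// a PAC engine; they are skipped when the real built-ins are present.
if (typeof isInNet === "undefined") {
  var dnsResolve = function (host) {
    // Only dotted-quad literals can be "resolved" offline; anything else is unknown.
    return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : null;
  };
  var isInNet = function (ip, pattern, mask) {
    var toInt = function (s) {
      return s.split(".").reduce(function (acc, o) { return acc * 256 + Number(o); }, 0) >>> 0;
    };
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(pattern) & toInt(mask)) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  var addr = dnsResolve(host);
  // A host that does not resolve cannot be classified, so it falls through to
  // DIRECT. The PAC only steers traffic; the firewall must still permit
  // TCP 443, 5223 and 2197 to 17.0.0.0/8 (directly or via the proxy).
  if (addr && isInNet(addr, "17.0.0.0", "255.0.0.0")) {
    return "PROXY proxy.example.com:8080";
  }
  return "DIRECT";
}
```

Only devices running the OS versions listed above honour a PAC-specified proxy for APNs; older devices still need a direct path to the Apple network on the ports listed.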
For information about other apps and services that support push notification, see Ports used by Profile Manager in macOS Server.