Configure devices to work with APNs
Mobile device management (MDM) solutions use the Apple Push Notification service (APNs) to maintain persistent communication with Apple devices across both public and private networks. Using APNs, Apple devices learn about updates, MDM policies, and incoming messages. MDM solutions require multiple certificates, including an APNs certificate to talk to devices, an SSL certificate to communicate securely, and a certificate to sign configuration profiles.
For your Apple devices to work with APNs, allow network traffic from the devices to the Apple network (17.0.0.0/8) directly or by using a network proxy. Apple devices must be able to connect to specific ports on specific hosts:
TCP port 443 during device activation, and afterward for fallback if devices can’t reach APNs on port 5223
TCP port 5223 to communicate with APNs
TCP port 443 or 2197 to send notifications from MDM to APNs
You may also need to configure your web proxy or firewall ports to allow all network traffic from Apple devices to the Apple network. For devices with iOS 13.4, iPadOS 13.4, macOS 10.15.4, tvOS 13.4, or later, APNs can use a web proxy when it’s specified in a proxy auto-config (PAC) file.
Note: Apple Vision Pro can receive push notifications only when the device is being worn and unlocked.
Multiple layers of security are applied to APNs at the endpoints and the servers. Attempts to inspect the traffic or reroute it result in the client, APNs, and the push provider servers marking the network conversation as compromised and invalid. No confidential or proprietary information is transmitted through APNs.
Tip: When you create APNs certificates for use with MDM, note the Managed Apple Account (recommended) or Apple Account you use—you’ll need it when it’s time to renew the certificates, which you must do annually. Also, be prepared to update all certificates used by your MDM solution well before they expire. For more information, see the Apple Push Certificates Portal.
Security improvements for setting up push notifications for MDM customers
MDM developers can currently use the Apple Push Notification service (APNs) to create a streamlined push-certificate-creation process for their customers. This involves creating and signing a Certificate Signing Request (CSR) for each customer. Then, each customer can use the provided CSR to obtain a certificate from the Apple Push Certificates portal.
Later this year, the Apple Push Certificates portal will require CSRs to be signed with the SHA2 algorithm for better security. Certificates won’t be issued for CSRs signed with SHA1. For more information on best practices, see Setting Up Push Notifications on the Apple developer website.