Plan your network infrastructure
Wi-Fi coverage and capacity
Many school Wi-Fi networks were originally deployed to provide coverage in specific classrooms, but not to support every student using their devices simultaneously throughout the school. In any deployment, assume that every student and teacher could be using their Apple device before, during, and after class—so you want to plan your infrastructure to accommodate that usage. You should build Wi-Fi networks that provide coverage in all physical spaces and that accommodate the density of devices used in those spaces.
Good Wi-Fi design begins with assessing how the network is used. Talking to teachers, administrators, and technology staff is the first step in determining user needs. An RF site survey is an important part of this process. It is recommended practice to design the network with the actual client device that will be deployed in mind. The site survey should also be validated after the final deployment to ensure adequate coverage, capacity, and bandwidth have been achieved.
The goal of designing a network based on coverage is to make sure a Wi-Fi signal reaches all areas that need it, including common spaces, the gym, and cafeterias. With full Wi-Fi coverage, collaboration is constant and the walls of the classroom are expanded.
While Wi-Fi coverage is important, it’s critical for a network to support a sufficient density of devices. Make sure you have plenty of access points (APs) to support the number of simultaneous users in your environment. A design model based on capacity may include one access point for each classroom. The power output of each access point can be reduced to prevent the Wi-Fi signal of one access point from crossing into multiple classrooms.
Adequate internet bandwidth is absolutely necessary to support access to education content and classroom workflows. Consider deploying a carefully planned and monitored test group of devices first, which can provide essential data for full deployment requirements.
Consult your internet service provider for more information about bandwidth requirements for your organization.
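The coverage-versus-capacity distinction above can be turned into a simple planning check. The following is an added example, not part of Apple's guide: it takes the coverage-driven AP count for each space (the number an RF site survey says is needed just to reach every corner) and the number of devices expected to be active there at once, sizes each space by whichever of the two demands more APs, and estimates the internet bandwidth the whole site needs. The per-AP client target, per-device bandwidth and concurrency factor are assumptions you should replace with figures from your own pilot group; the spaces listed are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Space:
    name: str
    devices: int            # devices expected to be active at the same time in this space
    aps_for_coverage: int   # APs needed purely for signal coverage (from the RF site survey)


def aps_for_space(space: Space, clients_per_ap: int) -> int:
    """Capacity-driven AP count for one space, never below the coverage-driven count."""
    capacity_aps = math.ceil(space.devices / clients_per_ap)
    return max(capacity_aps, space.aps_for_coverage)


def plan(spaces: List[Space],
         clients_per_ap: int = 30,      # assumption: clients one AP serves well
         mbps_per_device: float = 2.0,  # assumption: per-device throughput during class
         concurrency: float = 0.6       # assumption: share of devices busy at the peak
         ) -> Dict[str, object]:
    """Return per-space AP counts, the site total, and an internet bandwidth estimate."""
    per_space = {s.name: aps_for_space(s, clients_per_ap) for s in spaces}
    total_devices = sum(s.devices for s in spaces)
    return {
        "aps": per_space,
        "total_aps": sum(per_space.values()),
        # Capacity the ISP link must carry at the busiest moment, in Mbps.
        "wan_mbps": total_devices * concurrency * mbps_per_device,
    }


# Constructed sample: one classroom, plus the common spaces the guide calls out.
SAMPLE_SPACES = [
    Space("classroom-101", devices=30, aps_for_coverage=1),   # one AP per classroom model
    Space("gym", devices=200, aps_for_coverage=2),            # large, open, dense at assemblies
    Space("cafeteria", devices=150, aps_for_coverage=2),
    Space("library", devices=40, aps_for_coverage=1),
]


def sample_plan() -> Dict[str, object]:
    return plan(SAMPLE_SPACES)


if __name__ == "__main__":
    result = sample_plan()
    for name, count in result["aps"].items():
        print(f"{name:14s} {count:3d} AP(s)")
    print(f"total APs: {result['total_aps']}, internet link: {result['wan_mbps']:.0f} Mbps")
```

The gym and cafeteria are the cases the planner exists for: coverage alone would call for two APs each, but the number of simultaneous devices pushes the count well above that, which is exactly the shortfall the guide describes in networks built only for classroom coverage. After deployment, compare the assumed parameters with what the pilot devices actually consume and re-run the plan.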
For more information, see Configuring networks for iPad deployments in the Deployment Reference for iPhone and iPad.
Certificates and 802.1X
Your organization may use digital certificates to secure its network and communications. With support for 802.1X, ensure the RADIUS server is configured to allow at least one authentication protocol supported by the Apple devices in use on the network.
For more information on 802.1X, see Connecting iPad devices to 802.1X networks in the Deployment Reference for iPhone and iPad or Connecting Mac computers to 802.1X networks in the Deployment Reference for Mac.
Network naming should also be considered when configuring your network. Depending on your organization, you might want to create multiple service set identifiers (SSIDs) for different purposes, like a network for contract workers or a guest network. Because SSIDs add management traffic to the network, be careful not to create more than you need, so there’s enough airtime available for data. Three or fewer SSIDs is a recommended target.
How Apple devices work with Apple Push Notification service (APNs)
Apple devices learn of updates, MDM policies, and incoming messages through Apple Push Notification service (APNs). For your Apple devices to work with APNs, you must allow network traffic from the devices to the Apple network (18.104.22.168/8). Apple devices must be able to connect to specific ports on specific hosts:
TCP port 443 is used during device activation, and afterwards for fallback if devices can’t reach APNs on port 5223.
TCP port 5223 to communicate with APNs.
TCP port 443 or 2197 to send notifications to APNs.
You may also need to configure your web proxy or firewall ports to allow all network traffic from Apple devices to the Apple network. In iOS 13.4, iPadOS 13.4, macOS 10.15.4, and tvOS 13.4 or later, APNs can use a web proxy when it is specified in a PAC file.
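Before rolling out, it is worth checking a proposed firewall policy against the APNs ports listed above rather than discovering a blocked port from devices that stop receiving MDM commands. The following added example (not code from Apple's guide) parses a small, constructed first-match rule list and reports which required flows are not allowed to every address in the destination range. The rule syntax, the `Rule` class and the helper names are assumptions for this example; the `203.0.113.0/24` range is a documentation placeholder standing in for the Apple network range given in the guide, so substitute the real range when you run this against your own policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flows Apple devices need, as listed in the guide above: primary APNs port plus
# the port used for activation and as a fallback.
REQUIRED_CLIENT_PORTS: Dict[int, str] = {
    5223: "devices to APNs",
    443: "device activation and APNs fallback",
}
# Flows a push provider (for example your MDM server) needs to reach APNs.
REQUIRED_PROVIDER_PORTS: Dict[int, str] = {
    443: "provider to APNs",
    2197: "provider to APNs",
}


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]       # None means any port


def parse_rules(text: str) -> List[Rule]:
    """Parse constructed rule lines: '<allow|deny> <proto> <cidr> [<port>|any]'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto = parts[0].lower(), parts[1].lower()
        net = ipaddress.ip_network(parts[2], strict=False)
        port = None if len(parts) < 4 or parts[3] == "any" else int(parts[3])
        rules.append(Rule(action, proto, net, port))
    return rules


def first_match(rules: List[Rule], dst_ip: ipaddress.IPv4Address, port: int) -> Optional[Rule]:
    """First-match semantics for a TCP flow to dst_ip:port; None if no rule matches."""
    for r in rules:
        if r.proto not in ("tcp", "any"):
            continue
        if dst_ip in r.dst_net and (r.dst_port is None or r.dst_port == port):
            return r
    return None


def missing_apns_flows(rules: List[Rule], apple_net: str,
                       required: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (port, purpose) pairs that are not allowed to the whole of apple_net."""
    net = ipaddress.ip_network(apple_net, strict=False)
    # Probe the first, middle and last address so a rule that only covers part of the
    # range (a narrower prefix, or an earlier deny for a sub-range) is caught.
    probes = [net[0], net[net.num_addresses // 2], net[-1]]
    missing = []
    for port, purpose in required.items():
        for ip in probes:
            r = first_match(rules, ip, port)
            if r is None or r.action != "allow":
                missing.append((port, purpose))
                break
    return missing


# Constructed sample policy; 203.0.113.0/24 is a placeholder for the Apple network range.
SAMPLE_POLICY = """
allow tcp 203.0.113.0/24 443
allow tcp 203.0.113.0/25 5223    # too narrow: only covers half the range
deny  any 0.0.0.0/0 any          # default deny
"""
PLACEHOLDER_APPLE_NET = "203.0.113.0/24"


def check_sample() -> Dict[str, List[Tuple[int, str]]]:
    rules = parse_rules(SAMPLE_POLICY)
    return {
        "clients": missing_apns_flows(rules, PLACEHOLDER_APPLE_NET, REQUIRED_CLIENT_PORTS),
        "providers": missing_apns_flows(rules, PLACEHOLDER_APPLE_NET, REQUIRED_PROVIDER_PORTS),
    }


if __name__ == "__main__":
    for who, gaps in check_sample().items():
        status = "ok" if not gaps else ", ".join(f"port {p} ({why})" for p, why in gaps)
        print(f"{who}: {status}")
```

In the sample, the client check flags port 5223 because the allow rule covers only a /25 of the destination range, and the provider check flags 2197 because no rule permits it at all; both are the kind of gap that lets devices activate (port 443 works) yet never receive a push afterwards. A web proxy or PAC-file route is a separate path that this check does not model; if APNs traffic is meant to go through a proxy, the proxy's own policy needs the same review.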
Multiple layers of security are applied to APNs at the endpoints and the servers. Attempts to inspect the traffic or reroute it result in the client, APNs, and the push provider servers marking the network conversation as compromised and invalid. No confidential or proprietary information is transmitted through APNs.
Important: When you create APNs certificates, note the Managed Apple ID you use, because you’ll need it when it’s time to renew the certificates, which you must do annually. Contact your certificate authority (CA) for information about renewing your certificates. Also, be prepared to update all certificates used by your MDM solution well before they expire. For more information, see the Apple Push Certificates Portal.
For more information, see the Apple Support articles Unable to use Apple Push Notification service (APNs) and Use Apple products on enterprise networks.