How Apple devices work with APNs
Many Apple devices learn of updates, MDM policies and incoming messages via Apple Push Notification service (APNs). For your Apple devices to work with APNs, you must allow network traffic from the devices to Apple’s network (17.0.0.0/8) on port 5223, with a fallback option of port 443. You may also need to configure your web proxy or firewall ports to allow all network traffic from Apple devices to Apple’s network.
No confidential or proprietary information is transmitted via APNs. The traffic is a secured, binary protocol specific to APNs, and it can’t go through a proxy. Attempts to inspect the traffic or reroute it result in the client, APNs and the push provider servers marking the network conversation as compromised and invalid. Multiple layers of security are applied to APNs at the endpoints and the servers.
In iOS 13.4, iPadOS 13.4, macOS 10.15.4, and tvOS 13.4, APNs can use a web proxy when it is specified in a PAC file.
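To check an egress policy against the requirement above (Apple's network on TCP 5223, with 443 as the fallback), the following added example, which is not Apple's code, evaluates a first-match rule list and reports each port as `allow`, `deny` or `partial`. The rule format `action proto dest_cidr ports`, the sample rule sets and the implicit default deny are assumptions made for illustration, and Apple's network is taken to be 17.0.0.0/8.

```python
import ipaddress

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")  # Apple's network (assumed value)
APNS_PORTS = (5223, 443)                        # primary port, then fallback

def parse_rule(line):
    """Parse 'action proto dest_cidr ports' (hypothetical format)."""
    action, proto, dest, ports = line.split()
    if ports == "any":
        lo, hi = 0, 65535
    else:
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
    return action, proto, ipaddress.ip_network(dest), (lo, hi)

def decide(rules, dest_net, port):
    """First-match evaluation over every address in dest_net for one TCP port."""
    pending, actions = [dest_net], set()
    for action, proto, net, (lo, hi) in rules:
        if proto not in ("tcp", "any") or not lo <= port <= hi:
            continue
        if net.version != dest_net.version:
            continue
        still = []
        for piece in pending:
            if piece.subnet_of(net):        # rule decides this whole piece
                actions.add(action)
            elif net.subnet_of(piece):      # rule decides a slice of the piece
                actions.add(action)
                still.extend(piece.address_exclude(net))
            else:                           # CIDR blocks nest or are disjoint
                still.append(piece)
        pending = still
    if pending:
        actions.add("deny")                 # assumed implicit default deny
    return actions.pop() if len(actions) == 1 else "partial"

def apns_report(rule_lines):
    rules = [parse_rule(l) for l in rule_lines if l.strip() and not l.startswith("#")]
    return {port: decide(rules, APPLE_NET, port) for port in APNS_PORTS}

# Constructed sample policies, not taken from any real device.
GOOD = ["allow tcp 17.0.0.0/8 5223", "allow tcp 17.0.0.0/8 443", "deny any 0.0.0.0/0 any"]
WEB_ONLY = ["allow tcp 0.0.0.0/0 80", "allow tcp 0.0.0.0/0 443", "deny any 0.0.0.0/0 any"]
CARVED = ["deny tcp 17.128.0.0/9 5223", "allow tcp 17.0.0.0/8 5223-5223"]

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("WEB_ONLY", WEB_ONLY), ("CARVED", CARVED)):
        print(name, apns_report(policy))
```

A `deny` on 5223 with `allow` on 443 means devices reach APNs only through the fallback port, and `partial` means an earlier, narrower rule decides part of Apple's range differently from the rest.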