Allowing Apple devices to work with APNs
Apple devices learn of updates, MDM policies, and incoming messages through Apple Push Notification service (APNs). For your Apple devices to work with APNs, or allow network traffic from the devices to the Apple network (18.104.22.168/8) using a network proxy. Apple devices must be able to connect to specific ports on specific hosts:
TCP port 443 is used during device activation, and afterward for fallback if devices can’t reach APNs on port 5223.
TCP port 5223 to communicate with APNs.
TCP port 443 or 2197 to send notifications to APNs.
You may also need to configure your web proxy or firewall ports to allow all network traffic from Apple devices to the Apple network. In iOS 13.4, iPadOS 13.4, macOS 10.15.4, and tvOS 13.4 or later, APNs can use a web proxy when it’s specified in a PAC file.
Multiple layers of security are applied to APNs at the endpoints and the servers. Attempts to inspect the traffic or reroute it result in the client, APNs, and the push provider servers marking the network conversation as compromised and invalid. No confidential or proprietary information is transmitted through APNs.
Important: When you create APNs certificates, use and note the Apple ID or Managed Apple ID you use—you’ll need it when it’s time to renew the certificates, which you must do annually. Contact your certificate authority (CA) for information about renewing your certificates. Also, be prepared to update all certificates used by your MDM solution well before they expire. For more information, see the Apple Push Certificates Portal.