top of page
Writer's pictureAnand P

Use of APNs Certificate in MDM (Intune)

Updated: Oct 15

Hello, everyone, in this blog I will be explaining why we need APNs Certificate for MDM solutions (I am using Intune as my MDM tool) and how it communicates when a device enrolled to Intune

First, APNs are not limited to MDM solutions, mobile applications also use APNS to send notifications to iOS devices, but here I will be explaining the APNs certificate use case with MDM (Intune) solution. To use Apple Push Notification Service (APNs), your macOS and iOS devices need a persistent connection to Apple's servers over Ethernet, cellular data (if capable), or Wi-Fi.


Mobile device management (MDM) solutions utilize the Apple Push Notification service (APNs) to establish continuous communication with Apple devices over public and private networks. Through APNs, Apple devices receive notifications about updates, MDM policies, and incoming messages. MDM solutions necessitate various certificates, such as an APNs certificate for device communication, an SSL certificate for secure communication, and a certificate for signing configuration profiles.


The below diagram illustrates how Intune uses APNs for device enrollment.

For Apple devices to work with APNs, some of the network traffic from the devices to the Apple network (17.0.0.0/8) should be allowed directly or by using a network proxy. Apple devices must be able to connect to specific ports on specific hosts

  1. TCP port 443 during device activation, and afterward for fallback if devices can’t reach APNs on port 5223

  2. TCP port 5223 to communicate with APNs

  3. TCP port 443 or 2197 to send notifications from MDM to APNs

How Apple devices enrolled to Intune using APNs


Why do we use the MDM solution to manage devices? (For example, Intune)


Mobile device management solution helps an organization to configure devices securely and wirelessly by sending profiles and commands to the device whether it is a user device (BYOD), or an Organization owned device (company-owned device), some of the MDM capabilities include

  1. Manage Software update

  2. Manage Device Settings

  3. Managing and monitoring compliance policies

  4. Remote Management ex: Remote wipe, Remote lock

Users can enroll their device in MDM and organization-owned devices can be automatically enrolled in MDM using Apple School Manager or Apple Business Manager. iOS, iPad, macOS, and tvOS have built-in frameworks that work with MDM, and MDM solutions require multiple certificates to talk to devices APNs – to talk to devices, SSL Certificate – to communicate securely, and a Certificate to sign the configuration profiles


Let's see how an iOS device gets enrolled in Intune and APNs services are used


1. Enrolling the Device


Every Device needs an enrollment profile that links the device with an MDM (Intune), this involves installing an enrollment profile that links the device with an MDM, personal devices or BYOD devices can be enrolled with user enrollment or device enrollment and Organization devices can be enrolled using Apple Business Manager which will use Automatic Device Enrollment or ADE which will enroll the device automatically to Intune, other devices must be enrolled manually.

2. Installing an Enrollment Profile


During the enrollment process, the device downloads the enrollment profile automatically, alternatively, the user downloads the profile during over-the-air distribution.

3. Notifying the Device


Now the server queues up a command for the device and sends a notification to the device through Apple Push Notification Service (APNs). This is why we need to add an APNs certificate to Intune, with the help of APNs Intune maintains persistent communication with devices across both public and private networks. I have written a blog on how to install APNs or Apple MDM push Certificate in Intune Please refer to the Link

4. Contacting the Server


The device receives the notification using APNs Service and contacts Intune

5. Delivering Content


Once the device is connected to Intune, the device will download and act on the queued command, this can be deploying the device restriction, iOS updates, or compliance policy, and when Intune wants to install an app it sends a push notification to the device, the device checks in and process an Install Application command and then fetches the actual app file from the App Store or a local network caching server.

Below are some of the Host, Ports, and protocols used while a device is setting setup for iOS

Host

Ports

Protocol

OS

Description

Supports Proxies

albert.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

​Device Activation

Yes

captive.apple.com

443,80

TCP

iOS, iPadOS, tvOS, and macOS

Internet connectivity validation for networks that use captive portals

Yes

gs.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

Yes

humb.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

Yes

static.ips.apple.com

443,80

TCP

iOS, iPadOS, tvOS, and macOS

Yes

sq-device.apple.com

443

TCP

iOS and iPadOS

eSIM activation

-

tbsc.apple.com

443

TCP

iOS, iPadOS, tvOS and macOS

Yes

time-ios.apple.com

123

UDP

iOS, iPadOS and tvOS

Used by the device to set their date and time

-

time.apple.com

123

UDP

iOS, iPadOS, tvOS and macOS

Used by the device to set their date and time

-

time-macos.apple.com

123

UDP

macOS only

Used by the device to set their date and time

-

Network access to the following hosts might be required for devices enrolled in Mobile Device Management (Intune)

Host

Ports

Protocol

OS

Description

Supports Proxies

*.push.apple.com

443,80,5223,2197

TCP

iOS, iPadOS,tvOS, and macOS

Push notifications

-

deviceenrollment.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

DEP provisional enrollment

-

deviceservices-external.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

-

gdmf.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

Used by an MDM server to identify which software updates are available to devices that use managed software updates

Yes

identity.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

APNs certificate request portal

Yes

iprofiles.apple.com

443

TCP

​iOS, iPadOS, tvOS, and macOS

Hosts enrollment profiles are used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment

Yes

mdmenrollment.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

MDM servers to upload enrollment profiles are used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts

Yes

setup.icloud.com

443

TCP

iOS and iPadOS

Required to log in with a Managed Apple ID on Shared iPad

-

vpp.itunes.apple.com

443

TCP

iOS, iPadOS, tvOS, and macOS

MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device

Yes

Network access to the following hosts as well as the hosts in the App Store section is required for full functionality of Apple School Manager and Apple Business Manager.

Host

Ports

Protocol

OS

Description

Support Proxies

*.business.apple.com

443,80

TCP

-

Apple Business manager

-

*.school.apple.com

443,80

TCP

-

Schoolwork Roster service

-

upload.appleschoolcontent.com

22

SSH

-

SFTP uploads

Yes

ws-ee-maidsvc.icloud.com

443,80

TCP

-

Schoolwork Roster service

-

Conclusion


This blog provides a concise explanation of the utilization of APNs services when enrolling an Apple device in an MDM tool.


791 views0 comments

Recent Posts

See All

Comments


bottom of page