Hello, everyone, in this blog I will be explaining why we need APNs Certificate for MDM solutions (I am using Intune as my MDM tool) and how it communicates when a device enrolled to Intune
First, APNs are not limited to MDM solutions, mobile applications also use APNS to send notifications to iOS devices, but here I will be explaining the APNs certificate use case with MDM (Intune) solution. To use Apple Push Notification Service (APNs), your macOS and iOS devices need a persistent connection to Apple's servers over Ethernet, cellular data (if capable), or Wi-Fi.
Mobile device management (MDM) solutions utilize the Apple Push Notification service (APNs) to establish continuous communication with Apple devices over public and private networks. Through APNs, Apple devices receive notifications about updates, MDM policies, and incoming messages. MDM solutions necessitate various certificates, such as an APNs certificate for device communication, an SSL certificate for secure communication, and a certificate for signing configuration profiles.
The below diagram illustrates how Intune uses APNs for device enrollment.
For Apple devices to work with APNs, some of the network traffic from the devices to the Apple network (17.0.0.0/8) should be allowed directly or by using a network proxy. Apple devices must be able to connect to specific ports on specific hosts
TCP port 443 during device activation, and afterward for fallback if devices can’t reach APNs on port 5223
TCP port 5223 to communicate with APNs
TCP port 443 or 2197 to send notifications from MDM to APNs
How Apple devices enrolled to Intune using APNs
Why do we use the MDM solution to manage devices? (For example, Intune)
Mobile device management solution helps an organization to configure devices securely and wirelessly by sending profiles and commands to the device whether it is a user device (BYOD), or an Organization owned device (company-owned device), some of the MDM capabilities include
Manage Software update
Manage Device Settings
Managing and monitoring compliance policies
Remote Management ex: Remote wipe, Remote lock
Users can enroll their device in MDM and organization-owned devices can be automatically enrolled in MDM using Apple School Manager or Apple Business Manager. iOS, iPad, macOS, and tvOS have built-in frameworks that work with MDM, and MDM solutions require multiple certificates to talk to devices APNs – to talk to devices, SSL Certificate – to communicate securely, and a Certificate to sign the configuration profiles
Let's see how an iOS device gets enrolled in Intune and APNs services are used
1. Enrolling the Device
Every Device needs an enrollment profile that links the device with an MDM (Intune), this involves installing an enrollment profile that links the device with an MDM, personal devices or BYOD devices can be enrolled with user enrollment or device enrollment and Organization devices can be enrolled using Apple Business Manager which will use Automatic Device Enrollment or ADE which will enroll the device automatically to Intune, other devices must be enrolled manually.
2. Installing an Enrollment Profile
During the enrollment process, the device downloads the enrollment profile automatically, alternatively, the user downloads the profile during over-the-air distribution.
3. Notifying the Device
Now the server queues up a command for the device and sends a notification to the device through Apple Push Notification Service (APNs). This is why we need to add an APNs certificate to Intune, with the help of APNs Intune maintains persistent communication with devices across both public and private networks. I have written a blog on how to install APNs or Apple MDM push Certificate in Intune Please refer to the Link
4. Contacting the Server
The device receives the notification using APNs Service and contacts Intune
5. Delivering Content
Once the device is connected to Intune, the device will download and act on the queued command, this can be deploying the device restriction, iOS updates, or compliance policy, and when Intune wants to install an app it sends a push notification to the device, the device checks in and process an Install Application command and then fetches the actual app file from the App Store or a local network caching server.
Below are some of the Host, Ports, and protocols used while a device is setting setup for iOS
Host | Ports | Protocol | OS | Description | Supports Proxies |
|---|---|---|---|---|---|
albert.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Device Activation | Yes |
captive.apple.com | 443,80 | TCP | iOS, iPadOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals | Yes |
gs.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
humb.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
static.ips.apple.com | 443,80 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
sq-device.apple.com | 443 | TCP | iOS and iPadOS | eSIM activation | - |
tbsc.apple.com | 443 | TCP | iOS, iPadOS, tvOS and macOS | | Yes |
time-ios.apple.com | 123 | UDP | iOS, iPadOS and tvOS | Used by the device to set their date and time | - |
time.apple.com | 123 | UDP | iOS, iPadOS, tvOS and macOS | Used by the device to set their date and time | - |
time-macos.apple.com | 123 | UDP | macOS only | Used by the device to set their date and time | - |
Network access to the following hosts might be required for devices enrolled in Mobile Device Management (Intune)
Host | Ports | Protocol | OS | Description | Supports Proxies |
|---|---|---|---|---|---|
*.push.apple.com | 443,80,5223,2197 | TCP | iOS, iPadOS,tvOS, and macOS | Push notifications | - |
deviceenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP provisional enrollment | - |
deviceservices-external.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | - |
gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by an MDM server to identify which software updates are available to devices that use managed software updates | Yes |
identity.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | APNs certificate request portal | Yes |
iprofiles.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Hosts enrollment profiles are used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
mdmenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM servers to upload enrollment profiles are used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts | Yes |
setup.icloud.com | 443 | TCP | iOS and iPadOS | Required to log in with a Managed Apple ID on Shared iPad | - |
vpp.itunes.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device | Yes |
Network access to the following hosts as well as the hosts in the App Store section is required for full functionality of Apple School Manager and Apple Business Manager.
Host | Ports | Protocol | OS | Description | Support Proxies |
|---|---|---|---|---|---|
*.business.apple.com | 443,80 | TCP | - | Apple Business manager | - |
*.school.apple.com | 443,80 | TCP | - | Schoolwork Roster service | - |
upload.appleschoolcontent.com | 22 | SSH | - | SFTP uploads | Yes |
ws-ee-maidsvc.icloud.com | 443,80 | TCP | - | Schoolwork Roster service | - |
Conclusion
This blog provides a concise explanation of the utilization of APNs services when enrolling an Apple device in an MDM tool.
Comments