Anand P

May 9, 2022 · 3 min

Use of APNs Certificate in MDM (Intune)

Updated: Jun 29, 2022

Hello everyone. In this blog I will explain why an MDM solution needs an APNs certificate (I am using Intune as my MDM tool) and how a device communicates with Intune once it is enrolled.

First, APNs is not limited to MDM solutions: mobile applications also use APNs to send notifications to iOS devices. Here, however, I will explain the APNs certificate use case with an MDM (Intune) solution. To use the Apple Push Notification service (APNs), your macOS and iOS devices need a persistent connection to Apple's servers over Ethernet, cellular data (if capable), or Wi-Fi.

The diagram below illustrates how Intune uses APNs for device enrollment.

For Apple devices to work with APNs, network traffic from the devices to the Apple network (17.0.0.0/8) must be allowed, either directly or through a network proxy. Apple devices must be able to connect to specific ports on specific hosts:

  1. TCP port 443 during device activation, and afterward for fallback if devices can’t reach APNs on port 5223

  2. TCP port 5223 to communicate with APNs

  3. TCP port 443 or 2197 to send notifications from MDM to APNs
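The three port requirements above are the first thing to verify when push notifications stop arriving on managed devices. The script below is an added example (it is not part of this post, nor Intune or Apple tooling): it attempts outbound TCP connections for each port listed above, confirms that the peer it reached sits inside Apple's 17.0.0.0/8 block (a peer outside that range points at a proxy or TLS-inspection device in the path), and summarises what the results mean for push delivery. The host names are an assumption taken from Apple's public APNs documentation (courier.push.apple.com for devices, api.push.apple.com for providers); replace them with whatever hosts your MDM documentation lists.

```python
"""Outbound connectivity check for the APNs ports an MDM-enrolled Apple device
and the MDM server need.  Added example; host names are assumptions, ports are
the ones given in the post."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Apple's address block, as given in the post.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# (side, host, port, purpose).  Ports come from the post; hosts are assumed
# from Apple's APNs documentation and should be adjusted for your environment.
APNS_TARGETS = [
    ("device", "courier.push.apple.com", 5223, "device to APNs (primary)"),
    ("device", "courier.push.apple.com", 443, "device to APNs (fallback if 5223 is blocked)"),
    ("server", "api.push.apple.com", 443, "MDM server to APNs (notification delivery)"),
    ("server", "api.push.apple.com", 2197, "MDM server to APNs (alternate port)"),
]


def is_apple_address(ip: str) -> bool:
    """True if the address lies inside 17.0.0.0/8."""
    return ipaddress.ip_address(ip) in APPLE_NET


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Open a TCP connection; return the peer IP on success, None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return sock.getpeername()[0]
    except OSError:
        return None


def run_checks(
    targets=APNS_TARGETS,
    connect: Callable[[str, int], Optional[str]] = tcp_connect,
) -> List[Dict]:
    """Try every target and record reachability plus whether the peer is Apple's."""
    results = []
    for side, host, port, purpose in targets:
        peer = connect(host, port)
        results.append({
            "side": side,
            "host": host,
            "port": port,
            "purpose": purpose,
            "reachable": peer is not None,
            # A reachable peer outside 17/8 means something is intercepting the
            # connection; APNs will not work through a TLS-inspecting proxy.
            "apple_peer": is_apple_address(peer) if peer else False,
        })
    return results


def push_path_status(results: List[Dict]) -> str:
    """Turn the per-port results into a one-line diagnosis."""
    device_ok = {r["port"] for r in results if r["side"] == "device" and r["reachable"]}
    server_ok = {r["port"] for r in results if r["side"] == "server" and r["reachable"]}
    if not server_ok:
        return "MDM cannot reach APNs: queued commands will never be pushed"
    if 5223 in device_ok:
        return "device push path healthy (port 5223)"
    if 443 in device_ok:
        return "device falling back to port 443: check why 5223 is blocked"
    return "device cannot reach APNs: push notifications will not arrive"


if __name__ == "__main__":
    checks = run_checks()
    for r in checks:
        state = "ok" if r["reachable"] else "BLOCKED"
        if r["reachable"] and not r["apple_peer"]:
            state = "intercepted (peer not in 17.0.0.0/8)"
        print(f"{r['host']}:{r['port']:<5} {state:<40} {r['purpose']}")
    print(push_path_status(checks))
```

Run it from the network segment the devices use (and separately from wherever the MDM server egresses) so that each side's firewall rules are exercised. The `connect` parameter exists so the decision logic can be tested without network access, which is how the fallback case is exercised in the assertions that accompany this example.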

How Apple devices are enrolled in Intune using APNs

Why do we use the MDM solution to manage devices? (For example, Intune)

A mobile device management solution helps an organization configure devices securely and wirelessly by sending profiles and commands to the device, whether it is a user-owned (BYOD) device or an organization-owned (company-owned) device. Some MDM capabilities include:

  1. Manage software updates

  2. Manage device settings

  3. Manage and monitor compliance policies

  4. Remote management, e.g. remote wipe and remote lock

Users can enroll their own devices in MDM, and organization-owned devices can be enrolled automatically using Apple School Manager or Apple Business Manager. iOS, iPadOS, macOS, and tvOS have built-in frameworks that work with MDM. An MDM solution requires multiple certificates to talk to devices: an APNs certificate to reach the devices, an SSL certificate to communicate securely, and a certificate to sign the configuration profiles.

Let's see how an iOS device gets enrolled in Intune and where the APNs service is used.

1. Enrolling the Device

Every device needs an enrollment profile that links it with the MDM (Intune). Personal (BYOD) devices can be enrolled with User Enrollment or Device Enrollment. Organization-owned devices can be enrolled through Apple Business Manager, which uses Automatic Device Enrollment (ADE) to enroll the device in Intune automatically; other devices must be enrolled manually.

2. Installing an Enrollment Profile

During the enrollment process the device downloads the enrollment profile automatically; alternatively, the user downloads the profile during over-the-air distribution.

3. Notifying the Device

Now the server queues a command for the device and sends a notification to the device through the Apple Push Notification service (APNs). This is why we need to add an APNs certificate to Intune: with APNs, Intune maintains persistent communication with devices across both public and private networks. I have written a blog on how to install the APNs (Apple MDM Push) certificate in Intune; please refer to the Link

4. Contacting the Server

The device receives the notification via the APNs service and contacts Intune.

5. Delivering Content

Once the device is connected to Intune, it downloads and acts on the queued command. This can be deploying a device restriction, an iOS update, or a compliance policy. When Intune wants to install an app, it sends a push notification to the device; the device checks in, processes an Install Application command, and then fetches the actual app file from the App Store or a local network caching server.

Below are some of the hosts, ports, and protocols used while an iOS device is being set up.

Network access to the following hosts might be required for devices enrolled in mobile device management (Intune):

Network access to the following hosts, as well as the hosts in the App Store section, is required for full functionality of Apple School Manager and Apple Business Manager:

References

  1. https://support.apple.com/en-us/HT210060
