Use of APNs Certificate in MDM (Intune)

Updated: Jun 29

Hello, everyone. In this blog I will explain why an MDM solution needs an APNs certificate (I am using Intune as my MDM tool) and how the device and Intune communicate once a device is enrolled in Intune.

First, APNs is not limited to MDM solutions; mobile applications also use APNs to send notifications to iOS devices. Here, though, I will explain the APNs certificate use case for an MDM (Intune) solution. To use Apple Push Notification service (APNs), your macOS and iOS devices need a persistent connection to Apple's servers over Ethernet, cellular data (if capable), or Wi-Fi.


The diagram below illustrates how Intune uses APNs for device enrollment.

For Apple devices to work with APNs, network traffic from the devices to the Apple network (17.0.0.0/8) must be allowed, either directly or through a network proxy. Apple devices must be able to connect to specific ports on specific hosts:

  1. TCP port 443 during device activation, and afterward for fallback if devices can’t reach APNs on port 5223

  2. TCP port 5223 to communicate with APNs

  3. TCP port 443 or 2197 to send notifications from MDM to APNs
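The three flows above are the ones a firewall review most often gets wrong, because a device that cannot reach port 5223 falls back to 443 and keeps working, so the gap goes unnoticed. The script below is an added example (not code from the original post, from Apple or from Intune) that audits a candidate egress policy against exactly those flows toward 17.0.0.0/8. The policy format, a list of Rule(source, dest_cidr, proto, port) entries, is an assumption made for this example and not any firewall vendor's syntax; the probe() helper is a plain TCP connect test for use from a client VLAN.

```python
"""Audit an egress policy against the APNs flows required for MDM.

Added example; not code from the original post, Apple, or Intune. The
required flows are the three listed in the post (device -> APNs on TCP 443
and 5223, MDM -> APNs on TCP 443 or 2197), all toward Apple's 17.0.0.0/8.
The Rule format is an assumption made for this example.
"""
import ipaddress
import socket
from dataclasses import dataclass

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    source: str       # "device" (iOS/macOS client) or "mdm" (the MDM server)
    proto: str
    port: int
    purpose: str


# Flows from the post. The two MDM -> APNs ports are alternatives, so the
# audit treats that pair as satisfied when either one is allowed.
REQUIRED_FLOWS = (
    Flow("device", "tcp", 443, "activation, and fallback if 5223 is blocked"),
    Flow("device", "tcp", 5223, "persistent APNs connection"),
    Flow("mdm", "tcp", 443, "MDM -> APNs notifications"),
    Flow("mdm", "tcp", 2197, "MDM -> APNs notifications (alternate port)"),
)


@dataclass(frozen=True)
class Rule:
    source: str
    dest: str         # destination CIDR the rule permits (assumed format)
    proto: str
    port: int


def rule_covers(rule, flow):
    """True when the rule permits this flow to all of 17.0.0.0/8.

    A rule for only part of Apple's range (say 17.0.0.0/16) does not count,
    because Apple documents the whole /8 as the range devices must reach.
    """
    dest = ipaddress.ip_network(rule.dest, strict=False)
    return (dest.version == 4
            and rule.source == flow.source
            and rule.proto.lower() == flow.proto
            and rule.port == flow.port
            and APPLE_NET.subnet_of(dest))


def missing_flows(policy):
    """Return the required flows the policy does not allow, in table order."""
    allowed = {f for f in REQUIRED_FLOWS if any(rule_covers(r, f) for r in policy)}
    mdm_alternatives = {f for f in REQUIRED_FLOWS if f.source == "mdm"}
    if allowed & mdm_alternatives:          # 443 or 2197 is enough for MDM -> APNs
        allowed |= mdm_alternatives
    return [f for f in REQUIRED_FLOWS if f not in allowed]


def probe(host, port, timeout=5.0):
    """Live check: can this machine open a TCP connection to host:port?

    Run from a client network to confirm 5223 is really open; a client that
    cannot reach 5223 falls back to 443 and still works, which hides the gap.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample policy: devices may use 443 anywhere, the MDM server may
# reach Apple on 443, but nobody opened 5223. The audit flags 5223 only.
SAMPLE_POLICY = [
    Rule("device", "0.0.0.0/0", "TCP", 443),
    Rule("mdm", "17.0.0.0/8", "TCP", 443),
]

if __name__ == "__main__":
    for flow in missing_flows(SAMPLE_POLICY):
        print(f"missing: {flow.source} -> 17.0.0.0/8 {flow.proto}/{flow.port} ({flow.purpose})")
```

Run it against an export of your real egress rules translated into Rule entries; a clean result means every required flow reaches the whole 17.0.0.0/8, not just the addresses *.push.apple.com happened to resolve to today.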

How Apple devices enroll in Intune using APNs


Why do we use the MDM solution to manage devices? (For example, Intune)


A mobile device management solution helps an organization configure devices securely and wirelessly by sending profiles and commands to the device, whether it is a user-owned device (BYOD) or an organization-owned (company-owned) device. Some MDM capabilities include:

  1. Managing software updates

  2. Managing device settings

  3. Managing and monitoring compliance policies

  4. Remote management, e.g. remote wipe and remote lock

Users can enroll their own devices in MDM, and organization-owned devices can be automatically enrolled in MDM using Apple School Manager or Apple Business Manager. iOS, iPadOS, macOS, and tvOS have built-in frameworks that work with MDM, and MDM solutions require multiple certificates to talk to devices: an APNs certificate to notify devices, an SSL certificate to communicate securely, and a certificate to sign the configuration profiles.


Let's see how an iOS device gets enrolled in Intune and how APNs is used along the way.


1. Enrolling the Device


Every device needs an enrollment profile that links it with an MDM (Intune). Personal (BYOD) devices can be enrolled with User Enrollment or Device Enrollment, and organization-owned devices can be enrolled through Apple Business Manager using Automatic Device Enrollment (ADE), which enrolls the device in Intune automatically; other devices must be enrolled manually.

2. Installing an Enrollment Profile


During the enrollment process the device downloads the enrollment profile automatically; alternatively, the user downloads the profile during over-the-air distribution.

3. Notifying the Device


Now the server queues a command for the device and sends a notification to the device through Apple Push Notification service (APNs). This is why we need to add an APNs certificate to Intune: with APNs, Intune maintains persistent communication with devices across both public and private networks. I have written a blog on how to install the APNs (Apple MDM push) certificate in Intune; please refer to the link.

4. Contacting the Server


The device receives the notification through APNs and contacts Intune.

5. Delivering Content


Once the device is connected to Intune, it downloads and acts on the queued command. This can be deploying device restrictions, iOS updates, or a compliance policy. When Intune wants to install an app, it sends a push notification to the device; the device checks in, processes an Install Application command, and then fetches the actual app file from the App Store or a local network caching server.
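Steps 3 to 5 are easier to reason about when you can see what actually crosses APNs and what does not. The model below is an added example (not code from the original post, from Apple or from Intune) that runs the notify / check-in / deliver exchange in one process: the MDM server queues a command, wakes the device through a stand-in APNs, and the device checks in to fetch and acknowledge the command. Message shapes follow the Apple MDM protocol (plist commands with CommandUUID and RequestType, Idle and Acknowledged status reports, a PushMagic value in the APNs payload) but are simplified, and the topic, token, PushMagic, UDID and app ID values are all constructed for this example.

```python
"""Model of the notify / check-in / deliver exchange between Intune, APNs and
an enrolled device. Added example; not code from the post, Apple, or Intune.
Message shapes are simplified from the Apple MDM protocol; all identifiers
below are constructed for the example.
"""
import plistlib
import secrets
import uuid

# Constructed stand-in. A real MDM topic is com.apple.mgmt.External.<UID>,
# where the UID comes from the APNs (MDM push) certificate uploaded to Intune.
MDM_TOPIC = "com.apple.mgmt.External.example-push-certificate-uid"


class APNs:
    """Stand-in for Apple's push service: routes by device token only and
    records every payload so we can see what crosses APNs."""

    def __init__(self):
        self.devices = {}
        self.sent = []

    def register(self, device):
        self.devices[device.token] = device

    def push(self, token, topic, payload):
        self.sent.append({"token": token, "topic": topic, "payload": dict(payload)})
        self.devices[token].on_push(topic, payload)


class MDMServer:
    """The Intune side: enrollment records and per-device command queues."""

    def __init__(self, apns):
        self.apns = apns
        self.enrolled = {}   # UDID -> (push token, PushMagic) learned at enrollment
        self.queues = {}     # UDID -> commands waiting for the next check-in
        self.log = []        # (UDID, Status, CommandUUID) per check-in

    def enroll(self, device):
        self.enrolled[device.udid] = (device.token, device.push_magic)
        self.queues[device.udid] = []

    def queue_command(self, udid, request_type, **args):
        cmd = {"CommandUUID": str(uuid.uuid4()),
               "Command": {"RequestType": request_type, **args}}
        self.queues[udid].append(cmd)
        token, push_magic = self.enrolled[udid]
        # Only the PushMagic crosses APNs. The command itself is never in the
        # push; the device has to fetch it over its own connection to the MDM.
        self.apns.push(token, MDM_TOPIC, {"mdm": push_magic})
        return cmd["CommandUUID"]

    def check_in(self, status_plist):
        """Handle one status report; reply with the next command or nothing."""
        status = plistlib.loads(status_plist)
        udid = status["UDID"]
        self.log.append((udid, status["Status"], status.get("CommandUUID")))
        queue = self.queues[udid]
        if status["Status"] == "Acknowledged":
            queue[:] = [c for c in queue if c["CommandUUID"] != status["CommandUUID"]]
        return plistlib.dumps(queue[0]) if queue else b""


class Device:
    """An enrolled iOS device (check-in modelled as a direct call; on a real
    device it is a TLS request to the MDM server URL from the profile)."""

    def __init__(self, udid, server):
        self.udid = udid
        self.server = server
        self.token = secrets.token_hex(32)      # constructed APNs device token
        self.push_magic = str(uuid.uuid4())     # constructed PushMagic
        self.installed = []
        self.ignored_pushes = 0

    def on_push(self, topic, payload):
        # A push whose topic or PushMagic does not match is dropped: no check-in.
        if topic != MDM_TOPIC or payload.get("mdm") != self.push_magic:
            self.ignored_pushes += 1
            return
        self.check_in()

    def report(self, status, command_uuid=None):
        msg = {"UDID": self.udid, "Status": status}
        if command_uuid:
            msg["CommandUUID"] = command_uuid
        return self.server.check_in(plistlib.dumps(msg))

    def check_in(self):
        # Idle -> command -> Acknowledged -> next command ... until the queue is empty.
        reply = self.report("Idle")
        while reply:
            cmd = plistlib.loads(reply)
            self.execute(cmd["Command"])
            reply = self.report("Acknowledged", cmd["CommandUUID"])

    def execute(self, command):
        if command["RequestType"] == "InstallApplication":
            # A real device now fetches the app from the App Store or a
            # caching server; here we only record the store ID it was given.
            self.installed.append(command["iTunesStoreID"])


def run_demo():
    apns = APNs()
    server = MDMServer(apns)
    device = Device("EXAMPLE-UDID-0001", server)   # constructed UDID
    apns.register(device)
    server.enroll(device)
    command_uuid = server.queue_command(device.udid, "InstallApplication",
                                        iTunesStoreID=123456789)  # constructed
    # A push with the right token but the wrong PushMagic is ignored.
    apns.push(device.token, MDM_TOPIC, {"mdm": "not-the-real-magic"})
    return {"apns": apns, "server": server, "device": device,
            "command_uuid": command_uuid}


if __name__ == "__main__":
    r = run_demo()
    print("crossed APNs:", [m["payload"] for m in r["apns"].sent])
    print("installed:", r["device"].installed, "ignored pushes:", r["device"].ignored_pushes)
```

The point to take from the run is in the recorded APNs payloads: they contain only the PushMagic, never a command, so the APNs certificate is what lets Intune wake a device, while the command content, the device's status reports and the app download all travel over the device's own connections to Intune and the App Store.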

Below are some of the hosts, ports, and protocols used while an iOS device is being set up.

| Host | Ports | Protocol | OS | Description | Supports Proxies |
| --- | --- | --- | --- | --- | --- |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Device activation | Yes |
|  | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals | Yes |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS |  | Yes |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS |  | Yes |
|  | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS |  | Yes |
|  | 443 | TCP | iOS and iPadOS | eSIM activation | - |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS |  | Yes |
|  | 123 | UDP | iOS, iPadOS, and tvOS | Used by the device to set its date and time | - |
|  | 123 | UDP | iOS, iPadOS, tvOS, and macOS | Used by the device to set its date and time | - |
|  | 123 | UDP | macOS only | Used by the device to set its date and time | - |

Network access to the following hosts might be required for devices enrolled in Mobile Device Management (Intune)

| Host | Ports | Protocol | OS | Description | Supports Proxies |
| --- | --- | --- | --- | --- | --- |
| *.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, iPadOS, tvOS, and macOS | Push notifications | - |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP provisional enrollment | - |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS |  | - |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by an MDM server to identify which software updates are available to devices that use managed software updates | Yes |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS | APNs certificate request portal | Yes |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Hosts the enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by MDM servers to upload the enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts | Yes |
|  | 443 | TCP | iOS and iPadOS | Required to log in with a Managed Apple ID on Shared iPad | - |
|  | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device | Yes |

Network access to the following hosts as well as the hosts in the App Store section is required for full functionality of Apple School Manager and Apple Business Manager.

| Host | Ports | Protocol | OS | Description | Supports Proxies |
| --- | --- | --- | --- | --- | --- |
| *.business.apple.com | 443, 80 | TCP | - | Apple Business Manager | - |
| *.school.apple.com | 443, 80 | TCP | - | Schoolwork Roster service | - |
|  | 22 | SSH | - | SFTP uploads | Yes |
|  | 443, 80 | TCP | - | Schoolwork Roster service | - |

References

  1. https://support.apple.com/en-us/HT210060

