What: Need a network timing diagram showing the TCP ports and direction of communications (who does initial SYN to whom) between Mobile Device Management (MDM) server, the Apple Push Notification Server (APNS) and the client iOS device.

Why: In resolving our organization's inability to open TCP ports outbound from the corporate infrastructure to Apple's IP address range per Apple, I find it necessary to have documentation on the flow control of various runtime aspects of the Apple Push Notification Service/Server (APNS).

How: The intent is to explain how blocking access to some of the Apple 17.0.0.0/8 address range will cause seemingly random operational failures in the interaction between the MDM/APNS/iOS device during enrollment, push of profiles, device check-in, and otherwise. Documentation at Apple has been much too high level or pure-text descriptions that can't be used in "mixed company" (deep technical and director level).

Cerniuk

  • The ports are listed [here](https://support.apple.com/en-us/HT203609) (I assume you have already seen that document). Connections are always made from the client to Apple's servers, e.g. your MDM server will connect to the Apple APNS server on port 2195 to send the push messages. iOS (and macOS) client devices connect to Apple's servers just after they boot and try to maintain a persistent connection to those servers on port 5223 over WiFi or cellular in order to receive APNS messages. Apple's servers never initiate a connection to a client. – Paulw11 Oct 02 '18 at 21:47
  • Yes, and I [have this too](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1) (been working with Apple), but it still does not draw this out in a "here is where the comms go boom" sort of network timing diagram. – Cerniuk Oct 02 '18 at 21:58
  • I don't know what you mean by a "timing diagram". There is no specific relationship between the establishment of sessions between the push sender and the push receiver. The push sender establishes a session whenever they need to send a push (or they may re-use an existing session as per standard HTTP/2 protocols). The push receiver establishes a session as soon as it can after boot. When a push is sent to the receiver it is delivered over TCP using that already established session. – Paulw11 Oct 02 '18 at 22:01
  • For push notifications to be received reliably, Apple devices must always be able to connect to 17.0.0.0/8 on port 5223. Devices will prefer a cellular connection even if WiFi is available for this session in order to avoid potential firewall issues; it is implied in the document I linked to earlier and described in detail [here](https://developer.apple.com/library/archive/technotes/tn2265/_index.html). – Paulw11 Oct 02 '18 at 22:03
  • @paulw11 something like this: [Network Timing Diagram](https://i.stack.imgur.com/Gs0Tj.png) but with port documentation "TCP port 5223" on a given connection line. I am familiar with the constraints of the connections and firewalls / proxies in between, but it is good to have it in the notes here for others, so thanks for that. – Cerniuk Oct 07 '18 at 14:52
  • I know what a network timing diagram *is*, but I don't think you will find one. You will need to draw your own. Essentially, if a device can't connect to 17/8 on 5223 it can't receive push notifications. If the device has a cellular connection your firewall isn't involved, though. The device connection isn't time-based, it is continuous. A push payload will be sent over the existing session after your server delivers it to Apple's server. – Paulw11 Oct 07 '18 at 18:40
  • @Paulw11 it is becoming apparent that I'm going to have to draw my own for the given sub-states of APNS interaction. Very aware of how to break APNS interaction, as our organization forced me to analyze how we (*they*) broke it. In massive organizations it is hard to get the *they* to recognize their errors and fix them... this is exactly that case. – Cerniuk Oct 14 '18 at 14:33
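As an added example (not from the question or the comments), here is a small Python script that scans outbound firewall deny records for the flows the comments say must succeed: clients and the MDM server connecting to 17.0.0.0/8 on the APNs ports. Ports 5223 and 2195 are the ones named above; the remaining ports are taken from Apple's HT203609 note linked in the first comment, and the log lines and their key=value layout are constructed for the example rather than any vendor's real format.

```python
import ipaddress
import re

# Apple's push network, as cited in the question and comments above.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Destination port -> who initiates the connection. 5223 and 2195 are named in
# the comments; the others come from Apple's HT203609 note linked there.
APNS_PORTS = {
    5223: "device -> APNs (persistent push session)",
    443: "device -> APNs fallback, or MDM/provider -> APNs HTTP/2 API",
    2195: "MDM/provider -> APNs (legacy binary gateway)",
    2196: "MDM/provider -> APNs feedback service",
    2197: "MDM/provider -> APNs HTTP/2 API (alternate port)",
}

# Constructed sample log (not a real vendor format). Lines 1 and 3 are the
# denies that break push; line 4 is a deny to a non-Apple address and is ignored.
SAMPLE_LOG = """\
2018-10-02T21:47:01Z action=DENY proto=TCP src=10.20.30.41:51234 dst=17.188.1.10:5223
2018-10-02T21:47:02Z action=ALLOW proto=TCP src=10.20.30.41:51235 dst=17.188.1.10:443
2018-10-02T21:47:05Z action=DENY proto=TCP src=10.0.5.9:40001 dst=17.172.0.25:2195
2018-10-02T21:47:06Z action=DENY proto=TCP src=10.0.5.9:40002 dst=203.0.113.5:443
2018-10-02T21:47:09Z action=ALLOW proto=TCP src=10.20.30.42:51300 dst=17.57.144.8:5223
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=TCP "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def blocked_apns_flows(log_text):
    """Return DENY records whose destination is inside 17/8 on an APNs port."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP connection record in the expected layout
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if m["action"] == "DENY" and dst in APPLE_NET and dport in APNS_PORTS:
            findings.append({"ts": m["ts"], "src": m["src"], "dst": str(dst),
                             "port": dport, "role": APNS_PORTS[dport]})
    return findings

if __name__ == "__main__":
    for f in blocked_apns_flows(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['port']} BLOCKED ({f['role']})")
```

Each hit names the source host and the role of the blocked port, so a deny on 5223 points at a device that cannot hold its push session while a deny on 2195 (or 443/2197) points at the MDM server itself.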