APN and init-p01st.push.apple.com

Kumarasinghe
Valued Contributor

We identified an issue with Push notifications on Mountain Lion clients. We have seen that machines try to communicate with init-p01st.push.apple.com and this address resolves to an Akamai IP.
Until we have this connection established we don't get our push notifications to the clients.

init-p01st.push.apple.com uses Akamai DNS and it doesn't resolve to the 17.0.0.0/8 range from our location. Apple Technical Note N2265 says that they use the 17.0.0.0/8 range for APNs, but it seems it is not in this range.

We have an authenticated internet system in place and need to exempt this.

Does anyone know what the role of this init-p01st.push.apple.com host is, and its communication between OS X clients?

1 REPLY

bradtchapman
Valued Contributor II

Hello @Kumarasinghe and Jamf Nation,

I couldn't be more thrilled to update this ancient topic because I'm giving a presentation at JNUC 2017 on the inner workings of APNS. The "init" server is one of many different items that will be explained during the session.

The iOS or Mac device doesn't query the init server after every network transition, but it does appear to check init at least once every 24 hours.

A simple Wireshark packet capture reveals that the Mac daemon apsd will perform an HTTP/1.1 GET from this URL over standard http:

http://init-p01st.push.apple.com/bag

This downloads a file called "bag" to the computer. It's a plain-text Property List (.plist) file with three keys, whose contents are also base64-encoded. The keys are named as follows: key, certs, and bag.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>signature</key>
        <data>fn4uYs7OGTxe1dFgQqPAFGrhIlJouk1qURhL4f2lMEvUE2ObzG7DyO1gS9+bMc1vCoi69IPlf7EFOd0MsBk5aIGAPkn9kEMUSy4y0luO6HGNynGwQmpU0WhbcoGLieJVgsD7S4vs5I2C75EST/+0qir81kQYkYdSwSi0Sh5wV1kUDNPHKGX9/SIVUN8QwaVan0RhgNUT4V1eqQl1XlZkyXud3e80Q09stv+e4cee0x9YrpQXxXd5Qzl1brpNJn+B1gvMGj9iI04MBlMkozl1Mu22lhiVPsUU4YqYzUlqwkHQNkegyfoDRrO5U8mrDtdXeRu1r2lL1ld/4KoktSFCSw==</data>

        <key>certs</key>
        <array>
            <data>…</data>
            <data>…</data>
        </array>

        <key>bag</key>
        <data>…</data>

    </dict>
</plist>

The "key" is most likely a private key file.
The "certs" are standard SSL certs. One is issued by Apple; the other by Entrust.
The "bag" is a Base64-encoded property list file.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>APNSCourierHostname</key>
        <string>courier.push.apple.com</string>

        <key>APNSCourierHostcount</key>
        <integer>50</integer>

        <key>ClientConnectionRetryAttempts</key>
        <integer>100</integer>

        <key>APNSCourierStatus</key>
        <true/>

        <key>minConsecutiveKeepAlivesMaintainingWiFiConnection</key>
        <integer>10</integer>

        <key>minutesDisableSwitchingToWiFiFromCellular</key>
        <integer>15</integer>

        <key>APNSNumberOfCriticalMessageKeepAlivesBeforeDisconnecting</key>
        <integer>3</integer>

        <key>APNSCriticalMessageKeepAliveTimerDuration</key>
        <real>10.0</real>

        <key>APNSCriticalMessageTimeout</key>
        <real>10.0</real>

        <key>APNSWWANTrackedLinkQualityTimeInterval</key>
        <real>600.0</real>

        <key>APNSWWANTrackedLinkQualityOffTransitions</key>
        <integer>2</integer>

        <key>APNSAWDSlowReceiveThreshold</key>
        <real>60.0</real>

        <key>APNSLowPriorityMessageBatchSize</key>
        <integer>50</integer>

        <key>APNSActiveInterval</key>
        <integer>5</integer>

        <key>APNSForcedShortTimeoutInterval</key>
        <real>2.0</real>

        <key>APNSCostDrivenDualChannelAttempts</key>
        <integer>100</integer>

        <key>APNSPiggybackDualChannelAttempts</key>
        <integer>50</integer>

        <key>APNSMaximumLowPriorityBatchesPerHour</key>
        <integer>3</integer>

        <key>APNSDisableCostDrivenDualChannel</key>
        <false/>

        <key>APNSLowPriorityBurstWindow</key>
        <real>30.0</real>

        <key>APNSLowPriorityBurstDelay</key>
        <real>1200.0</real>

        <key>APNSLowPriorityBurstSendProbability</key>
        <real>0.8</real>

        <key>KeepAliveV2TimeDriftMaximum</key>
        <integer>0</integer>

        <key>KeepAliveV2TimeDriftMaxAllowed</key>
        <integer>30</integer>

        <key>APNSIPCachingTTLMinutes</key>
        <integer>1440</integer>

        <key>APNSIPCachingPercentage</key>
        <integer>0</integer>

        <key>Environment</key>
        <string>Production</string>

        <key>APNSNagleEnabled</key>
        <false/>

        <key>APNSMinimumIntervalFallbackEnabled</key>
        <true/>

        <key>APNSIPCachingTTLMinutesV2</key>
        <integer>1440</integer>

    </dict>
</plist>

The only mystery is why the init servers aren't hosted within 17.0.0.0/8, as Apple has more than enough IP addresses to spare.
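
Added example (not part of the original post, and not Apple's or Jamf's code): a Python routine that unpacks a response with the layout shown above, using the key names in the sample (signature, certs, bag), and pulls out the inner settings a proxy or firewall administrator would check before writing an exemption. The sample response is constructed, with placeholder bytes for the signature and certificates; the signature is not verified here because the page does not describe the signing scheme, so values fetched over plain HTTP should be treated as unauthenticated.

```python
import plistlib

REQUIRED = {"signature": bytes, "certs": list, "bag": bytes}

def build_sample_response() -> bytes:
    """Constructed stand-in for the /bag response (not captured data)."""
    inner = {
        "APNSCourierHostname": "courier.push.apple.com",
        "APNSCourierHostcount": 50,
        "APNSIPCachingTTLMinutes": 1440,
        "Environment": "Production",
    }
    outer = {
        "signature": b"\x00" * 256,              # placeholder bytes
        "certs": [b"placeholder-cert-1", b"placeholder-cert-2"],
        "bag": plistlib.dumps(inner),            # nested plist, stored as <data>
    }
    return plistlib.dumps(outer)

def parse_bag(response: bytes) -> dict:
    """Return the inner settings dict, rejecting responses with the wrong shape."""
    outer = plistlib.loads(response)             # <data> values arrive as bytes
    if not isinstance(outer, dict):
        raise ValueError("top-level plist is not a dict")
    for key, expected in REQUIRED.items():
        if not isinstance(outer.get(key), expected):
            raise ValueError(f"missing or mistyped key: {key}")
    inner = plistlib.loads(outer["bag"])
    if not isinstance(inner, dict):
        raise ValueError("inner bag is not a dict")
    return inner

def summarize(inner: dict) -> dict:
    """Pick out the values relevant to proxy/firewall exemptions."""
    return {
        "courier_hostname": inner["APNSCourierHostname"],
        "courier_hostcount": inner["APNSCourierHostcount"],
        "ip_cache_hours": inner["APNSIPCachingTTLMinutes"] / 60,
        "environment": inner["Environment"],
    }

if __name__ == "__main__":
    print(summarize(parse_bag(build_sample_response())))
```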