APN technology overview?

MrP
Contributor III

Does someone have a good resource for a thorough breakdown of how the APN + Managed preference technology works, such as what data is being passed where and in what order, and what the purpose of each data transaction is? I have the list of ports and what direction the 'data' is sent on them; however, I cannot find any specific information about what the data contains, and all of the previously mentioned parameters. I would think Apple would have a breakdown of how their technology works other than "data on the ports and stuff to and from servers and clients", but I cannot find it. :)

I found this; however, it is nowhere close to an official source and doesn't appear to be entirely accurate.

http://www.justinrummel.com/how-apns-works-with-mdms-that-manage-osx-and-ios/


JPDyson
Valued Contributor

Justin is a member here; he could elaborate on any points of that article which are unclear or inaccurate (though, if you're asking for this information - ostensibly because you require an explanation - I'm curious how you judged it inaccurate).

The key concepts are all there:
- The MDM sends a push request to Apple
- Apple sends a push notification to the client; it contains no commands, apart from "please phone home"
- The device receives the push notification and phones home to the MDM
- The MDM tells the device to perform a task
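The four steps above as a runnable simulation. This is an added example, not code from the thread, from Jamf or from Apple; message shapes are simplified stand-ins, the hop order and ports are the ones discussed in this thread, and the device record, tokens and command are constructed. The one protocol detail kept on purpose is that the MDM push payload is only `{"mdm": <PushMagic>}`; the command itself never passes through APNs but is fetched by the device over its own TLS connection to the MDM.

```python
"""Simulated MDM push round-trip: MDM -> APNs -> device -> MDM.

Added illustration, not code from the thread or from Jamf/Apple. Message
shapes are simplified stand-ins. The one protocol detail kept on purpose
is that the MDM push payload is only {"mdm": <PushMagic>}; the actual
command travels over the device's own TLS connection to the MDM. Port
numbers are the ones discussed in the thread; tokens and identifiers
below are constructed.
"""

# Constructed enrolment record, as the MDM would store it after the
# device's TokenUpdate message.
DEVICE = {
    "udid": "00008030-0000AAAA1111BBBB",                   # constructed
    "push_token": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",      # constructed, opaque to the MDM
    "push_magic": "A1B2C3D4-E5F6-7890-ABCD-EF0123456789",  # constructed
}


def mdm_send_push(device, log):
    """Step 1: MDM -> APNs (TCP 2195). The payload names no command, only PushMagic."""
    msg = {"device_token": device["push_token"], "payload": {"mdm": device["push_magic"]}}
    log.append(("MDM->APNs", 2195, msg))
    return msg


def apns_deliver(msg, log):
    """Step 2: APNs -> device over the device's persistent TCP 5223 connection.
    APNs forwards the payload as-is; it neither sees nor adds a command."""
    payload = msg["payload"]
    log.append(("APNs->device", 5223, payload))
    return payload


def device_checkin(device, payload, log):
    """Step 3: device phones home (TLS to the MDM, TCP 8443 in this simulation).
    Simplified: the device only reacts if the mdm value matches its own PushMagic."""
    if payload.get("mdm") != device["push_magic"]:
        return None  # not for our MDM enrolment: ignore
    req = {"Status": "Idle", "UDID": device["udid"]}
    log.append(("device->MDM", 8443, req))
    return req


def mdm_respond(queue, req, log):
    """Step 4: MDM answers the Idle check-in with the next queued command, if any."""
    if req is None or not queue:
        return None
    cmd = queue.pop(0)
    log.append(("MDM->device", 8443, cmd))
    return cmd


def run_push_cycle(device, queue):
    """Run one full cycle; return (hop log, command delivered to the device)."""
    log = []
    msg = mdm_send_push(device, log)
    payload = apns_deliver(msg, log)
    req = device_checkin(device, payload, log)
    cmd = mdm_respond(queue, req, log)
    return log, cmd


def command_crossed_apns(log):
    """True if any hop into or out of APNs carried anything beyond the 'mdm' key."""
    for hop, _port, msg in log:
        if hop == "MDM->APNs" and set(msg["payload"]) != {"mdm"}:
            return True
        if hop == "APNs->device" and set(msg) != {"mdm"}:
            return True
    return False


if __name__ == "__main__":
    hops, cmd = run_push_cycle(
        DEVICE, [{"RequestType": "DeviceInformation", "CommandUUID": "cmd-1"}]
    )
    for hop, port, msg in hops:
        print(f"{hop:14} tcp/{port}: {msg}")
    print("command crossed APNs:", command_crossed_apns(hops))
```

The point for a change board is visible in the hop log: the only traffic that touches Apple's servers carries a device token and an opaque PushMagic string, and the command appears for the first time on the device-to-MDM leg, which is why that leg still needs its own TLS and its own firewall rule.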

MrP
Contributor III

JPDyson:

Thanks for the feedback. I'd like to see official documentation because I have to go in front of a change management board to justify the changes to our firewall. I want to have more to back it up than "some guy on his blog" ;). I assumed that "That is where APNS stops being the middle man and lets a secure communication take over between your devices and MDM only." meant once it was associated with the MDM it wouldn't need to talk to APNs again to receive updated information, that they would talk directly. Obviously I was mistaken, as testing has shown this to be untrue. Misinterpretation on my part. Regardless, I still need official documentation to back up my request.

For example this:
http://support.apple.com/kb/TS4264?viewlocale=en_US&locale=en_US
States "TCP port 5223 (used by devices to communicate to the APNs servers)". So I tell this to the board and they say "what data is communicated? I don't see anything in the article regarding that." Me: 'JPDyson' on a forum and 'Justin' on his blog says it sends "xyz". Them: "... .. . OK, we'll consider. That will be all." *subtext: not credible sources at all and that you think we would consider them to be means you are completely under-qualified for your position. You should be fired or demoted. You certainly won't be taken seriously anymore and don't hold your breath on a raise.* Then later I'd catch hell from my boss.

;-)

nessts
Valued Contributor II

How about this.
https://developer.apple.com/library/ios/technotes/tn2265/_index.html

JPDyson
Valued Contributor

This rabbit hole goes as deep as you need it to.

https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW9

https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/CommunicatingWIthAPS.html#//apple_ref/doc/uid/TP40008194-CH101-SW1

MrP
Contributor III

nessts:

Thanks for the link. I'll look at it more closely, but at first blush it conflicts with the "JSS PortsTotal.pdf", which states:

2195: The port used to send messages from the JSS to Apple Push Notification service (APNs). Outbound from the JSS
2196: The port used by the JSS to connect to APNs for feedback. Outbound from the JSS

But the dev article states:
Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to allow inbound and outbound TCP packets over port 2195. To reach the feedback service, you will need to allow inbound and outbound TCP packets over port 2196.

No official information in the dev article about what the feedback service does.

The article is helpful, but not entirely:)

MrP
Contributor III

JPDyson:

This rabbit hole goes as deep as you need it to.

https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW9

https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/CommunicatingWIthAPS.html#//apple_ref/doc/uid/TP40008194-CH101-SW1

I think that might be exactly what I am looking for. May take me some time to review it! Thanks for the info.

davidacland
Honored Contributor II

I spent some time a while ago reading through the Apple developer APNS pages. I ended up setting up a test server, client and firewall and monitored what was going on. Not sure if it helps but this is the request I normally send to the "firewall / networking people" when I need to add APNS functionality to a corporate network:

- TCP port 2195 outbound from the JSS to 17.0.0.0/8 (Apple class A subnet). This enables the JSS to send remote commands and notify clients that there are configuration profiles available.
- TCP port 2196 outbound from the JSS to 17.0.0.0/8. This enables the JSS to get feedback on the status of APNs notification commands.
- TCP port 5223 outbound from the LAN (Apple clients) to 17.0.0.0/8. This lets the clients establish a persistent connection with the Apple APNs system and receive push notifications.
- TCP port 8443 from outside the network (any) to the JSS. This allows clients outside the LAN to communicate with the JSS.
- TCP port 1640 from outside the network (any) to the JSS. This lets clients enrol with the JSS and receive dynamically generated certificates (SCEP).

Friendly comments welcome!
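The five rules above, encoded as data and evaluated against sample flows the way a stateful firewall would. This is an added example, not part of the post or of any Jamf documentation; the JSS address, the LAN range and every sample address are constructed assumptions, and the stateful model (reply packets accepted only for a connection opened in the permitted direction) is the usual one but is an assumption about the reader's firewall.

```python
"""Stateful evaluation of the five APNs/JSS rules above.

Added example, not part of the post or of any Jamf documentation. The
rule set is the one requested above, encoded as data; the firewall model
is the usual stateful one, so reply packets are accepted only for a
connection that was opened in the permitted direction. The JSS address,
the LAN range and all sample addresses are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

APPLE = ip_network("17.0.0.0/8")     # Apple's class A block, as in the post
LAN = ip_network("10.0.0.0/8")       # assumed corporate LAN
JSS = ip_network("10.0.1.10/32")     # assumed JSS address
ANY = ip_network("0.0.0.0/0")

# (rule name, source net, destination net, TCP destination port)
RULES = [
    ("jss-apns-push",     JSS, APPLE, 2195),  # JSS -> APNs: send notifications
    ("jss-apns-feedback", JSS, APPLE, 2196),  # JSS -> APNs feedback service
    ("clients-apns",      LAN, APPLE, 5223),  # clients -> APNs persistent connection
    ("inbound-jss-mdm",   ANY, JSS,   8443),  # clients anywhere -> JSS
    ("inbound-jss-scep",  ANY, JSS,   1640),  # clients anywhere -> JSS enrolment / SCEP
]


def match_rule(rules, src, dst, dport):
    """Return the name of the first rule permitting a new TCP connection, else None."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, port in rules:
        if s in src_net and d in dst_net and dport == port:
            return name
    return None


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()  # (client, server, server_port)

    def new_connection(self, src, dst, dport):
        """A SYN: allowed only by an explicit rule; the flow is remembered if so."""
        name = match_rule(self.rules, src, dst, dport)
        if name:
            self.established.add((src, dst, dport))
        return name

    def reply_allowed(self, src, sport, dst):
        """A packet from the server side back to the client: allowed only for a tracked flow."""
        return (dst, src, sport) in self.established


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    samples = [
        ("10.0.1.10", "17.172.1.1", 2195),    # JSS to APNs: permitted
        ("17.172.1.1", "10.0.1.10", 2195),    # Apple initiating to the JSS: not permitted
        ("10.0.5.20", "17.172.1.1", 5223),    # client to APNs: permitted
        ("10.0.5.20", "17.172.1.1", 2195),    # client on the provider port: not permitted
        ("203.0.113.7", "10.0.1.10", 8443),   # external client to JSS: permitted
        ("203.0.113.7", "10.0.1.10", 22),     # anything else inbound: not permitted
    ]
    for flow in samples:
        print(flow, "->", fw.new_connection(*flow))
    print("APNs reply on the JSS connection allowed:", fw.reply_allowed("17.172.1.1", 2195, "10.0.1.10"))
```

Two things worth showing a change board with this: nothing in 17.0.0.0/8 is ever allowed to open a connection inward, and the reply half of the 2195 and 2196 sessions is admitted by connection tracking rather than by a separate inbound rule, which is how the outbound-only wording in the post and the "inbound and outbound TCP packets" wording MrP quotes from the developer article describe the same thing on a stateful firewall.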

MrP
Contributor III

davidacland:

Excellent information!