How APNS works with MDMs that manage OSX and iOS

Classic Environment

  • "Work" location, where your MDM (Casper Suite JSS in this example) and other internal servers live.
  • "Home" location, because people take their equipment home and still do work from the comfort of their couch. The firewall between the two is what the rest of this page is about.

APNS Workflow

This is where the magic happens!

You, as the OS X and/or iOS administrator, want your devices to do something. It may be to install a Configuration Profile to "lock down" a device, OR to provide a feature such as an Email configuration, Wi-Fi access, or something else... but you want it done NOW! You log in to your MDM management page/console and select which devices should perform the action. At that point, your MDM does the following:

  • Communicates with Apple's Push Notification Service (APNS) over ports 2195 (the push gateway) and 2196 (the feedback service) to "FIND MY DEVICES".
  • Your devices are already connected to APNS as soon as they turn on, have an Internet connection, AND port 5223 outbound is not blocked (on Wi-Fi, a device that cannot reach 5223 falls back to port 443). When a device connects to APNS it gets a device token.
  • It's this token that allows APNS to find and talk to your devices through your firewall. The key element is that when an MDM push is sent, the only information in the payload from Apple is "HEY Device! Talk to your MDM" and nothing else: no command, no profile, no credentials. In MDM terms the push carries just the PushMagic string the device was given at enrollment. That is where APNS stops being the middle man and lets a TLS connection between your devices and your MDM only take over.
  • Once the devices receive that push, they check in with your MDM over its designated port for the next set of commands you wish to execute from the MDM. In my example commands are sent over port 8443, as this is the port for the Casper Suite (but it may be 443 for other MDMs such as Profile Manager).
  • Your devices then do whatever your MDM requests, and report the result back over that same connection.
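To make the "nothing but a wake-up" point concrete, here is an added example (not code from the original post, the JSS, or Apple) that builds what actually travels on each hop: the legacy binary APNS frame an MDM writes to port 2195, the device's Idle check-in plist, and the server's command plist that only ever goes over the MDM's own TLS port. The device token, PushMagic value, UDID and profile bytes are constructed placeholders; the frame layout follows Apple's legacy simple-format provider API (command 0, token length, token, payload length, JSON payload).

```python
import json
import plistlib
import struct
import uuid

# Hop 1: MDM -> APNS over TCP 2195. Legacy "simple" binary frame:
# 1-byte command (0), 2-byte token length, 32-byte token,
# 2-byte payload length, JSON payload. Layout is assumed from Apple's
# legacy provider API; the values below are constructed sample data.
APNS_SIMPLE_COMMAND = 0
APNS_TOKEN_LEN = 32
APNS_MAX_PAYLOAD = 256  # legacy API limit


def build_mdm_push_frame(device_token: bytes, push_magic: str) -> bytes:
    """Build the frame the MDM server sends to APNS for one device.

    The JSON payload is the only thing APNS forwards to the device, and for
    MDM it contains nothing but {"mdm": "<PushMagic>"}.
    """
    if len(device_token) != APNS_TOKEN_LEN:
        raise ValueError("APNS device tokens are 32 bytes")
    payload = json.dumps({"mdm": push_magic}, separators=(",", ":")).encode()
    if len(payload) > APNS_MAX_PAYLOAD:
        raise ValueError("payload exceeds legacy APNS limit")
    return (struct.pack("!BH", APNS_SIMPLE_COMMAND, len(device_token))
            + device_token
            + struct.pack("!H", len(payload))
            + payload)


def parse_push_frame(frame: bytes) -> dict:
    """Decode a simple-format frame: exactly what APNS sees on the wire."""
    command, token_len = struct.unpack_from("!BH", frame, 0)
    if command != APNS_SIMPLE_COMMAND:
        raise ValueError("not a simple-format frame")
    token = frame[3:3 + token_len]
    (payload_len,) = struct.unpack_from("!H", frame, 3 + token_len)
    start = 5 + token_len
    payload = frame[start:start + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated frame")
    return {"token": token, "payload": json.loads(payload)}


def push_carries_only_wakeup(frame: bytes) -> bool:
    """True when the push payload holds the mdm key and nothing else."""
    return set(parse_push_frame(frame)["payload"]) == {"mdm"}


# Hop 2: device -> MDM over the MDM's own port (8443 for the JSS). The device
# ignores the push content beyond matching PushMagic and PUTs an Idle status
# to the ServerURL it learned at enrollment; the command comes back in reply.
def device_checkin_body(udid: str) -> bytes:
    """Plist a device sends when it wakes up: 'I am idle, what next?'"""
    return plistlib.dumps({"Status": "Idle", "UDID": udid})


def install_profile_command(profile_payload: bytes) -> bytes:
    """Server's reply: an InstallProfile command carrying the profile bytes."""
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "InstallProfile",
                    "Payload": profile_payload},
    })


def command_request_type(command_plist: bytes) -> str:
    """Read the RequestType out of a server command plist."""
    return plistlib.loads(command_plist)["Command"]["RequestType"]


def checkin_status(checkin_plist: bytes) -> str:
    """Read the Status field out of a device check-in plist."""
    return plistlib.loads(checkin_plist)["Status"]


if __name__ == "__main__":
    token = bytes(range(APNS_TOKEN_LEN))          # constructed sample token
    frame = build_mdm_push_frame(token, "sample-push-magic")
    print("APNS payload:", parse_push_frame(frame)["payload"])
    print("only a wake-up:", push_carries_only_wakeup(frame))
    print("device says:", checkin_status(device_checkin_body("SAMPLE-UDID")))
    cmd = install_profile_command(b"<constructed .mobileconfig bytes>")
    print("server replies with:", command_request_type(cmd))
```

The practical consequence for your firewall is visible in the code: the profile bytes appear only in the server's plist on hop 2, so the only thing that must be allowed out to Apple is the push (2195/2196 from the MDM, 5223 from the clients), while the actual management traffic needs a path from every client, at work or at home, to the MDM port.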

Examples

Some examples of what the JSS can do to help manage your OS X environment, once a device has checked in, include:

  • Request Software Updates from your internal SUS over port 8088
  • Install packages from an SMB (445) or AFP (548) file share
  • Install packages from an HTTP (80) or HTTPS (443) server [1]
  • Force NetBoot, but I'm not going into the port numbers for that as there are too many.

Footnotes

  1. Be sure the certificate on your HTTPS distribution point is signed by a third-party CA the clients already trust, OR that your internal root CA is already installed on your client machines; otherwise the download fails the TLS check and the package never installs.
