
APNS and MDM: A technical update

Brad Chapman, a Jamf Certified Expert and veteran systems engineer, has supported mixed Mac/PC environments in multiple industries for more than 10 years. He works on a team of engineers managing more than 10,000 Macs and more than 40,000 PCs. He delivered this advanced-level presentation for "elite Mac admins" covering how APNs enable MDM, how MDM enables great experiences with Apple — and why you should care.

His movie-spoofing introduction left audience members in stitches, using Blade Runner-style scrolling text on the screen to introduce the main themes and styling Mac Admins as JAMF RUNNERS: part of a highly-trained, elite force searching out rogue devices. “This was not called policy execution,” read the ominous declaration, “it was called compliance.”

While this was all in fun, Chapman's message was all business: Apple push notifications have become absolutely essential for effective device deployment, and any management strategy depends on devices being able to communicate with APNS.

Before he got into the details, he did a quick summary from his last presentation on this topic in 2017:

He covered the 7 principles of APNS:

  • Push notifications are small packets of data with instructions for a device.
  • APNS uses Akamai Global Traffic Management for peak performance.
  • APNS has multiple security factors for integrity and authenticity.
  • APNS is required for secure delivery of configuration profiles.
  • Devices expect a direct, persistent path to the Internet.
  • You must permit outbound connections to Apple.
  • Apple does not make inbound connections.

APNS hosts and ports

The original 16 endpoints are still active, said Chapman, and 16 more have been added, for a grand total of 32 points of presence that resolve to roughly 2,000 IP addresses.

Rules of the road

  • Apple still owns 17.0.0.0/8
  • Apple services use certificate pinning to ensure that secure connections have not been intercepted or decrypted in transit. If a proxy terminates the TLS session and re-signs it with its own certificate, Apple will reject that connection.
  • Jamf uses the APNS binary protocol (TCP ports 2195-2196)

Hosted outside 17.0.0.0/8:

  • Init bag files
  • Software CDNs
  • OCSP Cert Validation
  • others

After bringing the packed audience up to speed, Chapman shared some big news about APNS: the legacy binary protocol ends in November 2020. Plan accordingly.

Apple wants everyone to move to the HTTP/2-based provider API, which allows:

  • High speed, parallel processing
  • Improved error handling
  • Per-notification feedback
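The rules of the road above can be turned into a repeatable check. The script below is an added example for this article, not Chapman's code and not a Jamf tool. It probes an APNS endpoint outbound, then applies the three rules: the answering address must sit in 17.0.0.0/8, the port must be one of the APNS ports, and the TLS session must be issued by Apple rather than by an inspecting proxy. The probe targets (1-courier.push.apple.com for a device, api.push.apple.com for an MDM server) and the inclusion of port 2197 for the HTTP/2 API are assumptions drawn from Apple's published host list, not from the talk summary; the verdict logic is separated from the network call so it can be tested on constructed results.

```python
"""Check one outbound path to APNS against the 'rules of the road'.

Added example (not from the presentation or Jamf). Assumed targets and the
HTTP/2 port 2197 come from Apple's published hostname list.
"""
import ipaddress
import socket
import ssl

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
# Device side (5223, 443) and provider side (2195/2196 binary, 443/2197 HTTP/2).
APNS_PORTS = {5223, 443, 2195, 2196, 2197}
# Assumed probe targets: (hostname, port); hostnames are not in the talk summary.
TARGETS = [
    ("1-courier.push.apple.com", 5223),  # Mac -> APNS
    ("api.push.apple.com", 443),         # MDM server -> APNS HTTP/2 API
]


def probe(host, port, timeout=5.0):
    """Resolve, connect outbound, finish a TLS handshake, record who answered.

    Never raises on network trouble, so a blocked path still yields a verdict.
    """
    result = {"host": host, "port": port, "ip": None, "tcp": False,
              "tls": False, "issuer_org": None, "error": None}
    try:
        result["ip"] = socket.gethostbyname(host)
        # Connect to the resolved address so the IP we judge is the one used.
        with socket.create_connection((result["ip"], port), timeout=timeout) as raw:
            result["tcp"] = True
            ctx = ssl.create_default_context()  # system trust store, hostname checked
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                # issuer is a tuple of RDNs, each a tuple of (name, value) pairs
                issuer = dict(pair for rdn in tls.getpeercert()["issuer"] for pair in rdn)
                result["issuer_org"] = issuer.get("organizationName")
    except ssl.SSLCertVerificationError as exc:
        # The handshake reached a certificate the system does not trust:
        # typical of a TLS-inspecting proxy whose CA is not installed locally.
        result["error"] = f"certificate verification failed: {exc.reason}"
    except OSError as exc:
        result["error"] = str(exc)
    return result


def evaluate(result):
    """Apply the rules to a probe result; returns (ok, list of reasons)."""
    reasons = []
    if result["ip"] is None:
        reasons.append("DNS resolution failed")
    elif ipaddress.ip_address(result["ip"]) not in APPLE_BLOCK:
        reasons.append(f"{result['ip']} is outside 17.0.0.0/8 (DNS hijack or proxy?)")
    if result["port"] not in APNS_PORTS:
        reasons.append(f"port {result['port']} is not an APNS port")
    if not result["tcp"]:
        reasons.append("outbound TCP connection blocked")
    elif not result["tls"]:
        reasons.append("TLS handshake failed: " + (result["error"] or "unknown"))
    elif result["issuer_org"] != "Apple Inc.":
        reasons.append(f"certificate issued by {result['issuer_org']!r}, not Apple: "
                       "SSL inspection in the path; Apple will reject this session")
    return (not reasons, reasons)


if __name__ == "__main__":
    for host, port in TARGETS:
        ok, reasons = evaluate(probe(host, port))
        print(f"{host}:{port} -> {'OK' if ok else 'FAIL'}", *reasons, sep="\n  ")
```

Run it from a Mac on the network segment in question; a FAIL with an issuer other than Apple Inc. is the smoking gun for the SSL-decryption problem described above, and a FAIL on TCP with the address inside 17.0.0.0/8 points at the firewall rather than at DNS.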

What’s new for Mac?

Brad outlined 10 key developments in the last two years that have dramatically altered the landscape of Mac management and how institutions regard Apple as a secure computing platform.

  • T2 Secure Boot: The T2 is a complex and powerful coprocessor that provides secure storage, a secure boot facility, real-time encryption, hardware management, and more. Data is always encrypted at rest, even if FileVault is not enabled, but without FileVault 2 the T2 decrypts the disk transparently for whoever boots the Mac, so anyone could boot to Recovery Mode and read its contents. Secure Boot ensures that only a valid, signed copy of macOS boots from the startup disk; signatures must be validated by Apple at installation time. The strictest setting is Full Security with booting from external media disallowed. Changing these settings in Startup Security Utility requires a local administrator's credentials.
  • UAKEL (User Approved Kernel Extension Loading): third-party kexts are blocked by default; the user has 30 minutes after the load attempt to approve the kext in Security & Privacy; whitelisting kexts so that no prompt appears requires a user-approved MDM profile.

Chapman explained how it used to work:

UAMDM (User Approved MDM): the MDM enrollment profile could be installed by an admin, but the user had to approve it manually in System Preferences, and the Approve button could not be clicked remotely. As a result of this change, EVERY MDM vendor had to adjust its enrollment process and documentation.

But institutions wanted a way to manage more than one MDM solution or workflow across phones, Macs, Apple TVs, and so on.

Enter Apple Business Manager and Apple School Manager!

  • Replaces the Device Enrollment Program (DEP)
  • Automated Device Enrollment
  • Multiple MDM server tokens and PreStage workflows
  • MDM profiles delivered through automated enrollment count as user-approved

TCC + PPPC

  • Users are prompted once per app for each protected resource it requests.
  • Admins can whitelist those requests with a PPPC profile, which is honored only when delivered by a user-approved MDM
  • Jamf updates often to support new TCC permissions as Apple adds them
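As an added illustration of what such a whitelist looks like (this is example code written for this article, not Chapman's or Jamf's), the script below builds a PPPC configuration profile in the payload format Apple defines for com.apple.TCC.configuration-profile-policy. The bundle identifier, Team ID and code requirement are placeholders: in practice you paste what `codesign -dr -` prints for the real app. The deny-only set encodes Apple's rule that Camera, Microphone, ScreenCapture and ListenEvent can be denied by profile but never granted, which is the mistake most often made when hand-writing these payloads.

```python
"""Generate a PPPC (Privacy Preferences Policy Control) profile for MDM delivery.

Added example, not from the presentation or Jamf. Identifier, Team ID and the
code requirement below are placeholders (assumed), not real products.
"""
import plistlib
import uuid

# Services a profile may deny but may not grant (Apple's PPPC rules).
DENY_ONLY = {"Camera", "Microphone", "ScreenCapture", "ListenEvent"}


def tcc_rule(identifier, code_requirement, allowed=True,
             identifier_type="bundleID", comment=""):
    """One entry in a service array. StaticCode stays at its default (False)."""
    if not code_requirement:
        raise ValueError("CodeRequirement is mandatory: take it from `codesign -dr -`")
    return {
        "Identifier": identifier,
        "IdentifierType": identifier_type,  # "bundleID" or "path"
        "CodeRequirement": code_requirement,
        "Allowed": allowed,                 # 10.14/10.15 key; macOS 11+ also accepts Authorization
        "Comment": comment,
    }


def build_pppc_profile(org, services, profile_id="com.example.pppc"):
    """services: {"SystemPolicyAllFiles": [rule, ...], ...}. Returns plist bytes."""
    for svc, rules in services.items():
        if svc in DENY_ONLY and any(r["Allowed"] for r in rules):
            raise ValueError(f"{svc} can only be denied via PPPC, not allowed")
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": profile_id + ".tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Privacy Preferences Policy Control",
        "PayloadOrganization": org,
        "Services": services,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": profile_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",  # PPPC payloads must be device (system) scoped
        "PayloadDisplayName": "PPPC - Management Agent",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


# Placeholder (assumed) agent and its designated requirement, as codesign would print it.
AGENT_ID = "com.example.mgmtagent"
AGENT_REQ = ('identifier "com.example.mgmtagent" and anchor apple generic and '
             'certificate leaf[subject.OU] = "ABCDE12345"')

EXAMPLE_SERVICES = {
    "SystemPolicyAllFiles": [tcc_rule(AGENT_ID, AGENT_REQ, True,
                                      comment="Full Disk Access for inventory")],
    "Accessibility": [tcc_rule(AGENT_ID, AGENT_REQ, True)],
    "ScreenCapture": [tcc_rule(AGENT_ID, AGENT_REQ, False,
                               comment="deny-only service; suppresses the prompt")],
}


def service_grants(profile_bytes):
    """Parse a profile back and list (service, identifier, allowed) for review."""
    prof = plistlib.loads(profile_bytes)
    out = []
    for payload in prof["PayloadContent"]:
        if payload["PayloadType"] != "com.apple.TCC.configuration-profile-policy":
            continue
        for svc, rules in payload["Services"].items():
            out.extend((svc, r["Identifier"], r["Allowed"]) for r in rules)
    return sorted(out)


if __name__ == "__main__":
    data = build_pppc_profile("Example Corp", EXAMPLE_SERVICES)
    for grant in service_grants(data):
        print(grant)
    with open("pppc-example.mobileconfig", "wb") as fh:
        fh.write(data)
```

The resulting .mobileconfig must be uploaded to the MDM and pushed over APNS; double-clicking it on the Mac installs it, but TCC ignores a sideloaded PPPC payload, which is exactly the "sideloaded profiles are not trusted" point made later in the talk.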

Remote Desktop

Now, says Chapman, the kickstart command no longer works for turning Remote Management on, and the ability to control and observe a Mac through it was removed during the 10.14 beta cycle.

AppleSeed for IT

This used to be invite-only, explained Chapman, and accessible only with a personal Apple ID. Now institutions can easily add their own testers via ABM / ASM.

Industrial strength

  • ISO 27001:2013 (information security management systems)
  • ISO 27018:2019 (protection of PII in public clouds)

Apple’s public facing services are certified: iCloud, iMessage, FaceTime, Siri, Apple Push Notification Service, Apple School Manager, Apple Business Manager, Apple Business Chat, iTunes U, Schoolwork, Managed Apple IDs

macOS Catalina

Chapman outlined important features Catalina brought admins:

  • App Notarization
  • Mac supervision
  • New TCC & Notification controls
  • Activation Lock, for T2 Macs only
  • MDM can bypass Activation Lock only if the Mac is supervised

See for Yourself

Before you start having conversations with higher-ups about changing the network to support Macs, says Chapman, gather data to bolster your point with one of these analysis tools:

Little Snitch

  • Exclusively for Mac: obdev.at
  • Rich UI with powerful filtering
  • Checks app code signatures
  • PCAP: Individual apps / services
  • OSI layers 3-7

Pi-Hole

  • Ultra-compact DNS server and sinkhole
  • Built for the Raspberry Pi platform
  • Also works on VMs and in Docker containers
  • Great for SoHo and test networks
  • Blacklists and whitelists, detailed logging
  • Free and open source: pi-hole.net

Wireshark

  • The ultimate packet inspector
  • Captures all traffic on an interface (OSI layers 2-7)
  • Detailed analysis and export functions
  • Can be overwhelming at first: look online for cheat sheets or an "Intro to Wireshark" for help.
  • Free and open source: www.wireshark.org
  • Chapman told viewers that the graphical user interface sometimes bogs down during long, heavy capture sessions, and suggested the command-line tools bundled in /Applications/Wireshark.app/Contents/MacOS/:
    • dumpcap -D (list the available capture interfaces)
    • dumpcap -i en# [-w outfile] (capture on interface en#, optionally writing to a file)
    • editcap -c ### infile outfile (split a large capture into files of ### packets each)

Chapman offered a live demonstration of Wireshark capturing all traffic on a local computer. The amount of information it captures is astounding; it shows basically everything that is happening on the computer. Wireshark can produce a report of all DNS records, but to make sense of what you've captured he suggests filtering it and exporting it to a .csv file.

Remember that Akamai is a content distribution network, warns Chapman. Follow DNS and whitelist accordingly:

*.akamaiedge.net
*.edgekey.net
*.edgesuite.net
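The filter-then-whitelist step above is tedious by hand once a capture holds a few thousand DNS answers. The script below is an added example written for this article (not Chapman's demo code) that reads the CSV Wireshark writes from Export Packet Dissections > As CSV with a dns filter applied, follows each CNAME chain, and sorts every queried name into three buckets: answered from 17.0.0.0/8, resolved through one of the three Akamai edge domains listed above, or "review". The embedded CSV rows are constructed for the example and the hostnames in them are illustrative; the column layout and the Info text follow Wireshark's DNS dissector.

```python
"""Triage a Wireshark DNS CSV export into an Apple/Akamai whitelist.

Added example, not from the talk. SAMPLE_CSV is constructed; hostnames are
illustrative. Only A/AAAA questions are handled, which is what a whitelist needs.
"""
import csv
import fnmatch
import io
import ipaddress
import re

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
AKAMAI_PATTERNS = ["*.akamaiedge.net", "*.edgekey.net", "*.edgesuite.net"]

# Constructed sample in Wireshark's default CSV columns, Info as the DNS dissector prints it.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"12","0.101","10.1.1.1","10.1.1.50","DNS","142","Standard query response 0x1a2b A api.push.apple.com A 17.188.166.21 A 17.188.166.22"
"15","0.204","10.1.1.1","10.1.1.50","DNS","198","Standard query response 0x2c3d A swcdn.apple.com CNAME swcdn.apple.com.edgekey.net CNAME e6858.dsce9.akamaiedge.net A 23.50.1.10"
"19","0.311","10.1.1.1","10.1.1.50","DNS","160","Standard query response 0x3e4f A ocsp.apple.com CNAME ocsp.apple.com.akadns.net A 17.253.63.8"
"23","0.412","10.1.1.1","10.1.1.50","DNS","120","Standard query response 0x5a6b A updates.example-agent.io A 203.0.113.9"
"27","0.520","10.1.1.50","10.1.1.1","DNS","90","Standard query 0x7c8d A 1-courier.push.apple.com"
'''

QUESTION_RE = re.compile(r"query response 0x[0-9a-fA-F]+ (?:A|AAAA) (\S+)")
RR_RE = re.compile(r"\b(A|AAAA|CNAME)\s+(\S+)")


def parse_responses(text):
    """Yield (queried name, [cnames], [ips]) for each DNS response row."""
    for row in csv.DictReader(io.StringIO(text)):
        info = row["Info"]
        m = QUESTION_RE.search(info)
        if not m:
            continue  # plain queries (and non-A/AAAA questions) carry no answers we need
        qname = m.group(1)
        rrs = RR_RE.findall(info[m.end():])  # answer section follows the question
        cnames = [v for t, v in rrs if t == "CNAME"]
        ips = [v for t, v in rrs if t in ("A", "AAAA")]
        yield qname, cnames, ips


def classify(qname, cnames, ips):
    """Return (bucket, reason) with bucket in {'apple', 'akamai', 'review'}."""
    if ips and all(ipaddress.ip_address(ip) in APPLE_BLOCK for ip in ips):
        return "apple", "all answers in 17.0.0.0/8"
    for name in [qname, *cnames]:
        for pat in AKAMAI_PATTERNS:
            if fnmatch.fnmatch(name, pat):
                return "akamai", f"{name} matches {pat}"
    return "review", f"answers {', '.join(ips) or 'none'} outside 17.0.0.0/8 and no Akamai CNAME"


def triage(text):
    """Map each queried name to its bucket, reason, CNAME chain and answers."""
    report = {}
    for qname, cnames, ips in parse_responses(text):
        bucket, why = classify(qname, cnames, ips)
        report[qname] = {"bucket": bucket, "why": why, "cnames": cnames, "ips": ips}
    return report


def whitelist(report):
    """Hostnames that can go straight into a firewall/proxy allow rule."""
    return sorted(n for n, r in report.items() if r["bucket"] in ("apple", "akamai"))


if __name__ == "__main__":
    rep = triage(SAMPLE_CSV)
    for name, r in rep.items():
        print(f"{r['bucket']:7} {name:28} {r['why']}")
    print("whitelist:", whitelist(rep))
```

Anything that lands in "review" is either a non-Apple product calling home or a CDN domain not on the Akamai list, and is the part worth a human look before the rule is written.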

Apple Push Notifications: HT210060

"If you leave today with only one article," said Chapman, "this is the one to read." HT210060 contains a very complete list of hostnames and ports used by Apple devices, with a description of most services. It also covers APNS and states that Apple services will not work through SSL termination (HTTPS inspection).

If you still need help with a proof-of-concept test on your network, you might want to try the Mac Evaluation Utility (MacEval). It studies a network's readiness to deploy and manage Apple devices and offers a concise report with action items. Contact an Apple SE for details.

With APNS, Chapman told the gathering, here is what's possible:

  • Automatic enrollment & supervision
  • Rapid deployment of apps
  • Delightful user experiences

How about without APNS?

"Houston," said Chapman, "we have a problem."

Impacted workflows:

  • Automated Device Enrollment; when a device can't reach Apple's activation servers…
    • Macs can skip remote management
    • The Mac ends up not enrolled and unsupervised
  • Manual enrollment
    • Fails because APNS is not reachable in your environment: the Mac installs the profiles, yet enrollment cannot be validated via APNS
  • Security policies and config profiles
    • Enforced with profiles, triggered by APNS
    • Sideloaded profiles are not trusted
    • Restrictions on computer actions, iCloud, Preference Panes…
    • FileVault configuration and key escrow
    • Special overrides only available via supervision
    • Kernel extension whitelisting
  • Software updates
    • T1 / T2: bridgeOS validation fails
    • Can't defer or force software updates
    • macOS updates cannot be verified
    • No background or critical updates
  • Management actions
    • Enable / disable Remote Desktop and Bluetooth
    • Remote lock and wipe
    • Override Activation Lock
  • User experience
    • Can't manage privacy (PPPC) or notification settings
    • No Self Service notifications
    • No remote notifications
  • Cloud services
    • No VPP / App Store
    • No FaceTime or iMessage
    • No Continuity
  • Return to service: macOS (Internet) Recovery needs a network where
    • 802.1X / RADIUS is not required (Recovery does not support it)
    • Wi-Fi is WPA2-PSK or open
    • External DNS resolution works
    • There are no proxies or SSL decryption in the path
    • Consider a limited 'deploy' SSID that meets these requirements

That's a lot of calamity! It's essential for admins to network with others in their organizations who are strong Mac advocates to help make the case for APNS.

What if Microsoft asked you to prepare for a Windows Notification Service? They did … in 2011. Chapman pointed to Microsoft's own documentation:

  • WNS Overview
  • Firewall + Proxy Configuration
  • IP addresses for MPNS + WNS

A Warning: If you don’t make changes to your network, Jamf + Apple may be unable to support you.

Prepare your institution

Chapman suggested that the audience read Apple’s knowledgebase article HT210060, and recommended it as a great place to start those tough conversations with the network and information security teams about how to trust Apple.

Think globally, not locally

Use MDM to set a baseline security posture. The organization should invest in its people with continuing security education. Continue to monitor traffic at the perimeter and log network application access. Avoid local security agents on the device to minimize impact on performance and battery life.

Why care about MDM?

  • Consistent, delightful experiences
  • A streamlined support model for IT staff: the fewer variables they have to worry about, the better they can serve
  • Empowered end users
  • Simpler support for help desk and field technicians. They can make reliable assumptions and eliminate many unknowns during troubleshooting. By giving your users self-service tools and setting consistent expectations on the Mac platform, the technology just gets out of the way and lets employees focus on doing their best work.

As you craft your information and security policies, remember the human. Assume good intent.

"Remember," Chapman said, "People are awesome."

Additional reading and resources

  • Apple: MDM Settings for IT Administrators
  • Apple: Mac Deployment Overview
  • Apple: WWDC 2019 Session 303, What's New in Managing Apple Devices
  • A Deep Dive into macOS MDM, Jesse Endahl and Max Bélanger
  • Apple Device Management, Charles Edge and Rich Trouton

Ceremony, inspired by DEPNotify and SplashBuddy:

  • GetCeremony.app
  • Slack: #ceremony
  • Demo: GitHub Gallery @ JNUC