If you’re new to Apple, the Apple Push Notification service or APNs may be a foreign concept. With Apple’s expansion in enterprises around the world, you’re likely seeing a growth in Apple adoption at your organization, or at a minimum, receiving requests for it.
This is exciting but can also be a little scary if you’re traditionally a Windows shop that now has to support, secure and manage Mac. We can help ensure your Apple implementation is a success by explaining some basic Apple concepts.
How does Apple differ from Windows management?
The key to Apple’s ease of use is its built-in management framework known as mobile device management (MDM). MDM allows IT to build configuration profiles that manage various settings inside of an operating system. These profiles are delivered over the air via APNs.
APNs was introduced with iOS 2 and the App Store as a way for third-party apps to send notifications without users needing to keep apps running. All app developers would send notifications to Apple, who would pass those notifications on to devices. APNs is a secure and highly effective service for propagating information to Apple devices.
This framework was later adopted to support the introduction of MDM. This ensures IT doesn’t have to maintain that constant connection to Apple devices.
As a critical layer for Apple deployment programs, security features and MDM, APNs is required because these capabilities cannot be leveraged through a proxy connection.
They must be accessed through a direct, secure channel with Apple, i.e., APNs.
Apple is one of the few companies who owns an entire block of IP addresses. They specifically own the entire 220.127.116.11/8 address range, validated by ARIN here. All communication via APNs takes place via this address range. Apple recommends whitelisting that entire range in your firewall to ensure proper communication from devices. Apple provides more details about the specific TCP ports used for communication here: https://support.apple.com/en-us/HT203609
Apple recommends that all managed devices communicate to Apple across an unproxied connection because Apple utilizes SSL certificate pinning now to block man-in-the-middle attacks on the SSL connection.
What are the benefits of APNs?
- Enhanced security posture for managing corporate-owned Apple assets. APNs allows you to remotely lock/wipe a lost/stolen/compromised device over the air.
- MDM is dependent on APNs for sending critical commands such as software installations or inventory updates.
- While MDM configuration profiles can be delivered to macOS “offline,” this method requires significantly more overhead than managing over the air.
- APNs allows each device to automatically check-in with the MDM server and receive any commands IT sends.
Will Google and Microsoft follow suit?
Many Google and Microsoft services are beginning to require the same level of trust and direct connection as APNs. Both of those companies have set up their own cloud notification service that maintains connections to their devices, so IT needs to embrace those services as well. APNs is critical to security and user experience. Services like App Store, iCloud Authentication and Internet Recovery won’t fully function (or not at all) without APNs. For security and proper management of your Apple devices, make sure APNs works on your network.
If you want to learn more about APNs or securing Apple, read our Security Considerations for Apple in the Enterprise white paper. We consulted enterprise IT experts to answer:
- What security features are unique to Apple
- What to consider when adding new Apple devices
- What Apple integrations are currently available