Can mobile devices communicate with APNs without port 5223?

jonathanwilson
New Contributor II

Our JSS is managing iPad kiosks in several buildings on our campus. For convenience/reliability, they all connect to the campus guest network, which is only open to ports 80 and 443. Last week, they all stopped updating inventory and didn't respond to remote commands, but they were still connected to the internet. My thought was "hey, it can't communicate with APNs!" and started looking into it. We ended up rebooting our JSS and that's when they all started checking in. I'm trying to clarify what might have happened, so I have a few questions:

1a) For mobile devices to update their inventory, the JSS is sending a command over APNs every time, whether it's the regularly scheduled update, or a manually triggered one, correct? In other words, if our JSS couldn't connect to APNs, updates would have stopped? (however, some of our mobile devices did check in during this "blackout" period)

1b) Even if the JSS couldn't communicate with APNs, our computers would still check in, because that has nothing to do with APNs, correct?

2) Can mobile devices communicate with APNs over only port 443? How would they handle port 5223 not being available?


scott_borcherdt
New Contributor II

In answer to question 2: https://support.apple.com/en-au/HT203609

TCP port 443 is required during device activation, and afterwards for fallback (on Wi-Fi only) if devices can't reach APNs on port 5223.

ericbenfer
Contributor III

To put this as plainly as possible, Apple devices should have unmolested outbound access to the Apple network (17.0.0.0/8) over TCP ports 80, 443, and 5223. Your JSS will also require outbound TCP ports 2196 and 2196.
APNS cannot be proxied.
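As an added example (not code from either poster or from Jamf), a small Python probe that tests the outbound TCP paths named in the two replies above and interprets the result using the 5223/443 fallback rule from the Apple article; the hostname `courier.push.apple.com` and the server-side port 2195 are my assumptions, not values taken from this thread.

```python
import socket
from typing import Dict

# Assumed APNs hostname for connectivity probes (not from the thread).
APNS_HOST = "courier.push.apple.com"

# Device-side ports as described in the replies: 5223 is the primary APNs
# port, 443 is the Wi-Fi-only fallback when 5223 is blocked, 80 is needed too.
DEVICE_PORTS = {5223: "APNs primary", 443: "APNs fallback (Wi-Fi only)", 80: "HTTP"}

# Server-side (JSS -> Apple) ports. 2196 is from the reply above; 2195 is the
# legacy binary-gateway port I am assuming alongside it (the reply lists 2196 twice).
JSS_PORTS = {2195: "APNs gateway (assumed)", 2196: "APNs feedback"}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str, ports: Dict[int, str]) -> Dict[int, bool]:
    """Probe every port in the table; returns {port: reachable}."""
    return {port: tcp_reachable(host, port) for port in ports}


def assess_device_path(results: Dict[int, bool], on_wifi: bool = True) -> str:
    """Apply the fallback rule: 5223 preferred, 443 only as a Wi-Fi fallback."""
    if results.get(5223):
        return "ok: APNs reachable on 5223"
    if results.get(443) and on_wifi:
        return "degraded: 5223 blocked, Wi-Fi fallback on 443 in use"
    if results.get(443):
        return "broken: 5223 blocked and the 443 fallback applies only on Wi-Fi"
    return "broken: no path to APNs on 5223 or 443"


def assess_jss_path(results: Dict[int, bool]) -> str:
    """The JSS needs every server-side port open, not just one of them."""
    blocked = sorted(p for p, ok in results.items() if not ok)
    return "ok" if not blocked else "blocked: " + ", ".join(map(str, blocked))


if __name__ == "__main__":
    dev = probe(APNS_HOST, DEVICE_PORTS)
    print({DEVICE_PORTS[p]: ok for p, ok in dev.items()}, assess_device_path(dev))
    print(assess_jss_path(probe(APNS_HOST, JSS_PORTS)))
```

Run it from the device's network (e.g. the guest Wi-Fi) for the device-side check and from the JSS host for the server-side check, since the two paths traverse different firewalls.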

jonathanwilson
New Contributor II

Thanks for the feedback! @scott.borcherdt - that's the article I needed to see! Thought I was going crazy...
I'd still like to confirm my 1a question about when devices run inventory, but I'm pretty sure the answers are "yes". I hate to chalk our problems up to server wonkiness, but I think I've dug into this as much as I can.