TL;DR: Network admins can close outgoing ports 2195/2196 to Apple's 17/A address block (17.0.0.0/8).
On 3/31/21, Apple will deprecate its binary-based push notification system in favor of an HTTP-based one. The HTTP system uses port 443, our most common friend for secure internet traffic. As a result, IT admins no longer need to make special requests to the network admins to allow “mysterious” traffic to Apple. In our IT admin world, this was a common request when setting up an on-premise MDM server: the MDM server would connect to Apple on ports 2195 and 2196 for delivery and feedback of push notifications to devices. With an MDM, messages can be sent to Apple devices so that they check in with their MDM server and possibly receive a wipe command, a request to install a new security profile, etc.
Apple developed its own “push” system as a way to communicate with Apple’s first smartphone – the iPhone – in 2007. Apple did not invent push technology, but it did “re-invent” it. A network push is a way for a server to deliver data to a client system without the client requesting it. How can a server find a client device on the internet within a sea of 10 billion devices? It doesn’t. You’ve been tricked. “Push” is a play on words. In reality, the client device initiates a connection to a server and leaves it open. In the early days of the internet this would have been impossible because it would have been considered a waste of bandwidth. Only in an era of overflowing network capacity is it possible. In 2003 RIM used push technology so that enterprises could maintain a fleet of Blackberrys and provide near-instantaneous email communication for their business employees. In this case, each organization needed its own server for clients to maintain a persistent connection to.
Apple Push Notification service (APNs) was first officially launched together with iOS 3.0 to 3rd-party (non-Apple) developers in 2009. APNs effectively created an interconnected network between the Apple mothership and all Apple devices, regardless of whether they were behind corporate or school networks. It’s effectively a complete network zone, layered on top of internet communications, that allows Apple and app makers to send real-time data to devices. Imagine thousands and thousands of gateway and courier servers provided by Apple “free of charge” to manage presence information for its billions of devices. To date, this network has been limited to sending very small payloads for the purpose of asking devices to “check in” with some other server. One of the big wins for Apple and app developers is that apps don’t need to be running on the device, each maintaining its own open notification connection. Imagine having 200 apps on your phone and 200 active open connections. By centralizing the most critical notification portion of the apps, you save device battery life and keep things interconnected.
In 2015, HTTP/2 was officially published. With it came a redesigned framing protocol that allows efficient transport of the kind of data Apple was carrying over its own proprietary system. Migrating from the fully proprietary system to a semi-proprietary one that leverages HTTP allows for some standardization, and global optimization may occur as a side effect. For 6 years, APNs ran both the machine-only binary protocol (Apple only) and the human-readable, multi-party HTTP/2 system. The HTTP/2 version includes support for JSON web tokens, among other modern, forward-looking features.
On March 31, 2021, Apple will no longer support the legacy protocol. Old apps may break. From a network and IT admin standpoint, it means we only have to worry about port 443 and no longer need to make custom requests to use ports 2195 and 2196 on the network. Brick up those old holes.
As Apple admins, understanding APNs is critical to supporting organizations that manage Apple devices. All of our hosted MDM servers have migrated to the new protocol and we expect we’ll start to hear about “broken” MDM servers in the upcoming weeks.
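Before bricking up the old holes, it is worth confirming that nothing on the network still talks to Apple on 2195/2196. The following is an added example (not from the original post or any Apple tooling) that scans egress-log lines for connections into 17.0.0.0/8 and separates hosts still using the legacy binary ports from those already on 443; the log format and all addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Apple's 17/A block: both legacy binary APNs (2195/2196) and HTTP/2 APNs (443) live here.
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
LEGACY_PORTS = {2195, 2196}   # binary APNs gateway and feedback service
HTTP2_PORT = 443              # HTTP/2 APNs

# Constructed sample lines in a simple "src -> dst:port" egress-log shape (not a real vendor format).
SAMPLE_LOG = """\
2021-03-20T10:01:02Z allow 10.1.5.20 -> 17.188.140.7:2195 tcp
2021-03-20T10:01:03Z allow 10.1.5.20 -> 17.188.140.8:2196 tcp
2021-03-20T10:02:10Z allow 10.1.5.31 -> 17.57.144.20:443 tcp
2021-03-20T10:03:00Z allow 10.1.5.40 -> 198.51.100.5:443 tcp
2021-03-20T10:04:00Z allow 10.1.5.40 -> 17.57.144.21:80 tcp
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S+) -> (\S+):(\d+) tcp$")


def classify_apns_egress(log_text):
    """Return {src_host: set(ports)} for connections into 17.0.0.0/8 on 2195, 2196 or 443.

    Traffic to non-Apple destinations, or to Apple on other ports, is ignored.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if ipaddress.ip_address(dst) not in APPLE_BLOCK:
            continue
        if port in LEGACY_PORTS or port == HTTP2_PORT:
            seen[src].add(port)
    return dict(seen)


def legacy_hosts(log_text):
    """Hosts still opening the binary APNs ports; these need migrating before the ports close."""
    return sorted(h for h, ports in classify_apns_egress(log_text).items() if ports & LEGACY_PORTS)


if __name__ == "__main__":
    for host, ports in classify_apns_egress(SAMPLE_LOG).items():
        print(host, sorted(ports))
    print("still on legacy APNs:", legacy_hosts(SAMPLE_LOG))
```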
Complete details on the APNs patent: http://patft.uspto.gov/
APNs developer reference: https://developer.apple.com/notifications/
Scott Morabito is a technologist and founder of TechTonic. He was trained as a computer scientist and resides in Concord MA.