Apple push notifications don't work in Meraki mobile device management

Article #: 1783
Product: Guardian
Castle: All

Summary

Apple push notifications in Meraki Mobile Device Management software do not work.

Problem

This software does not fully support the use of a proxy; you will need to add some domains and IPs to Guardian.

The issue is not with the Meraki software, but rather with Apple push notifications:

  • The applepushserviced daemon first does a DNS TXT query for push.apple.com [nslookup -query=txt push.apple.com].
  • This returns count=50 or some other number (n). The daemon then picks a number k between 1 and n and builds the DNS name k-courier.push.apple.com.
  • This DNS name is then resolved by Akamai DNS to an IP address in the 17.0.0.0/8 netblock, which belongs to Apple.

The Smoothwall sees courier.push.apple.com in the URL request rather than, for example, 34-courier.push.apple.com. The certificate presented by https://34-courier.push.apple.com is not a wildcard certificate; it states that it is valid only for courier.push.apple.com.
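
The lookup sequence and the certificate name mismatch described above, as an added example that is not part of the original article or of any Apple, Meraki or Smoothwall code. The TXT answer, A records and certificate name list are constructed sample data, and cert_matches is a simplified exact / single-label-wildcard check assumed for illustration.

```python
import ipaddress
import re

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")  # netblock named in this article

def parse_count(txt_answer: str) -> int:
    """Extract n from a TXT answer such as 'count=50'."""
    m = re.search(r"\bcount=(\d+)\b", txt_answer)
    if not m or int(m.group(1)) < 1:
        raise ValueError(f"no usable count in TXT answer: {txt_answer!r}")
    return int(m.group(1))

def courier_names(n: int) -> list[str]:
    """All names the daemon may pick: 1-courier ... n-courier."""
    return [f"{k}-courier.push.apple.com" for k in range(1, n + 1)]

def in_apple_netblock(ip: str) -> bool:
    """True when the resolved address falls inside 17.0.0.0/8."""
    return ipaddress.ip_address(ip) in APPLE_NET

def cert_matches(hostname: str, cert_names: list[str]) -> bool:
    """Exact match, or a wildcard covering exactly one leading label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

# Constructed sample data (not captured from a live network).
SAMPLE_TXT = '"count=50"'
SAMPLE_A_RECORDS = {"34-courier.push.apple.com": "17.0.2.10",
                    "proxy.example.test": "192.0.2.7"}
SAMPLE_CERT_NAMES = ["courier.push.apple.com"]  # no wildcard, per the article

def report():
    """Rows of (host, is courier name, in 17.0.0.0/8, certificate matches)."""
    names = courier_names(parse_count(SAMPLE_TXT))
    return [(host, host in names, in_apple_netblock(ip),
             cert_matches(host, SAMPLE_CERT_NAMES))
            for host, ip in SAMPLE_A_RECORDS.items()]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The last column is False for 34-courier.push.apple.com, which is the mismatch that makes the exceptions in the Solution section necessary.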

Solution

To make the Meraki software work:

Firewall Rules

Ports that need to be open for outgoing traffic:

  • TCP and UDP 2196 for all IPs
  • TCP and UDP 5223 for all IPs
  • TCP and UDP 49321 to 49335 for all IPs
  • TCP 443 to 17.0.0.0/8
  • TCP 80 to 17.0.0.0/8

Guardian Policies

  1. Go to Web proxy » Web proxy » Automatic configuration
  2. Add the following to the built-in exceptions:
    • push.apple.com
    • 17.0.0.0/8
  3. Add the following to Guardian » Web filter » Exceptions » Manage destination exceptions:
    • 17.0.0.0/8
  4. Add the following categories to Web proxy » Authentication » Exceptions:
    • iTunes
    • SSL / CRL
  5. Create a whitelist web filter policy for the iTunes category.
  6. Create a whitelist web filter policy for the SSL / CRL category.
  7. Move both policies to the top of the Web filter policies table.

Note: You may also need to do the above for the meraki.com domain.

Attribution:

Last updated: Author: Contributions by:
30 August 2016   DMT