Apple push notifications don't work in Meraki mobile device management

Article #: 1783
Product: Guardian
Castle: All


Apple Push notifications in Meraki Mobile Device Management Software do not work


The Meraki software does not fully support the use of a proxy, so you will need to add a number of domains and IP addresses as exceptions in Guardian.

The issue is not with the Meraki software itself, but with how Apple push notifications locate their servers:

  • applepushserviced first does a DNS TXT query for [ nslookup -query=txt ]
  • The answer is count=50, or some other number (n). The daemon then picks a number between 1 and n and uses it to build a DNS name
  • That generated name is resolved by Akamai DNS, which returns an IP address in the 17.x.x.x netblock that belongs to Apple.

What the Smoothwall sees in the URL request is therefore the generated name, not, for example, the base name. The certificate presented by is not a wildcard certificate; it says it is only valid for . Because the name changes from lookup to lookup, the proxy's certificate checks for the generated name fail, and the push connection is blocked.
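As an added illustration (this is not code from the original article, nor from Meraki or Smoothwall), the Python below mimics the lookup sequence described above and shows why a certificate issued for one fixed name cannot cover the generated name. The TXT record name, the hostname pattern and the TXT answer are placeholders and a constructed sample: the article does not reproduce the real names, so these are assumptions, not Apple's actual DNS data.

```python
import random
import re
from typing import List, Optional

# Hypothetical names used only for illustration. The article does not
# reproduce the real TXT record name or hostname pattern, so these are
# assumptions and are not Apple's actual DNS names.
TXT_RECORD_NAME = "push.example.invalid"
HOST_TEMPLATE = "{n}-push.example.invalid"

# Constructed sample of the TXT answer shape the article describes ("count=<n>").
SAMPLE_TXT_ANSWER = '"count=50"'


def parse_count(txt: str) -> int:
    """Extract n from a TXT answer of the form count=<n>."""
    m = re.search(r"count=(\d+)", txt)
    if not m:
        raise ValueError(f"no count= field in TXT answer: {txt!r}")
    n = int(m.group(1))
    if n < 1:
        raise ValueError("count must be at least 1")
    return n


def pick_hostname(n: int, rng: Optional[random.Random] = None) -> str:
    """Mimic the daemon: choose a number in 1..n and build the hostname."""
    if rng is None:
        rng = random.Random()
    return HOST_TEMPLATE.format(n=rng.randint(1, n))


def all_hostnames(n: int) -> List[str]:
    """Every name the daemon could generate: the full list a destination
    exception would have to cover if the pattern and count are known."""
    return [HOST_TEMPLATE.format(n=i) for i in range(1, n + 1)]


def cert_matches_host(cert_names: List[str], host: str) -> bool:
    """RFC 6125-style check: exact match, or a wildcard '*.' covering exactly
    one leading label. This is what an intercepting proxy has to satisfy
    before it will trust the server certificate for the requested name."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".example.invalid"
            if host.endswith(suffix):
                leading = host[: -len(suffix)]
                # the wildcard label must be present and must be a single label
                if leading and "." not in leading:
                    return True
    return False


if __name__ == "__main__":
    n = parse_count(SAMPLE_TXT_ANSWER)
    host = pick_hostname(n, random.Random(1))
    print(f"TXT {TXT_RECORD_NAME} -> count={n}; daemon will contact {host}")

    # A certificate valid only for the base name does not cover the generated name.
    fixed_cert = [TXT_RECORD_NAME]
    wildcard_cert = ["*.example.invalid"]
    print("fixed-name cert matches:", cert_matches_host(fixed_cert, host))
    print("wildcard cert matches:  ", cert_matches_host(wildcard_cert, host))
    print("names an exception list would need:", len(all_hostnames(n)))
```

Run it and the fixed-name certificate never matches the generated host, which is the failure the article describes; only a wildcard certificate (which Apple does not present here) or a proxy exception for every generated name would let the connection through. If you do know the real pattern and count, `all_hostnames()` gives you the exact list to put in the destination exceptions rather than a broad bypass.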


To make the Meraki software work:

Firewall Rules

Ports that need to be open for outgoing traffic:

  • TCP and UDP 2196 for all IPs
  • TCP and UDP 5223 for all IPs
  • TCP and UDP 49321 to 49335 for all IPs
  • TCP 443 to
  • TCP 80 to

Guardian Policies

  1. Go to Web proxy » Web proxy » Automatic configuration
  2. Add the following to the built-in exceptions:
  3. Add the following to Guardian > Web filter > Exceptions > Manage destination exceptions:
  4. Add the following categories to Web proxy > Authentication > Exceptions:
    • iTunes
    • SSL / CRL
  5. Create a whitelist web filter policy for the iTunes category.
  6. Create a whitelist web filter policy for the SSL / CRL category.
  7. Move both policies to the top of the Web filter policies table.

Note: You may also need to do the above for the domain.


Last updated: 30 August 2016
Author: DMT
Contributions by: