Apple push notifications don't work in Meraki mobile device management



The Meraki MDM software does not fully support the use of a web proxy; you will need to add a number of domains and IP addresses to Guardian as exceptions.

The issue is not with the Meraki software itself, but with the way Apple push notifications locate their servers:

The applepushserviced daemon first issues a DNS TXT query (nslookup -query=txt) for the Apple push service name.
The answer is count=50 or some other number n. The daemon then picks a number between 1 and n and builds a DNS name from it.
That generated name is handled by Akamai DNS, which returns an IP address in the 17.0.0.0/8 netblock that belongs to Apple.

The Smoothwall therefore sees the generated (numbered) name in the request, not the base name. The certificate presented by the server is not a wildcard certificate and is only valid for a single, different name, so the name in the request does not match the certificate and the connection cannot be inspected or authenticated normally.
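The following is an added example, not code from the Smoothwall article or from Apple or Meraki. It models the name-selection steps above so an administrator can enumerate every hostname a client might pick, confirm that each answer sits inside 17.0.0.0/8, and build the exception list from that, rather than allowing only the one name the daemon happens to choose; it also shows why the certificate check fails for the generated name. Everything specific is an assumption: BASE_NAME stands in for the real push service name (elided on the page), the "<k>-<base>" template is assumed, and DNS answers come from a constructed table so the script runs offline.

```python
import ipaddress
import random
import re
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical base name; the article does not show the real one.
BASE_NAME = "push.example.net"
APPLE_NETBLOCK = ipaddress.ip_network("17.0.0.0/8")

Resolver = Callable[[str, str], List[str]]

# Constructed answers standing in for the TXT record and the Akamai-served A records.
# "3-..." deliberately resolves outside 17/8 so the netblock check has something to catch.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    BASE_NAME: {"TXT": ['"count=3"']},
    f"1-{BASE_NAME}": {"A": ["17.1.2.3"]},
    f"2-{BASE_NAME}": {"A": ["17.4.5.6"]},
    f"3-{BASE_NAME}": {"A": ["203.0.113.9"]},
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS lookup (swap in dnspython or socket calls for live use)."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def parse_count(txt_records: List[str]) -> int:
    """Pull n out of a TXT answer of the form count=<n>; the daemon picks from 1..n."""
    for rec in txt_records:
        m = re.fullmatch(r"count=(\d+)", rec.strip().strip('"'))
        if m:
            return int(m.group(1))
    raise ValueError("no count=<n> TXT record in answer")


def candidate_names(base: str, n: int) -> List[str]:
    """Assumed template '<k>-<base>' for k = 1..n."""
    return [f"{k}-{base}" for k in range(1, n + 1)]


def pick_name(base: str, resolve: Resolver, rng: Optional[random.Random] = None) -> str:
    """Model of the client: one randomly chosen candidate per connection."""
    rng = rng or random.Random()
    n = parse_count(resolve(base, "TXT"))
    return f"{rng.randint(1, n)}-{base}"


def enumerate_endpoints(base: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Model of the admin: resolve every candidate and keep only answers inside 17/8."""
    n = parse_count(resolve(base, "TXT"))
    return {
        name: [ip for ip in resolve(name, "A") if ipaddress.ip_address(ip) in APPLE_NETBLOCK]
        for name in candidate_names(base, n)
    }


def exception_list(endpoints: Dict[str, List[str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split into (names to allow, IPs to allow, names with no 17/8 answer to investigate)."""
    names = sorted(n for n, ips in endpoints.items() if ips)
    ips = sorted({ip for ips in endpoints.values() for ip in ips}, key=ipaddress.ip_address)
    suspicious = sorted(n for n, ips in endpoints.items() if not ips)
    return names, ips, suspicious


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """Hostname check an inspecting proxy performs: exact match, or a '*.' wildcard
    covering exactly one leading label. A certificate issued only for the base name
    does not cover '<k>-<base>', which is the mismatch described above."""
    host = hostname.lower().rstrip(".")
    for pattern in cert_names:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


if __name__ == "__main__":
    endpoints = enumerate_endpoints(BASE_NAME, fake_resolve)
    names, ips, suspicious = exception_list(endpoints)
    print("allow names:", names)
    print("allow IPs:  ", ips)
    print("investigate:", suspicious)
    chosen = pick_name(BASE_NAME, fake_resolve)
    print(f"client picked {chosen}; cert for {BASE_NAME} covers it: {cert_covers([BASE_NAME], chosen)}")
```

The split returned by exception_list is the point of the exercise: names that resolve into Apple's netblock go into the firewall and proxy exceptions, while a candidate that resolves elsewhere is reported for investigation instead of being allowed, so a bad or hijacked answer does not silently end up in the allow list.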


To make the Meraki software work:

Firewall Rules

Ports that need to be open for outgoing traffic:

  • TCP and UDP 2196 for all IPs
  • TCP and UDP 5223 for all IPs
  • TCP and UDP 49321 to 49335 for all IPs
  • TCP 443 to
  • TCP 80 to

Guardian Policies

  1. Go to Web proxy » Web proxy » Automatic configuration.
  2. Add the following to the built-in exceptions:
  3. Add the following to Guardian » Web filter » Exceptions » Manage destination exceptions:
  4. Add the following categories to Web proxy » Authentication » Exceptions:
  5. Create a whitelist web filter policy for the iTunes category.
  6. Create a whitelist web filter policy for the SSL / CRL category.
  7. Move both policies to the top of the Web filter policies table.

Note: You may also need to do the above for the domain.


Last updated: 30 August 2016



Copyright © 2000-2018 Smoothwall All rights reserved.