Skip to main content

Apple Push Notification Service

What

  • Like to know a new message has been sent?
  • Want to see how many messages are unread from the Home Screen, per App?

APNs is the Apple service FileWave uses to wake Apple devices for MDM/DDM check-ins. The device still contacts the FileWave server for the actual management commands; APNs only delivers the wake-up notification.

Push notifications allow apps to notify users with alerts, sounds, badges, or silent updates. Users control which notifications are visible or silenced in Settings.

Developers of apps that use APNs register their app with Apple and integrate the APNs token into their app server.

FileWave administrators generate the APNs token as part of the Apple MDM setup covered in the related certificate articles.

For APNs to work, the app and third-party server must trust Apple’s APNs service. Their trust stores must include the current Apple APNs root certificate.

APNs Certificate Update:

At times the Root Certificate used by APNs will require replacing, prior to expiry.

APNs Cert

Service

Up to Date

From Date

Expiry Date

AAA Certificate Services root certificate


Sandbox

Jan 2025

-

Dec 31 23:59:59 2028 GMT


Production

Feb 2025

-

SHA-2 Root : USERTrust RSA Certification Authority certificate

Sandbox

-

Jan 2025

Jan 18 23:59:59 2038 GMT

 

Production

-

Feb 2025

Apple will supply information when this occurs, ensuring developers of Apps and providers of 3rd party servers update their products.

FileWave Server already includes both of the above listed certificates within its Trust Store.

Third-party apps

Installing an app that requires APNs registers that app with APNs, and the device receives a unique device token for that app.

Messages pushed can include:

  • Display Alert Message to User
  • Apply Badge Icon to App’s Icon
  • Play a Sound
  • Deliver Notification Silently

Both Message and Unique Device Token are sent by the App’s Server when attempting to initiate a notification.

Notifications are relayed through Apple’s APNs service. When the device receives the notification, it acts according to the payload, such as displaying a message to the user.

In essence, the message payload therefore consists of:

  • APS Dictionary: Message content
  • Alert Keys: Assist notification processing, e.g. an identifier to a particular conversation of a messaging app.
  • Device ID: Unique Device Token

The App should contain the current APNs Root Certificate within its Trust Store

MDM/DDM

MDM and DDM communication also rely on APNs, with a few important differences from user-facing app notifications:

  • The act of enrolment is equivalent to installing the App, initiating the receipt of the Unique Device Token.
  • The App in question is a binary, included in the Operating System by Apple: '/usr/libexec/mdmclient'.
  • APS dictionary should not be included in the payload from an MDM server.

MDM APNs messages are only a request for the device to contact the MDM server. Commands are sent directly between the device and the MDM server after the device checks in.

Since Apple are the developers of the 'mdmclient', Apple manage its Trust Store.  Apple’s list of supported Root Certificates per OS version are available from their KB:

https://support.apple.com/en-gb/103272