Apple Push Notification Service
What
- Like to know a new message has been sent?
- Want to see how many messages are unread from the Home Screen, per App?
APNs is the Apple service FileWave uses to wake Apple devices for MDM/DDM check-ins. The device still contacts the FileWave server for the actual management commands; APNs only delivers the wake-up notification.
Push notifications allow apps to notify users with alerts, sounds, badges, or silent updates. Users control which notifications are visible or silenced in Settings.
Developers of apps that use APNs register their app with Apple and integrate the APNs token into their app server.
FileWave administrators generate the APNs token as part of the Apple MDM setup covered in the related certificate articles.
For APNs to work, the app and third-party server must trust Apple’s APNs service. Their trust stores must include the current Apple APNs root certificate.
APNs Certificate Update:
At times the Root Certificate used by APNs will require replacing, prior to expiry.
|
APNs Cert |
Service |
Up to Date |
From Date |
Expiry Date |
|
AAA Certificate Services root certificate |
Sandbox |
Jan 2025 |
- |
Dec 31 23:59:59 2028 GMT |
|
Production |
Feb 2025 |
- |
||
|
SHA-2 Root : USERTrust RSA Certification Authority certificate |
Sandbox |
- |
Jan 2025 |
Jan 18 23:59:59 2038 GMT
|
|
Production |
- |
Feb 2025 |
Apple will supply information when this occurs, ensuring developers of Apps and providers of 3rd party servers update their products.
FileWave Server already includes both of the above listed certificates within its Trust Store.
Third-party apps
Installing an app that requires APNs registers that app with APNs, and the device receives a unique device token for that app.
Messages pushed can include:
- Display Alert Message to User
- Apply Badge Icon to App’s Icon
- Play a Sound
- Deliver Notification Silently
Both Message and Unique Device Token are sent by the App’s Server when attempting to initiate a notification.
Notifications are relayed through Apple’s APNs service. When the device receives the notification, it acts according to the payload, such as displaying a message to the user.
In essence, the message payload therefore consists of:
- APS Dictionary: Message content
- Alert Keys: Assist notification processing, e.g. an identifier to a particular conversation of a messaging app.
- Device ID: Unique Device Token
The App should contain the current APNs Root Certificate within its Trust Store
MDM/DDM
MDM and DDM communication also rely on APNs, with a few important differences from user-facing app notifications:
- The act of enrolment is equivalent to installing the App, initiating the receipt of the Unique Device Token.
- The App in question is a binary, included in the Operating System by Apple: '/usr/libexec/mdmclient'.
- APS dictionary should not be included in the payload from an MDM server.
MDM APNs messages are only a request for the device to contact the MDM server. Commands are sent directly between the device and the MDM server after the device checks in.
Since Apple are the developers of the 'mdmclient', Apple manage its Trust Store. Apple’s list of supported Root Certificates per OS version are available from their KB: