Apple Push Notification Service

What

APNs is the Apple service FileWave uses to wake Apple devices for MDM/DDM check-ins. The device still contacts the FileWave server for the actual management commands; APNs only delivers the wake-up notification.

Push notifications allow apps to notify users with alerts, sounds, badges, or silent updates. Users control which notifications are visible or silenced in Settings.

Developers of apps that use APNs register their app with Apple and integrate the APNs token into their app server.

FileWave administrators generate the APNs token as part of the Apple MDM setup covered in the related certificate articles.

For APNs to work, the app and third-party server must trust Apple’s APNs service. Their trust stores must include the current Apple APNs root certificate.

APNs Certificate Update:

At times the Root Certificate used by APNs will require replacing, prior to expiry.

APNs Cert

Service

Up to Date

From Date

Expiry Date

AAA Certificate Services root certificate


Sandbox

Jan 2025

-

Dec 31 23:59:59 2028 GMT


Production

Feb 2025

-

SHA-2 Root : USERTrust RSA Certification Authority certificate

Sandbox

-

Jan 2025

Jan 18 23:59:59 2038 GMT

 

Production

-

Feb 2025

Apple will supply information when this occurs, ensuring developers of Apps and providers of 3rd party servers update their products.

FileWave Server already includes both of the above listed certificates within its Trust Store.

Third-party apps

Installing an app that requires APNs registers that app with APNs, and the device receives a unique device token for that app.

Messages pushed can include:

Both Message and Unique Device Token are sent by the App’s Server when attempting to initiate a notification.

Notifications are relayed through Apple’s APNs service. When the device receives the notification, it acts according to the payload, such as displaying a message to the user.

In essence, the message payload therefore consists of:

The App should contain the current APNs Root Certificate within its Trust Store

MDM/DDM

MDM and DDM communication also rely on APNs, with a few important differences from user-facing app notifications:

MDM APNs messages are only a request for the device to contact the MDM server. Commands are sent directly between the device and the MDM server after the device checks in.

Since Apple are the developers of the 'mdmclient', Apple manage its Trust Store.  Apple’s list of supported Root Certificates per OS version are available from their KB:

https://support.apple.com/en-gb/103272


Revision #4
Created 2024-12-10 13:28:41 UTC by Sean Holden
Updated 2026-06-25 13:40:07 UTC by Josh Levitsky