Upcoming changes to Apple Push Notification Service (APNs) protocol
What is APNs?
Apple Push Notification service, or APNs, is a service provided by Apple that allows third-party servers to send ‘push notifications’ to Apple devices (macOS, iOS and tvOS).
These third-party servers include:
- Mobile Device Management (MDM) servers, such as Jamf Pro
- Application servers, such as those behind Twitter, Facebook and so on
For MDM servers it is worth being precise about what APNs does: the push itself carries no management command, only a short token (the PushMagic) that tells the device to check in with its MDM server. The server then delivers whatever commands are queued. That wake-up is what makes the following possible:
- Installing/removing configuration profiles
- Installing/removing applications via the App Store
- Issuing device commands (e.g. Lock, Wipe etc)
- General communication between Apple devices and the MDM server
What is changing?
The upcoming change only affects the connection between the MDM or application server and the APNs service hosted by Apple. Communication between APNs and the client devices is unaffected, and nothing changes on the devices themselves.
When Apple first introduced APNs in 2009, providers spoke to it using what was known as the ‘binary protocol’.
The communication between the server and APNs was over port 2195 to gateway.push.apple.com for sending notifications, and port 2196 to feedback.push.apple.com for the feedback service (the list of device tokens that had stopped responding).
In 2015, Apple introduced a new version of the APNs provider API based on HTTP/2, which brought a number of advantages. It runs over port 443 (with 2197 as an alternative), carries the JSON notification payload in an ordinary HTTP request body rather than a custom binary frame, raises the maximum payload size from 2 KB to 4 KB, returns an HTTP status and error reason for every notification instead of relying on the separate feedback service, and can authenticate the provider with either the existing push certificate or a signed provider token.
This new version connects to api.push.apple.com (api.sandbox.push.apple.com for development builds).
When this new version was introduced, Apple marked the binary protocol as legacy and informed developers and MDM providers that they should start migrating to the new protocol.
We now have a confirmed cut off date.
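To make the change concrete, here is an added example (written for this post, not code from dataJAR, Jamf or Apple) that builds one MDM wake-up notification both ways: as a Format 2 frame for the legacy binary protocol, and as the equivalent HTTP/2 request. The device token, PushMagic and MDM topic are constructed sample values; the hostnames and ports are the public APNs endpoints. The last function is an optional egress check that opens a TLS connection to api.push.apple.com and reports whether HTTP/2 (ALPN "h2") was negotiated, which is the same connectivity a migrated Jamf Pro server needs; it is only called when the script is run directly, since it requires network access.

```python
"""Side by side: a legacy binary APNs frame and its HTTP/2 provider-API equivalent.

Added example, not code from dataJAR, Jamf or Apple. Hostnames and ports are the
public APNs endpoints; the device token, PushMagic and MDM topic below are
constructed sample values, not real credentials.
"""
import json
import socket
import ssl
import struct
import uuid

LEGACY_HOST, LEGACY_PORT = "gateway.push.apple.com", 2195  # binary protocol, retired 31 March 2021
HTTP2_HOST, HTTP2_PORT = "api.push.apple.com", 443         # HTTP/2 provider API (2197 is the alternative port)
LEGACY_MAX_PAYLOAD = 2048  # bytes allowed by the binary protocol
HTTP2_MAX_PAYLOAD = 4096   # bytes allowed by the HTTP/2 API

# Constructed sample values (assumptions for the example, not real devices or certificates).
DEVICE_TOKEN = bytes(range(32))                            # 32-byte APNs device token
PUSH_MAGIC = "A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D"         # PushMagic the device gave the MDM at enrolment
MDM_TOPIC = "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000"  # UID of the MDM push certificate


def mdm_payload(push_magic: str) -> bytes:
    """An MDM push carries only the PushMagic; the device then checks in to fetch its commands."""
    return json.dumps({"mdm": push_magic}).encode()


def build_legacy_frame(token: bytes, payload: bytes, ident: int, expiry: int, priority: int) -> bytes:
    """Format 2 frame of the legacy binary API: command byte 2, 4-byte frame length, then items."""
    if len(payload) > LEGACY_MAX_PAYLOAD:
        raise ValueError("payload exceeds the binary-protocol limit")
    items = [
        (1, token),                         # item 1: device token (32 bytes)
        (2, payload),                       # item 2: JSON payload
        (3, struct.pack("!I", ident)),      # item 3: notification identifier
        (4, struct.pack("!I", expiry)),     # item 4: expiration, UNIX seconds (0 = do not store for retry)
        (5, struct.pack("!B", priority)),   # item 5: priority (10 = immediate, 5 = power-considerate)
    ]
    body = b"".join(struct.pack("!BH", item_id, len(data)) + data for item_id, data in items)
    return struct.pack("!BI", 2, len(body)) + body


def parse_legacy_frame(frame: bytes) -> dict:
    """Decode a Format 2 frame back into its items (handy when reading an old packet capture)."""
    command, length = struct.unpack("!BI", frame[:5])
    if command != 2 or len(frame) != 5 + length:
        raise ValueError("not a well-formed Format 2 frame")
    items, pos = {}, 5
    while pos < len(frame):
        item_id, size = struct.unpack("!BH", frame[pos:pos + 3])
        items[item_id] = frame[pos + 3:pos + 3 + size]
        pos += 3 + size
    return {
        "token": items[1],
        "payload": items[2],
        "ident": struct.unpack("!I", items[3])[0],
        "expiry": struct.unpack("!I", items[4])[0],
        "priority": items[5][0],
    }


def build_http2_request(token: bytes, payload: bytes, topic: str, push_type: str,
                        expiry: int, priority: int, apns_id: str = "") -> dict:
    """The same notification as an HTTP/2 request: token in the path, the other items as apns-* headers."""
    if len(payload) > HTTP2_MAX_PAYLOAD:
        raise ValueError("payload exceeds the HTTP/2 limit")
    return {
        "method": "POST",
        "path": f"/3/device/{token.hex()}",
        "headers": {
            "apns-topic": topic,
            "apns-push-type": push_type,            # "mdm" for MDM pushes, "alert" for app notifications
            "apns-id": apns_id or str(uuid.uuid4()),
            "apns-expiration": str(expiry),
            "apns-priority": str(priority),
        },
        "body": payload,
    }


def probe_http2(host: str = HTTP2_HOST, port: int = HTTP2_PORT, timeout: float = 5.0) -> str:
    """Egress check for a Jamf Pro host: open TLS to APNs and report the ALPN protocol negotiated.
    "h2" means HTTP/2 is reachable; needs network access, so it is only called from __main__."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol() or "none"


if __name__ == "__main__":
    payload = mdm_payload(PUSH_MAGIC)
    frame = build_legacy_frame(DEVICE_TOKEN, payload, ident=1, expiry=0, priority=10)
    req = build_http2_request(DEVICE_TOKEN, payload, MDM_TOPIC, "mdm", expiry=0, priority=10)
    print(f"legacy: {len(frame)}-byte frame to {LEGACY_HOST}:{LEGACY_PORT}")
    print(f"HTTP/2: {req['method']} {req['path']} to {HTTP2_HOST}:{HTTP2_PORT} with {req['headers']}")
    try:
        print("ALPN negotiated with APNs:", probe_http2())
    except OSError as exc:
        print("could not reach APNs on TCP 443 (check outbound firewall rules):", exc)
```

The frame builder and parser show what was on the wire before: the device token and the payload packed into binary items, with errors reported asynchronously and dead tokens collected separately from the feedback service. In the HTTP/2 form the same token goes into the request path and the identifier, expiry and priority become apns-* headers, so every request gets its own HTTP status and error reason. Both forms carry exactly the same JSON body; for MDM that is just the PushMagic, which is why the switch is invisible to the managed devices.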
When is the change happening?
Apple has confirmed, as of March 31, 2021, APNs will no longer support the legacy binary protocol. After this date, any server still using the binary protocol will no longer function with APNs.
Who does it affect?
In relation to MDM vendors, here is a breakdown of who it may and may not affect:
dataJAR hosted Jamf Pro
dataJAR will be migrating all customers to the new protocol automatically as part of our standard maintenance procedures. The change will be completely transparent to our customers; no action is required.
Jamf Cloud hosted Jamf Pro
If your Jamf Pro server is hosted in Jamf Cloud, here is what you need to know:
- If your Jamf Pro instance has been updated to version 10.23 or later, your instance has already been moved to the HTTP/2 protocol.
- If your instance is still on a version earlier than 10.23, contact Jamf as soon as possible and ask them to update it to at least 10.23. Once updated, the HTTP/2 protocol will be enabled. Failure to update before March 31, 2021 will result in loss of communication with APNs, and your devices will no longer be manageable.
Self hosted Jamf Pro
Depending on the version of Jamf Pro you are running, these are the actions you need to take:
- First, make sure you are running at least v10.23.
- If you upgrade to the upcoming v10.28, the upgrade enables HTTP/2 automatically.
- If you are running v10.23 – v10.27, you can enable it manually:
  - In Jamf Pro, navigate to Settings > Push Certificates > MDM Push Notification Certificate.
  - Select the HTTP/2 protocol and port 443.
  - Test the connection by clicking the Test button.
  - Restart Tomcat.
- If you are running a version prior to v10.23, either:
  - Upgrade to the current release, v10.27, and manually enable HTTP/2 as outlined above; or
  - Wait and upgrade to v10.28, which will enable HTTP/2 automatically.
Whichever route you take, check beforehand that the Jamf Pro server can make outbound TCP 443 connections to api.push.apple.com (Apple's 17.0.0.0/8 address block); the Test button cannot succeed if that egress is blocked. Once HTTP/2 is in use, the firewall rules for ports 2195 and 2196 to gateway.push.apple.com and feedback.push.apple.com are no longer needed and can be retired.