Apple Push Notification Service (APNs)

Apple Push Notification service (APNs) is the MDM protocol created by Apple to manage their devices. It requires the MDM provider to have a valid APNs certificate configured and routes all commands through Apple's central cloud messaging servers.

Initiating an APNs command leads to the following:

  • When an iOS device is enrolled, an APNs token is generated that is connected to a specific device. The generated token is known to both the Workspace ONE UEM console and the APNs servers.
  • Once enrolled, a device always (connectivity permitting) exhibits an active connection to Apple's APNs servers.
  • When a command is initiated in the UEM console (such as a profile push or a device lock command), the following steps occur:
    • An entry is stored in the Device Command Queue in the UEM database. The entry contains a specific ID attached to the type of command initiated.
    • The UEM server (either console or device services, depending on where the command was initiated) reaches out to the APNs servers with the APNs token tied to that specific device.
  • The APNs server validates the token and informs the device to connect to the MDM server to receive a command.
  • The device connects to the device services server. Upon establishing this connection, the device receives all pending commands from the Device Command Queue.

Apple Push Notification Service (APNs) Certificate

To manage iOS devices, you must first obtain an Apple Push Notification Service (APNs) certificate. An APNs certificate allows the UEM console to communicate securely with Apple devices and report information back to the UEM console.

Per Apple's Enterprise Developer Program, an APNs certificate is valid for one year and then must be renewed. The UEM console sends reminders through Notifications as the expiration date nears. Your current certificate is revoked when you renew from the Apple Development Portal, which prevents device management until you upload the new one. Plan to upload your certificate immediately after it is renewed. Consider using a different certificate for each environment if you use separate production and test environments.

Apple Push Notification Service Workflow

Understand the backend workflow of the Apple Push Notification Service before initiating MDM management on Apple devices.

  1. A system administrator remotely performs MDM actions such as lock device, clear device passcode, device wipe, and break MDM from the UEM console.

    A notification is queued in the FastLaneAPNsOutBound queue, where the Workspace ONE Messaging Service picks it up and sends it to the APNs server. Later, a command is queued in the AWEventLog queue and picked up by the EntityChangeQueueMonitor service, which queues the command in the Workspace ONE database server.

  2. The device always has an active connection to APNs. All communication to APNs is inbound, and the device is constantly checking with APNs. The APNs servers let the device know when MDM has a command waiting for it.

  3. Once the device receives the push notification, it checks in to the Workspace ONE device services server.

  4. The device services server checks whether any command is queued for that particular device (based on DeviceID) in the Workspace ONE database server.

  5. The device services server pulls the command that is already queued for that device from the Workspace ONE database server.

  6. Device services generates XML and sends it to the device. The native MDM agent (the MDM profile installed on the device) then performs the required action on the device.
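The workflow above and the certificate renewal caveat, as an added example (a toy in-memory model, not Workspace ONE or Apple code): the push only wakes the device, commands are delivered at check-in, and commands queued while the APNs certificate is invalid stay pending until a valid certificate is in place. All class, method and command names are hypothetical, the dates are constructed, and the pending-until-renewal behaviour is an assumption of the model that follows from the steps as described.

```python
# Toy model of the flow above. All names are hypothetical; not Workspace ONE or Apple code.
import secrets
from collections import defaultdict, deque
from datetime import date

class Apns:  # stand-in for Apple's push servers: validates the token, wakes the device
    def __init__(self):
        self.devices = {}                      # push token -> Device
    def push(self, token, cert_expiry, today):
        if today > cert_expiry:                # APNs certificate no longer valid
            return "rejected: certificate"
        device = self.devices.get(token)
        if device is None:                     # token not tied to an enrolled device
            return "rejected: token"
        device.wake()                          # the push itself carries no command
        return "delivered"

class MdmServer:
    def __init__(self, apns, cert_expiry):
        self.apns, self.cert_expiry = apns, cert_expiry
        self.tokens = {}                       # device id -> push token
        self.queue = defaultdict(deque)        # stand-in for the Device Command Queue
    def enroll(self, device):
        token = secrets.token_hex(16)          # token generated at enrollment
        self.tokens[device.device_id] = token
        self.apns.devices[token] = device      # token is known to both sides
        device.server = self
    def send(self, device_id, command, today):
        self.queue[device_id].append(command)  # store the command first
        return self.apns.push(self.tokens[device_id], self.cert_expiry, today)
    def check_in(self, device_id):
        pending = list(self.queue[device_id])  # device receives all pending commands
        self.queue[device_id].clear()
        return pending

class Device:
    def __init__(self, device_id):
        self.device_id, self.server, self.executed = device_id, None, []
    def wake(self):                            # on push: connect to device services
        self.executed += self.server.check_in(self.device_id)

def demo():
    mdm = MdmServer(Apns(), cert_expiry=date(2025, 6, 1))   # constructed dates
    phone = Device("device-1")
    mdm.enroll(phone)
    results = [mdm.send("device-1", "lock", date(2025, 5, 1)),
               mdm.send("device-1", "profile", date(2025, 6, 2))]  # certificate lapsed
    mdm.cert_expiry = date(2026, 6, 1)                      # new certificate uploaded
    results.append(mdm.send("device-1", "clear-passcode", date(2025, 6, 3)))
    return results, phone.executed
```

In `demo()`, the "profile" command sent during the certificate gap reaches the device only with the next successful push, which is why an unplanned renewal shows up operationally as a backlog of undelivered commands.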
