
Most of the ports that are used only need to be open in an outgoing direction; for a home network, routers and firewalls usually allow all ports to be open in an outgoing direction. However on an enterprise network it is often the case that only specific ports out and to specific addresses are opened. For example, port 80 (http) might only be open in an outgoing direction for traffic from a corporate proxy server and this means all other devices are forced to send their http traffic via the proxy server. More specifically to the case of APN, see. To make this clearer, ports 21 need to be allowed out from the Profile Manager server to Apple's servers.

As you mentioned, Apple's servers use an entire 17.0.0.0/8 block, i.e. 17.anything, and you therefore need to allow to any 17.x.x.x. Tell your IT people (the truth) that the entire 17 block is officially registered to Apple. I can tell you that I have worked in a Government department and had no problem getting this authorised because it is necessary and true.

Similarly port 5223 also needs to be allowed out from the Profile Manager server to the same Apple block. Note: Ports 2195, 2916, and 5223 cannot go via a proxy server, not even a SOCKS proxy server. Ports 443, 80, and 1640 on your Profile Manager server all need to be reachable by your client devices. If your client devices connect internally, e.g. on an internal WiFi that is part of your internal network, and don't go via the firewall, then you would not need to alter anything; however this is extremely unlikely, especially as you are using iPhones, which almost de facto will spend most of their time outside your network. Therefore you will need to allow those ports in to the Profile Manager server from any address on the Internet. Furthermore the DNS name of the Profile Manager server needs to be resolvable on the Internet. This would normally mean the Profile Manager server needs to have a public IP address rather than a NATed private IP address. However if you run a 'split-horizon' domain where internally it resolves to the internal private IP address, and externally resolves to one of (or your only) public IP addresses, and you have your router 'port-forward' that to the internal IP address, then this will also work.

The way all this works is basically as follows. The Profile Manager needs to send a new profile to an iPhone; to do this it tells Apple's APN servers that there is a message for a specific iPhone (Profile Manager has no idea what address to use to reach the iPhone, but Apple's APN server does). The iPhone will be regularly talking to Apple's APN server and hence Apple's APN knows its address; the iPhone receives a message from the APN server saying 'you need to call home to the Profile Manager server at address xyz'. The iPhone then 'phones home' to the Profile Manager server via port 443. The Profile Manager and iPhone are now able to communicate directly and the updated profile is delivered to the iPhone. In other words Apple's APN server acts as a middle man.
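The firewall requirements in the post above (outbound ports 2195, 2916 and 5223 from the Profile Manager server to the whole 17.0.0.0/8 Apple block, none of them via a proxy; inbound 443, 80 and 1640 to the Profile Manager server from any Internet address) can be checked mechanically against a proposed allow-list before the change request goes to the network team. The following is an added example and not code from the post or from Apple: the `Rule`/`Flow` model and the `audit` function are my own, the Profile Manager address 203.0.113.10 and the two sample policies are constructed for illustration, and the port numbers are taken exactly as the post gives them.

```python
"""Audit a firewall allow-list against the APN / Profile Manager flows.

Rule and Flow are a constructed model for this example; real firewalls
express the same idea in their own syntax. Addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")          # whole block, as the post says
PM_HOST = ipaddress.ip_network("203.0.113.10/32")        # constructed: Profile Manager's public IP


@dataclass(frozen=True)
class Rule:
    """One allow entry: traffic from src to dst on port (None = any port).

    via_proxy=True means the rule only admits traffic that goes through a
    proxy server, which the post says is not acceptable for the APN ports.
    """
    src: str
    dst: str
    port: Optional[int] = None
    via_proxy: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int
    proxy_ok: bool


# Flows the post requires. Egress must reach every address in 17.0.0.0/8,
# ingress must be reachable from any Internet address.
REQUIRED_FLOWS: List[Flow] = [
    Flow("APN egress", PM_HOST, APPLE_BLOCK, p, proxy_ok=False) for p in (2195, 2916, 5223)
] + [
    Flow("device ingress", ANY, PM_HOST, p, proxy_ok=True) for p in (443, 80, 1640)
]


def rule_covers(rule: Rule, flow: Flow) -> bool:
    """True when the rule admits the *entire* flow (whole src and dst ranges)."""
    port_ok = rule.port is None or rule.port == flow.port
    return (port_ok
            and flow.src.subnet_of(ipaddress.ip_network(rule.src))
            and flow.dst.subnet_of(ipaddress.ip_network(rule.dst)))


def audit(rules: List[Rule]) -> List[str]:
    """Return a list of problems; an empty list means every required flow is satisfied."""
    problems = []
    for flow in REQUIRED_FLOWS:
        matches = [r for r in rules if rule_covers(r, flow)]
        if not matches:
            problems.append(f"missing: {flow.name} {flow.src} -> {flow.dst} port {flow.port}")
        elif not flow.proxy_ok and all(r.via_proxy for r in matches):
            problems.append(f"proxy-only: {flow.name} port {flow.port} is only allowed via a proxy")
    return problems


# Constructed enterprise policy with two mistakes: 5223 only via a SOCKS proxy,
# and no inbound rule for 1640. Port 80 inbound is satisfied by the proxy rule,
# which is fine because the post only forbids proxies for the APN ports.
BROKEN_POLICY = [
    Rule("0.0.0.0/0", "0.0.0.0/0", 80, via_proxy=True),
    Rule("203.0.113.10/32", "17.0.0.0/8", 2195),
    Rule("203.0.113.10/32", "17.0.0.0/8", 2916),
    Rule("203.0.113.10/32", "17.0.0.0/8", 5223, via_proxy=True),
    Rule("0.0.0.0/0", "203.0.113.10/32", 443),
]

# Same policy with both problems corrected.
FIXED_POLICY = [
    Rule("0.0.0.0/0", "0.0.0.0/0", 80, via_proxy=True),
    Rule("203.0.113.10/32", "17.0.0.0/8", 2195),
    Rule("203.0.113.10/32", "17.0.0.0/8", 2916),
    Rule("203.0.113.10/32", "17.0.0.0/8", 5223),
    Rule("0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("0.0.0.0/0", "203.0.113.10/32", 1640),
]

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit(policy) or "OK")
```

The check is deliberately strict about coverage: a rule that allows 5223 to a single Apple address does not satisfy the flow, because the post's point is that the server must be able to reach any 17.x.x.x host, and a narrower rule will work until Apple's load balancing sends the connection somewhere else.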
