Supporting Apple Push Notification Service (APNs) Over HTTP/2

The Apple Push Notification service (APNs) no longer supports the legacy binary protocol as of March 2021 per the APNs provider API deadline update from Apple. Beginning with Jamf Pro 10.28.0, HTTP/2 is the default protocol for connections to APNs. This means that all mobile device management (MDM) communication, such as remote commands, configuration profiles, applications, and push notifications, is handled by the HTTP/2 protocol.

HTTP/2 Protocol Ports

Previously, APNs communication used a binary protocol over ports 2195 and 2196. The HTTP/2 protocol uses port 443 by default. For the Jamf Pro on-premise environment, there is an optional setting to enable communication on port 2197. Use this port when you want to allow APNs traffic through the firewall while blocking other HTTPS traffic.

Enabling the HTTP/2 Protocol in Jamf Pro

In on-premise environments, Jamf Pro 10.23.0 or later allows you to enable or disable communication with APNs via HTTP/2. Beginning with Jamf Pro 10.28.0, if you want to continue to use the binary protocol, you must explicitly change the MDM Push Notification Certificate settings. To ensure your existing Jamf Pro server infrastructure will communicate over HTTP/2 after the change, it is recommended to test the communication after making changes to this setting.

Note:

The HTTP/2 protocol is enabled automatically for all cloud-hosted environments and you cannot change this setting. To view the protocol that is used for connections with APNs, navigate to Settings > Push Certificates > MDM Push Notification Certificate.

  1. In Jamf Pro, navigate to Settings > Push Certificates > MDM Push Notification Certificate.
  2. Click Edit.
  3. Select the protocol you want to use for connections with APNs.
  4. (Optional) Select the port.
  5. Test the connection.
  6. When the test is successful, click Save.
  7. Restart Tomcat.
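
The following is an added example, not part of Jamf Pro or Jamf's documentation: a network-side check, run from the Jamf Pro server, that the port selected in step 4 completes a verified TLS handshake and negotiates HTTP/2. The host name api.push.apple.com and the function names probe and assess are assumptions of this example; the page itself names only the ports.

```python
import socket
import ssl

# Assumption: api.push.apple.com is the production APNs provider API host;
# the page names only the ports (443 by default, 2197 optional).
APNS_HOST = "api.push.apple.com"
HTTP2_PORTS = (443, 2197)


def probe(host, port, timeout=5.0):
    """Attempt a verified TLS handshake offering ALPN "h2" and report the outcome."""
    ctx = ssl.create_default_context()      # verifies certificate chain and hostname
    ctx.set_alpn_protocols(["h2"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"port": port, "reachable": True,
                        "alpn": tls.selected_alpn_protocol(), "tls": tls.version()}
    except OSError as exc:                   # refused, timed out, DNS or TLS failure
        return {"port": port, "reachable": False, "error": str(exc)}


def assess(results, configured_port):
    """Turn probe results into findings for the port selected in Jamf Pro."""
    by_port = {r["port"]: r for r in results}
    chosen = by_port.get(configured_port)
    findings = []
    if chosen is None or not chosen["reachable"]:
        findings.append(f"FAIL: port {configured_port} unreachable; check firewall, host and port")
    elif chosen.get("alpn") != "h2":
        findings.append(f"FAIL: port {configured_port} did not negotiate h2; "
                        "an intermediary may be terminating TLS")
    else:
        findings.append(f"OK: port {configured_port} negotiated h2 over {chosen['tls']}")
    # Choosing 2197 is meant to keep general HTTPS egress closed, so flag an open 443.
    if configured_port == 2197 and by_port.get(443, {}).get("reachable"):
        findings.append("NOTE: 443 to APNs is also reachable; "
                        "confirm the egress rule is as narrow as intended")
    return findings


if __name__ == "__main__":
    live = [probe(APNS_HOST, p) for p in HTTP2_PORTS]
    for finding in assess(live, configured_port=2197):
        print(finding)
```

A passing result shows only that the network path and TLS negotiation work. It does not exercise the push certificate, so the connection test in step 5 is still required.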

Troubleshooting Communication with APNs Over HTTP/2

| Symptom/Error | Explanation | Resolution |
| --- | --- | --- |
| "Connection Failed. Could not connect to the APNs server. The server is down or network is unreachable." | Connection rejected: APNs server down, no network connection, firewall misconfigured, wrong host or ports. | Try again later. |
| "Connection Failed. Push certificate is missing." | Push was unsuccessful due to a missing certificate. | Navigate to Global Management > Push Certificates and review the settings. |
| "Connection Failed. Push certificate is not correctly configured." | Push was unsuccessful due to a misconfigured certificate. | Navigate to Global Management > Push Certificates and review the settings. |
| "Push failed for the unmanaged device % because the token is missing. Values for APN Token and Push Magic cannot be blank." | Push for the unmanaged computer or device was unsuccessful. | Remove the unmanaged computer or device from Jamf Pro or re-enroll. |
| "Bad request. Incorrect values configured or information missing." | Push request was not correctly configured. | Try again later. |
| "Certificate used for the APNs server connection is incorrect." | There was an error with the certificate or with the provider authentication token. | Try again later. |
| "Device token is not active for the specified topic." | The computer or device is not registered. | Re-enroll the computer or device. |
| "Push using revoked certificate." | Push certificate is revoked. | Navigate to Global Management > Push Certificates and renew the certificate. |
| "Too many requests." | Too many requests for the same device token were sent to APNs. | Try again later. |
| "The APNs server error or service is not responding." | | Try again later. |