Summary
Apple Push notifications in Meraki Mobile Device Management Software do not work.
Problem
This software does not fully support the use of a proxy; you will need to add some domains and IPs to Guardian.
The issue is not with the Meraki software, but rather with Apple push notifications:
- The applepushserviced daemon first does a DNS TXT query for push.apple.com [ nslookup -query=txt push.apple.com ]
- This will return count=50 or some other number (n). The daemon then picks a number between 1...n and creates the DNS name n-courier.push.apple.com.
- This DNS name is then handled by Akamai DNS to return an IP address in the 17.n netblock that belongs to Apple.
The Smoothwall sees courier.push.apple.com in the URL request, not, for example, 34-courier.push.apple.com. The certificate presented by https://34-courier.push.apple.com is not a wildcard certificate; it is only valid for courier.push.apple.com.
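To confirm that the resolution chain above behaves as described on a given network, the following script (an added example, not part of this Smoothwall article; it assumes dig(1) is installed) parses the count from the TXT record, builds an n-courier name and checks that every address it resolves to falls inside 17.0.0.0/8, so that the firewall and exception rules will match.

```shell
#!/bin/sh
# Added example (not from the Smoothwall article): verify the Apple push
# resolution chain. Assumes dig(1) is installed.

# Pull the number N out of a "count=N" TXT record string.
parse_count() {
  printf '%s\n' "$1" | sed -n 's/.*count=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed only if the IPv4 address lies inside 17.0.0.0/8 (Apple's netblock).
in_apple_block() {
  case "$1" in
    17.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the courier host name the daemon constructs for index n.
courier_name() {
  printf '%s-courier.push.apple.com\n' "$1"
}

# Live check: TXT lookup, pick an n in 1..count, resolve, and test each address.
check_push_chain() {
  txt=$(dig +short TXT push.apple.com | tr -d '"')
  count=$(parse_count "$txt")
  if [ -z "$count" ] || [ "$count" -eq 0 ]; then
    echo "no usable count= in TXT record: '$txt'" >&2
    return 1
  fi
  n=$(( ($$ % count) + 1 ))     # arbitrary choice in 1..count, like the daemon
  host=$(courier_name "$n")
  # Keep only dotted-quad lines; +short also prints CNAME targets.
  ips=$(dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  [ -n "$ips" ] || { echo "$host did not resolve to an IPv4 address" >&2; return 1; }
  for ip in $ips; do
    if in_apple_block "$ip"; then
      echo "$host -> $ip (inside 17.0.0.0/8)"
    else
      echo "$host -> $ip (outside 17.0.0.0/8, 17/8 rules would not match)" >&2
      return 1
    fi
  done
}

# Run the live check with: sh apple-push-check.sh run
if [ "${1:-}" = "run" ]; then
  check_push_chain
fi
```

Run it a few times: each run picks a different n, so repeated runs exercise several courier names.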
Solution
To make the Meraki software work:
Firewall Rules
Ports that need to be open for outgoing traffic:
- TCP and UDP 2196 for all IPs
- TCP and UDP 5223 for all IPs
- TCP and UDP 49321 to 49335 for all IPs
- TCP 443 to 17.0.0.0/8
- TCP 80 to 17.0.0.0/8
Guardian Policies
- On the WEB PROXY menu, under the Web proxy submenu, click Automatic configuration. See our help topic, Configuring the web proxy with proxy auto-config (PAC) scripts.
- Add the following to the built-in exceptions:
  - push.apple.com
  - 17.0.0.0/8
- On the GUARDIAN menu, under the Web filter submenu, click Exceptions. See our help topic, Exempting devices from web filtering.
- Under the Manage destination exceptions section add:
  - 17.0.0.0/8
- On the WEB PROXY menu, under the Authentication submenu, click Exceptions. See our help topic, Creating authentication exceptions.
- Under the Manage exceptions section add:
  - iTunes
  - SSL / CRL
- Create an Allow web filter policy for the iTunes and the SSL / CRL categories. See Creating web filter policies.
- Move both policies to the top of the Web filter policies table.
Note: You may also need to do the above for the meraki.com domain.