Push Ios Apps With Mac Server

APNs Overview

Apple Push Notification service (APNs) is the centerpiece of the remote notifications feature. It is a robust, secure, and highly efficient service for app developers to propagate information to iOS (and, indirectly, watchOS), tvOS, and macOS devices.

On initial launch of your app on a user’s device, the system automatically establishes an accredited, encrypted, and persistent IP connection between your app and APNs. This connection allows your app to perform setup to enable it to receive notifications, as explained in Configuring Remote Notification Support.

The other half of the connection for sending notifications—the persistent, secure channel between a provider server and APNs—requires configuration in your online developer account and the use of Apple-supplied cryptographic certificates. A provider is a server that you deploy, manage, and configure to work with APNs. Figure 6-1 shows the path of delivery for a remote notification.

With push notification setup complete on your providers and in your app, your providers can then send notification requests to APNs. APNs conveys corresponding notification payloads to each targeted device. On receipt of a notification, the system delivers the payload to the appropriate app on the device, and manages interactions with the user.

If a notification for your app arrives with the device powered on but with the app not running, the system can still display the notification. If the device is powered off when APNs sends a notification, APNs holds on to the notification and tries again later (for details, see Quality of Service, Store-and-Forward, and Coalesced Notifications).

Provider Responsibilities

Your provider servers have the following responsibilities for participating with APNs:

  • Receiving, via APNs, globally-unique, app-specific device tokens and other relevant data from instances of your app on user devices. This allows a provider to know about each running instance of your app.

  • Determining, according to the design of your notification system, when remote notifications need to be sent to each device.

  • Building and sending notification requests to APNs, each request containing a notification payload and delivery information; APNs then delivers corresponding notifications to the intended devices on your behalf.

For each remote notification request a provider sends, it must:

  1. Construct a JSON dictionary containing the notification’s payload, as described in Creating the Remote Notification Payload.

  2. Add the payload, a globally-unique device token, and other delivery information to an HTTP/2 request. For information about device tokens, see APNs-to-Device Connection Trust and Device Tokens. For information about the HTTP/2 request format, and the possible responses and errors from APNs, see Communicating with APNs.

  3. Send the HTTP/2 request to APNs, including cryptographic credentials in the form of a token or a certificate, over a persistent, secure channel. Establishing this secure channel is described in Security Architecture.
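The three steps above, as an added example in Python (not code from Apple's documentation): the function assembles the path, headers and JSON body of one notification request and validates them before they are handed to an HTTP/2 client, which is left out. The header names other than apns-collapse-id, the 4096-byte payload limit, the 64-byte collapse-identifier limit and the priority rule for background pushes come from Apple's HTTP/2 provider API as the author of this example knows it, not from this page; the bundle ID and token values are constructed samples.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Limits from Apple's HTTP/2 provider API (assumed here; this page does not state them):
# a regular payload may be at most 4096 bytes and apns-collapse-id at most 64 bytes.
MAX_PAYLOAD_BYTES = 4096
MAX_COLLAPSE_ID_BYTES = 64
DEVICE_TOKEN_RE = re.compile(r"^[0-9a-f]+$")


def build_apns_request(
    device_token_hex: str,
    payload: Dict,
    topic: str,
    provider_token: Optional[str] = None,
    collapse_id: Optional[str] = None,
    push_type: str = "alert",
    priority: int = 10,
) -> Tuple[str, Dict[str, str], bytes]:
    """Return (path, headers, body) for one notification request.

    The path carries the device token, the body is the JSON payload from step 1,
    and the headers carry the topic (bundle ID), the optional collapse identifier
    and, on a token-based connection, the provider authentication token (step 3).
    Sending needs an HTTP/2 client, which is deliberately left out here.
    """
    token = device_token_hex.strip().lower()
    if not token or len(token) % 2 or not DEVICE_TOKEN_RE.match(token):
        raise ValueError("device token must be a non-empty, even-length hex string")
    if "aps" not in payload:
        raise ValueError("payload must contain the 'aps' dictionary")
    body = json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    if len(body) > MAX_PAYLOAD_BYTES:
        raise ValueError(f"payload is {len(body)} bytes; the limit is {MAX_PAYLOAD_BYTES}")
    if push_type == "background" and priority != 5:
        raise ValueError("background pushes must use priority 5")

    headers = {
        "apns-topic": topic,
        "apns-push-type": push_type,
        "apns-priority": str(priority),
    }
    if provider_token is not None:
        headers["authorization"] = f"bearer {provider_token}"
    if collapse_id is not None:
        if len(collapse_id.encode("utf-8")) > MAX_COLLAPSE_ID_BYTES:
            raise ValueError("apns-collapse-id must not exceed 64 bytes")
        headers["apns-collapse-id"] = collapse_id
    return f"/3/device/{token}", headers, body


def request_error(**kwargs) -> Optional[str]:
    """Validation helper: the message build_apns_request would raise, or None if it is valid."""
    try:
        build_apns_request(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: a headline sent twice with the same collapse identifier,
    # so that APNs coalesces the two requests into one notification on the device.
    sample_token = "740f4707bebcf74f9b7c25d48e3358945f6aa01da5ddb387462c7eaf61bb78ad"
    for _ in range(2):
        path, headers, body = build_apns_request(
            sample_token,
            {"aps": {"alert": {"title": "Breaking", "body": "Example headline"}, "sound": "default"}},
            topic="com.example.news",  # hypothetical bundle ID
            provider_token="<jwt from your signing key>",
            collapse_id="headline-2024-001",
        )
        print(path, headers, body.decode())
```

The checks run on the provider, before anything reaches APNs: a rejected request costs a round trip and an error response, and an oversized or malformed one is easier to diagnose at the point where it was built than from the HTTP/2 status that comes back.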

Using Multiple Providers

Figure 6-2 depicts the sort of virtual network that APNs enables for the devices running your apps. To handle the notification load, you would typically deploy multiple providers, each one with its own persistent and secure connection to APNs. Each provider can then send notification requests targeting any device for which the provider has a valid device token.

Quality of Service, Store-and-Forward, and Coalesced Notifications

Apple Push Notification service includes a Quality of Service (QoS) component that performs a store-and-forward function. If APNs attempts to deliver a notification and the destination device is offline, APNs stores the notification for a limited period of time and delivers it when the device becomes available again. This component stores only the most recent notification per device and per app. If a device is offline, sending a notification request targeting that device causes the previous request to be discarded. If a device remains offline for a long time, all its stored notifications in APNs are discarded.

To allow the coalescing of similar notifications, you can include a collapse identifier within a notification request. Normally, when a device is online, each notification request that you send to APNs results in a notification delivered to the device. However, when the apns-collapse-id key is present in your HTTP/2 request header, APNs coalesces requests whose value for that key is the same. For example, a news service that sends the same headline twice could use the same collapse identifier value for both requests. APNs would then coalesce the two requests into a single notification for delivery to the device. For details on the apns-collapse-id key, see Table 8-2.

Security Architecture

APNs enforces end-to-end, cryptographic validation and authentication using two levels of trust: connection trust and device token trust.

Connection trust works between providers and APNs, and between APNs and devices.

  • Provider-to-APNs connection trust establishes certainty that a connection between a provider and APNs is possible only for an authorized provider, owned by a company that has an agreement with Apple for push notification delivery. You must take steps to ensure connection trust exists between your provider servers and APNs, as described in this section.

  • APNs-to-device connection trust ensures that only authorized devices can connect to APNs to receive notifications. APNs automatically enforces connection trust with each device to ensure the legitimacy of the device.

For a provider to communicate with APNs, it must employ a valid authentication key certificate (for token-based connection trust) or SSL certificate (for certificate-based connection trust). You obtain either of these certificates from your online developer account, as explained in “Configure push notifications” in Xcode Help. To choose between the two certificate types, read Provider-to-APNs Connection Trust. Whichever certificate type you choose, provider connection trust is prerequisite to a provider sending push notification requests to APNs.

Device token trust works end-to-end for each remote notification. It ensures that notifications are routed only between the correct start (provider) and end (device) points.

A device token is an opaque NSData instance that contains a unique identifier assigned by Apple to a specific app on a specific device. Only APNs can decode and read the contents of a device token. Each app instance receives its unique device token when it registers with APNs, and must then forward the token to its provider, as described in Configuring Remote Notification Support. The provider must include the device token in each push notification request that targets the associated device; APNs uses the device token to ensure the notification is delivered only to the unique app-device combination for which it is intended.

APNs can issue a new device token for a variety of reasons:

  • User installs your app on a new device

  • User restores device from a backup

  • User reinstalls the operating system

  • Other system-defined events

As a result, apps must request the device token at launch time, as described in APNs-to-Device Connection Trust and Device Tokens. For code examples, see Registering to Receive Remote Notifications.

Important

To protect user privacy, do not use device tokens to identify user devices.

Provider-to-APNs Connection Trust

There are two schemes available for negotiating connection trust between your provider servers and Apple Push Notification service:

  • Token-based provider connection trust: A provider using the HTTP/2-based API can use JSON web tokens (JWT) to provide validation credentials for connection with APNs. In this scheme, you provision a public key to be retained by Apple, and a private key which you retain and protect. Your providers then use your private key to generate and sign JWT provider authentication tokens. Each of your push notification requests must include a provider authentication token.

    You can use a single, token-based connection between a provider and APNs to send push notification requests to all the apps whose bundle IDs are listed in your online developer account.

    Every push notification request results in an HTTP/2 response from APNs, returning details on success or failure to your provider.

  • Certificate-based provider connection trust: A provider can, alternatively, employ a unique provider certificate and private cryptographic key. The provider certificate, provisioned by Apple when you establish your push service in your online developer account, identifies one topic, which is the bundle ID for one of your apps.

    You can use a certificate-based connection between a provider and APNs to send push notification requests to exactly one app, which you specify when configuring the certificate in your online developer account.

Important

To establish HTTP/2-based TLS sessions with APNs, you must ensure that a GeoTrust Global CA root certificate is installed on each of your providers. If a provider is running macOS, this root certificate is in the keychain by default. On other systems, this certificate might require explicit installation. You can download this certificate from the GeoTrust Root Certificates website. Here is a direct link to the certificate.

If you are instead using the legacy binary interface to APNs, you must ensure that each of your providers has an Entrust Certification Authority (2048) root certificate, available from the Entrust SSL Certificates website.

Token-Based Provider-to-APNs Trust

Token-based provider trust employs a certificate of type “Apple Push Notification Authentication Key (Sandbox & Production).” You configure and obtain this certificate using your online developer account, as explained in “Generate a universal provider token signing key” in Xcode Help. This certificate has the following characteristics:

  • The one certificate is valid for sending push notification requests for every app associated with your account.

    The certificate is also valid for connections to Apple Watch complications for your apps, and for voice-over-Internet Protocol (VoIP) status notifications for your apps. APNs delivers these notifications even when those items are running in the background. See APNs Provider Certificates for details, and see Voice Over IP (VoIP) Best Practices in Energy Efficiency Guide for iOS Apps.

  • When you send a push notification request over a JWT token-based APNs connection, you must include your provider authentication token.

  • The APNs authentication key certificate never expires, but you can revoke it permanently using your online developer account; once revoked, the certificate can never be used again.

Figure 6-3 illustrates using the HTTP/2-based APNs provider API to establish trust, and using JWT provider authentication tokens for sending notifications.

As shown in Figure 6-3, token-based provider trust works as follows:

  1. Your provider asks for a secure connection with APNs using transport layer security (TLS), represented as the arrow labeled “TLS initiation” in the figure.

  2. APNs then gives your provider an APNs certificate, represented by the next arrow in the figure (labeled “APNs certificate”), which your provider then validates.

    At this point, connection trust is established and your provider server is enabled to send token-based remote push notification requests to APNs.

  3. Each notification request that your provider sends must be accompanied by a JWT authentication token, represented in the figure as the arrow labeled “Notification push.”

  4. APNs replies to each push, represented in the figure as the arrow labeled “HTTP/2 response.”

    For specifics on the responses your provider can receive for this step, see HTTP/2 Response from APNs.
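The provider authentication token described under token-based trust (the JWT that must accompany every request in step 3), as an added example in Python that is not Apple's code. The JWT layout (ES256, kid, iss, iat) is the one the author of this example knows from Apple's provider API; the refresh cadence in ProviderTokenCache (a token is rejected after one hour, and minting one more often than every 20 minutes is also rejected) is likewise assumed from that API, not stated on this page. The ES256 signer relies on the third-party cryptography package and on the .p8 key from the developer account; Team ID and Key ID values are constructed.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

Signer = Callable[[bytes], bytes]  # signs bytes, returns the raw 64-byte ES256 signature (r || s)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_provider_token(team_id: str, key_id: str, sign: Signer, issued_at: Optional[int] = None) -> str:
    """Build the JWT that accompanies every request on a token-based connection.

    Header: alg ES256 and kid (the key identifier shown in the developer account).
    Claims: iss (your Team ID) and iat (issue time in seconds). There is no exp
    claim; APNs judges freshness from iat itself.
    """
    header = {"alg": "ES256", "kid": key_id}
    claims = {"iss": team_id, "iat": int(issued_at if issued_at is not None else time.time())}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = sign(signing_input.encode("ascii"))
    if len(signature) != 64:
        raise ValueError("ES256 JWS signature must be the raw 64-byte r||s encoding")
    return signing_input + "." + _b64url(signature)


def es256_signer(pem_private_key: bytes) -> Signer:
    """Signer for the .p8 key downloaded from the developer account.

    Uses the third-party 'cryptography' package (assumed installed) and converts
    the DER signature it produces into the raw r||s form JWS requires.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature

    key = serialization.load_pem_private_key(pem_private_key, password=None)

    def sign(data: bytes) -> bytes:
        r, s = decode_dss_signature(key.sign(data, ec.ECDSA(hashes.SHA256())))
        return r.to_bytes(32, "big") + s.to_bytes(32, "big")

    return sign


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a token into (header, claims) for logging and inspection; no verification."""
    h, c, _sig = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))


class ProviderTokenCache:
    """Reuse one token across requests and refresh it on the documented cadence.

    Assumed limits (from Apple's provider API, not this page): APNs rejects a token
    older than MAX_AGE and a provider that mints tokens more often than MIN_INTERVAL.
    REFRESH_AFTER sits below MAX_AGE so requests in flight keep a valid token.
    """

    MAX_AGE = 60 * 60
    MIN_INTERVAL = 20 * 60
    REFRESH_AFTER = 50 * 60

    def __init__(self, team_id: str, key_id: str, sign: Signer, clock: Callable[[], float] = time.time):
        self._team_id, self._key_id, self._sign, self._clock = team_id, key_id, sign, clock
        self._token: Optional[str] = None
        self._issued_at: float = float("-inf")

    def _mint(self, now: float) -> str:
        self._token = build_provider_token(self._team_id, self._key_id, self._sign, int(now))
        self._issued_at = now
        return self._token

    def current(self) -> str:
        now = self._clock()
        if self._token is None or now - self._issued_at >= self.REFRESH_AFTER:
            return self._mint(now)
        return self._token

    def refresh_now(self) -> bool:
        """Force a refresh, e.g. after APNs answers that the token has expired.

        Refused (returns False) when it would breach the 20-minute minimum.
        """
        now = self._clock()
        if now - self._issued_at < self.MIN_INTERVAL:
            return False
        self._mint(now)
        return True
```

The signing key is the credential that lets anyone send notifications to every app in the account, so it belongs in the provider's secret store with the same handling as a TLS private key; the cache keeps it in use through one signer object rather than re-reading it per request.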

Certificate-Based Provider-to-APNs Trust

A certificate-based provider connection is valid for delivery to one specific app, identified by the topic (the app bundle ID) specified in the provider certificate (which you must have previously created, as explained in “Generate a universal APNs client SSL certificate” in Xcode Help). Depending on how you configure and provision the certificate, the trusted connection can also be valid for delivery of remote notifications to other items associated with your app, including Apple Watch complications for your apps, and for voice-over-Internet Protocol (VoIP) status notifications for your apps. APNs delivers these notifications even when those items are running in the background. See Communicating with APNs for details, and see Voice Over IP (VoIP) Best Practices in Energy Efficiency Guide for iOS Apps.

With certificate-based trust, APNs maintains a certificate revocation list; if a provider’s certificate is on the revocation list, APNs can revoke provider trust (that is, APNs can refuse the TLS initiation connection).

Figure 6-4 illustrates the use of an Apple-issued SSL certificate to establish trust between a provider and APNs. Unlike Figure 6-3, this figure does not show a notification push itself, but stops at the establishment of a Transport Layer Security (TLS) connection. In the certificate-based trust scheme, push notification requests are not authenticated but they are validated using the accompanying device token.

As shown in Figure 6-4, certificate-based provider-to-APNs trust works as follows:

  1. Your provider asks for a secure connection with APNs using transport layer security (TLS), represented as the arrow labeled “TLS initiation” in the figure.

  2. APNs then gives your provider an APNs certificate, represented by the next arrow in the figure (labeled “APNs certificate”), which your provider then validates.

  3. Your provider must then send its Apple-provisioned provider certificate (which you have previously obtained from your online developer account, as explained in “Generate a universal APNs client SSL certificate” in Xcode Help) back to APNs, represented as the arrow labeled “Provider certificate.”

  4. APNs then validates your provider certificate, thereby confirming that the connection request originated from a legitimate provider, and establishes your TLS connection.

    At this point, connection trust is established and your provider server is enabled to send certificate-based remote push notification requests to APNs.

APNs-to-Device Connection Trust and Device Tokens

Trust between APNs and each device is established automatically, without participation by your app, as described in this section.

Each device has a cryptographic certificate and a private cryptographic key, provided by the operating system at initial device activation and stored in the device’s keychain. During activation, APNs authenticates and validates the connection to the device, based on the certificate and key, as shown in Figure 6-5.

As shown in Figure 6-5, APNs-to-device trust works as follows:

  1. Trust negotiation begins when the device initiates a TLS connection with APNs, as shown in the top arrow in the figure.

  2. APNs returns an APNs certificate to the device.

  3. The operating system validates this certificate and then, as shown in the “Device certificate” arrow, sends the device certificate to APNs.

  4. Finally, as indicated by the bottom arrow in the figure, APNs validates the device certificate, establishing trust.

With a TLS connection established between APNs and the device, apps on the device can register with APNs to receive their app-specific device tokens for remote notifications. For details and code examples, see Registering to Receive Remote Notifications in Configuring Remote Notification Support.

After receiving the device token, an app must connect to the app’s associated provider and forward the token to it. This step is necessary because a provider must include the device token later when it sends a notification request, to APNs, targeting the device. The code you write for forwarding the token is also shown in Registering to Receive Remote Notifications.

Whether a user is activating a device for the first time, or whether APNs has issued a new device token, the process is similar and is shown in Figure 6-6.

Obtaining and handling an app-specific device token works as follows:

  1. Your app registers with APNs for remote notifications, as shown in the top arrow. If the app is already registered and the app-specific device token has not changed, the system quickly returns the existing token to the app and this process skips to step 4.

  2. When a new device token is needed, APNs generates one using information contained in the device’s certificate. It encrypts the token using a token key and returns it to the device, as shown in the middle, right-pointing arrow.

  3. The system delivers the device token back to your app by calling your application:didRegisterForRemoteNotificationsWithDeviceToken: delegate method.

  4. Upon receiving the token, your app (within the delegate method) must forward it to your provider in either binary or hexadecimal format. Your provider cannot send notifications to the device without this token. For details, see Registering to Receive Remote Notifications in Configuring Remote Notification Support.

Important

APNs device tokens are of variable length. Do not hard-code their size.
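The provider side of step 4 and of the Important note above, as an added example in Python that is not Apple's code: a normalizer that accepts the binary or hexadecimal token form without assuming a fixed size, and a registry that keys tokens by app and account so that a token is never itself treated as the identity of a user. The "<740f4707 bebcf74f ...>" input form, the APNs timestamp used in unregister, and all token and bundle-ID values are assumptions or constructed samples, not taken from this page.

```python
import re
import time
from typing import Callable, Dict, List, Optional, Tuple, Union

HEX_RE = re.compile(r"^[0-9a-f]+$")


def normalize_device_token(token: Union[bytes, bytearray, str]) -> str:
    """Canonical lowercase-hex form of a device token forwarded by the app.

    Accepts the binary form, a hex string, and the "<740f4707 bebcf74f ...>" text
    that -[NSData description] prints (assumed here as a common mistake in apps,
    which forward that string instead of the bytes). Only 'non-empty, whole bytes'
    is checked: tokens are of variable length, so no fixed size is assumed.
    """
    if isinstance(token, (bytes, bytearray)):
        hex_token = bytes(token).hex()
    else:
        hex_token = re.sub(r"[\s<>]", "", token).lower()
    if not hex_token or len(hex_token) % 2 or not HEX_RE.match(hex_token):
        raise ValueError("device token is not a hex-encoded byte string")
    return hex_token


def token_error(token) -> Optional[str]:
    """The message normalize_device_token would raise for this input, or None."""
    try:
        normalize_device_token(token)
    except ValueError as exc:
        return str(exc)
    return None


class DeviceTokenRegistry:
    """Provider-side record of which tokens to target for a given app and account.

    The key is (bundle ID, account) and the token is a value under it, because a
    token identifies an app-device pair and is re-issued on reinstall, restore or
    OS reinstall. Which user owns the installation is recorded here from the app's
    authenticated session to the provider, never inferred from the token.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._tokens: Dict[Tuple[str, str], Dict[str, float]] = {}

    def register(self, bundle_id: str, account_id: str, token) -> str:
        """Store (or refresh the timestamp of) a token the app forwarded."""
        hex_token = normalize_device_token(token)
        self._tokens.setdefault((bundle_id, account_id), {})[hex_token] = self._clock()
        return hex_token

    def targets(self, bundle_id: str, account_id: str) -> List[str]:
        return sorted(self._tokens.get((bundle_id, account_id), {}))

    def unregister(self, bundle_id: str, token, not_after: float) -> int:
        """Drop a token APNs reported as no longer valid for this app.

        APNs sends a timestamp with that report (assumed from Apple's provider API;
        this page does not describe it). A registration newer than that timestamp
        means the app re-registered afterwards, so the token is kept.
        """
        hex_token = normalize_device_token(token)
        removed = 0
        for (bid, _account), tokens in self._tokens.items():
            if bid == bundle_id and tokens.get(hex_token, float("inf")) <= not_after:
                del tokens[hex_token]
                removed += 1
        return removed
```

Storing per app and per account also gives the provider a natural place to drop tokens when an account signs out, which prevents notifications for one user from reaching a device that has since been handed to another.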

When your provider sends a push notification request to APNs, it includes a device token that identifies a unique app-device combination. This step is shown in the “Token, Payload” arrow between the provider and APNs in Figure 6-7. APNs decrypts the token to ensure the validity of the request and to determine the target device. If APNs determines that the sender and recipient are legitimate, it then sends the notification to the identified device.

After the device receives the notification (and after the final step shown in Figure 6-7), the system forwards the remote notification to your app.

Apps

Provisioning Procedures

APNs is available to apps distributed through the iOS App Store, tvOS App Store, and Mac App Store, as well as to enterprise apps. Your app must be provisioned and code signed to use APNs. If you are developing as part of a team, most of these configuration steps can be performed only by a team agent or administrator.

For information on how to configure push notification support in Xcode and in your online developer account, read “Configure push notifications” in Xcode Help.

Copyright © 2018 Apple Inc. All rights reserved. Terms of Use Privacy Policy Updated: 2018-06-04

This article is intended for enterprise and education network administrators.

Apple products require access to the Internet hosts in this article for a variety of services. Here's how your devices connect to hosts and work with proxies:

  • Network connections to the hosts below are initiated by the device, not by hosts operated by Apple.
  • Apple services will fail any connection that uses HTTPS Interception (SSL Inspection). If the HTTPS traffic traverses a web proxy, disable HTTPS Interception for the hosts listed in this article.

Make sure your Apple devices can access the hosts listed below.

Apple Push Notifications

Learn how to troubleshoot connecting to the Apple Push Notification service (APNs). For devices that send all traffic through an HTTP proxy, you can configure the proxy either manually on the device or with a configuration profile. Beginning with macOS 10.15.5, devices can connect to APNs when configured to use the HTTP proxy with a proxy auto-config (PAC) file.

Device setup

Access to the following hosts might be required when setting up your device, or when installing, updating or restoring the operating system.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| albert.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes |
| captive.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals. | Yes |
| gs.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes |
| humb.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes |
| static.ips.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | | Yes |
| tbsc.apple.com | 443 | TCP | macOS only | | Yes |
| time-ios.apple.com | 123 | UDP | iOS and tvOS only | Used by devices to set their date and time | |
| time.apple.com | 123 | UDP | iOS, tvOS, and macOS | Used by devices to set their date and time | |
| time-macos.apple.com | 123 | UDP | macOS only | Used by devices to set their date and time | |

Device Management

Network access to the following hosts might be required for devices enrolled in Mobile Device Management (MDM):

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| *.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, tvOS, and macOS | Push notifications | Learn more about APNs and proxies. |
| gdmf.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM server to identify which software updates are available to devices that use managed software updates. | Yes |
| deviceenrollment.apple.com | 443 | TCP | iOS, tvOS, and macOS | DEP provisional enrollment. | |
| deviceservices-external.apple.com | 443 | TCP | iOS, tvOS, and macOS | | |
| identity.apple.com | 443 | TCP | iOS, tvOS, and macOS | APNs certificate request portal. | Yes |
| iprofiles.apple.com | 443 | TCP | iOS, tvOS, and macOS | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
| mdmenrollment.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts. | Yes |
| setup.icloud.com | 443 | TCP | iOS only | Required to log in with a Managed Apple ID on Shared iPad. | |
| vpp.itunes.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device. | Yes |

Software updates

Make sure you can access the following ports for updating macOS, apps from the Mac App Store, and for using content caching.

macOS, iOS, and tvOS

Network access to the following hostnames is required for installing, restoring, and updating macOS, iOS, and tvOS:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| appldnld.apple.com | 80 | TCP | iOS only | iOS updates | |
| gg.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | iOS, tvOS, and macOS updates | Yes |
| gnf-mdn.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| gnf-mr.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| gs.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
| ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| mesu.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Hosts software update catalogs | |
| ns.itunes.apple.com | 443 | TCP | iOS only | | Yes |
| oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | |
| osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | |
| skl.apple.com | 443 | TCP | macOS only | macOS updates | |
| swcdn.apple.com | 80 | TCP | macOS only | macOS updates | |
| swdist.apple.com | 443 | TCP | macOS only | macOS updates | |
| swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
| swpost.apple.com | 80 | TCP | macOS only | macOS updates | Yes |
| swscan.apple.com | 443 | TCP | macOS only | macOS updates | |
| updates-http.cdn-apple.com | 80 | TCP | iOS, tvOS, and macOS | | |
| updates.cdn-apple.com | 443 | TCP | iOS, tvOS, and macOS | | |
| xp.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes |

App Store

Access to the following hosts might be required for updating apps:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| *.itunes.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
| *.apps.apple.com | 443 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
| *.mzstatic.com | 443 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | |
| itunes.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | | Yes |
| ppq.apple.com | 443 | TCP | iOS, tvOS, and macOS | Enterprise App validation | |

Content caching

Access to the following host is required for a Mac that uses macOS content caching:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| lcdn-registration.apple.com | 443 | TCP | macOS only | Content caching server registration | Yes |

App notarization

Starting with macOS 10.14.5, software is checked for notarization before it will run. In order for this check to succeed, a Mac must be able to access the same hosts listed in the Ensure Your Build Server Has Network Access section of Customizing the Notarization Workflow:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| 17.248.128.0/18 | 443 | TCP | macOS only | Ticket delivery | |
| 17.250.64.0/18 | 443 | TCP | macOS only | Ticket delivery | |
| 17.248.192.0/19 | 443 | TCP | macOS only | Ticket delivery | |

Certificate validation

Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts listed above:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| crl.apple.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| crl.entrust.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| crl3.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| crl4.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| ocsp.apple.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| ocsp.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| ocsp.entrust.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| ocsp.verisign.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |

Firewalls

If your firewall supports using hostnames, you may be able to use most Apple services above by allowing outbound connections to *.apple.com. If your firewall can only be configured with IP addresses, allow outbound connections to 17.0.0.0/8. The entire 17.0.0.0/8 address block is assigned to Apple.
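The firewall rule above, together with the host tables and the HTTPS-interception requirement earlier in this article, turned into a small egress-policy checker as an added example in Python (not Apple's code or tooling). The rule list is a constructed subset of the tables on this page; the address blocks are the ones the page gives. The audit function reports connections that an Apple-only policy would block, and the PAC generator is one way (assumed, not prescribed by the page) of keeping the listed hosts away from an intercepting proxy; the proxy address in it is hypothetical.

```python
import fnmatch
import ipaddress
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, Set[int], str]  # (host pattern, allowed ports, protocol)

# Constructed subset of the host tables on this page: (pattern, ports, protocol).
APPLE_EGRESS_RULES: List[Rule] = [
    ("*.push.apple.com", {443, 80, 5223, 2197}, "TCP"),
    ("identity.apple.com", {443}, "TCP"),
    ("mdmenrollment.apple.com", {443}, "TCP"),
    ("*.itunes.apple.com", {443, 80}, "TCP"),
    ("time.apple.com", {123}, "UDP"),
    ("ocsp.apple.com", {80}, "TCP"),
    ("crl.apple.com", {80}, "TCP"),
]

# Address blocks from the page: 17.0.0.0/8 is assigned to Apple; the /18 and /19
# ranges are the notarization ticket-delivery hosts.
APPLE_NETWORK = ipaddress.ip_network("17.0.0.0/8")
NOTARIZATION_NETWORKS = [
    ipaddress.ip_network(n) for n in ("17.248.128.0/18", "17.250.64.0/18", "17.248.192.0/19")
]


def hostname_allowed(host: str, port: int, protocol: str, rules: List[Rule] = APPLE_EGRESS_RULES) -> bool:
    """True if (host, port, protocol) matches an allowlist rule.

    Wildcards match subdomains only: '*.push.apple.com' matches neither the bare
    'push.apple.com' nor 'gateway.push.apple.com.evil.example'.
    """
    host = host.lower().rstrip(".")
    return any(
        proto == protocol.upper() and port in ports and fnmatch.fnmatchcase(host, pattern)
        for pattern, ports, proto in rules
    )


def address_allowed(ip: str) -> bool:
    """IP-only firewalls: allow the whole Apple block."""
    return ipaddress.ip_address(ip) in APPLE_NETWORK


def notarization_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NOTARIZATION_NETWORKS)


def audit_connections(connections: Iterable[Tuple[str, int, str]]) -> List[Tuple[str, int, str]]:
    """Return the connections an Apple-only egress policy would block.

    Literal IP destinations are checked against 17.0.0.0/8, hostnames against the rules.
    """
    denied = []
    for host, port, proto in connections:
        try:
            ok = address_allowed(host)
        except ValueError:  # not an IP literal, so treat it as a hostname
            ok = hostname_allowed(host, port, proto)
        if not ok:
            denied.append((host, port, proto))
    return denied


def pac_bypass_script(rules: List[Rule] = APPLE_EGRESS_RULES, proxy: str = "PROXY proxy.example.internal:8080") -> str:
    """Emit a PAC file that sends the allowlisted hosts DIRECT, so an intercepting
    proxy never terminates their TLS sessions. Proxy address is a placeholder."""
    conditions = " || ".join(f'shExpMatch(host, "{pattern}")' for pattern, _, _ in rules)
    return (
        "function FindProxyForURL(url, host) {\n"
        f'  if ({conditions}) return "DIRECT";\n'
        f'  return "{proxy}";\n'
        "}\n"
    )
```

Running the audit over a day of outbound-connection logs from a managed Mac is a quick way to find the hosts a new firewall rule set would break before it is rolled out, and the PAC output gives the proxy team a concrete exception list rather than a request to "exclude Apple".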

HTTP proxy

You can use Apple services through a proxy if you disable packet inspection and authentication for traffic to and from the listed hosts. Exceptions to this are noted above. Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy.


  • See a list of TCP and UDP ports used by Apple software products.
  • Find out which ports are used by Profile Manager in macOS Server.
  • Learn about macOS, iOS, and iTunes server host connections and iTunes background processes.
  • Customize the Notarization Workflow.