Apple Push Notification Service (APNS) Changes Impacting SOTI MobiControl Customers

Apple currently provides two endpoints for the Apple Push Notification Service (APNS): the original APNS endpoint based on a binary TCP protocol (hereafter referred to as “legacy APNS”) and a newer APNS endpoint based on the HTTP/2 communication protocol (hereafter “modern APNS”).

On November 1st, 2020, Apple will discontinue the legacy APNS in favor of the modern APNS. All versions of SOTI MobiControl released to date have used the legacy APNS, so this change by Apple will impact all customers using SOTI MobiControl to manage their Apple devices.

As of November 1, 2020, customers will no longer be able to manage existing iOS & macOS devices or enroll new ones without upgrading their version of MobiControl.

SOTI will issue Maintenance Releases for SOTI MobiControl v14 and v15 in order to support the modern APNS and avoid any service disruption. SOTI MobiControl v15.2 and higher, when released, will support the modern APNS and will not be affected.

Recommended course of action for affected customers

  • Customers running SOTI MobiControl 14.4.9 or lower should upgrade to 14.5.1 or higher.
  • Customers running SOTI MobiControl 15.0.x or 15.1 should upgrade to 15.1.1 or higher.
  • Customers running SOTI MobiControl 15.2 or higher do not need to take any action.

New Minimum System Requirements

The modern APNS is based on the HTTP/2 protocol. Support for this protocol is available on Windows Server 2016 and higher. This means that MobiControl v14.5.1+ and v15.1.1+ will require Windows Server 2016 at minimum.

Customers running SOTI MobiControl on older versions of Windows Server will need to upgrade their servers to Windows Server 2016 or higher before upgrading their instance of SOTI MobiControl.

For a complete list of system requirements of SOTI MobiControl, please consult the MobiControl v14.5 System Requirements or MobiControl v15.1 System Requirements.

New Security Requirements

The modern APNS requires one of the following modern TLS cipher suites to be enabled on the server hosting the SOTI MobiControl instance:

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The best practices option in the IIS Crypto tool is the easiest way to enable the necessary TLS cipher suites. Furthermore, the list of TLS cipher suites enabled on the server can be retrieved using the Get-TlsCipherSuite PowerShell command.

New Runtime Libraries

To support modern APNS, SOTI MobiControl leverages modern Microsoft frameworks.  Therefore, SOTI MobiControl v14.5.1+ and v15.1.1+ will require runtime libraries for .NET Core 3.1 or higher to be installed on the server.

New Firewall Rules

The host of the modern APNS is different than that of the legacy APNS.  Customers using firewall rules to protect their network must add the following rule to allow SOTI MobiControl to communicate with the modern APNS:

Direction: Outbound
Type: TCP
Host: api.push.apple.com
Port: 443
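
The following read-only PowerShell check is an added example, not a SOTI-provided script; it verifies the four prerequisites described above (operating system, TLS cipher suites, .NET Core runtime, outbound firewall rule) on the server hosting SOTI MobiControl. It assumes that the base Microsoft.NETCore.App runtime is the one to look for and that the dotnet executable is on the PATH when the runtime is installed.

```powershell
# Added example: pre-upgrade readiness check for the requirements on this page.
# Read-only; it changes no settings on the server.
$results = [ordered]@{}

# 1. Windows Server 2016 or higher (Server 2016 is build 14393; ProductType 1 = workstation).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Windows Server 2016+'] = ($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 14393)

# 2. At least one of the cipher suites named on this page is enabled.
$required = @(
    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
)
$enabled = @()
# Get-TlsCipherSuite is absent on older Windows Server versions, so test for it first.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $enabled = @((Get-TlsCipherSuite).Name | Where-Object { $required -contains $_ })
}
$results['Required TLS cipher suite'] = $enabled.Count -gt 0

# 3. .NET Core runtime 3.1 or higher.
# Assumption: Microsoft.NETCore.App is the runtime to check for.
$hasRuntime = $false
if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    foreach ($line in (& dotnet --list-runtimes)) {
        if ($line -match '^Microsoft\.NETCore\.App (\d+)\.(\d+)') {
            $found = [version]"$($Matches[1]).$($Matches[2])"
            if ($found -ge [version]'3.1') { $hasRuntime = $true }
        }
    }
}
$results['.NET Core 3.1+ runtime'] = $hasRuntime

# 4. Outbound TCP 443 to the modern APNS host.
$tcp = Test-NetConnection -ComputerName 'api.push.apple.com' -Port 443 -WarningAction SilentlyContinue
$results['Outbound api.push.apple.com:443'] = [bool]$tcp.TcpTestSucceeded

# Report each prerequisite, then list which of the required suites were found.
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if ($enabled.Count -gt 0) { "Enabled suites: $($enabled -join ', ')" }
```

A successful TCP connection shows only that the firewall rule is in place; it does not prove that the TLS handshake negotiates one of the listed suites.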

Procedure to Upgrade SOTI MobiControl

Cloud customers should contact SOTI Support at support@soti.net. A minimum of 48 hours' notice is required to schedule the upgrade.

On-premise customers should consult this page for information on how to proceed with the upgrade. Customers requiring assistance with the upgrade process can leverage SOTI's Professional Services by contacting the SOTI Sales Team at sales@soti.net.

 

If you have questions about this, please contact SOTI Support for assistance.
