Apple Push Notification service (APNs): Overview

Rick Cooper

Jan 19, 2022

6 min read

Notification means the act of conveying a message. A push notification is an automated message that pops up when an alert is sent by an app. This message is sent by the server of the app and works even when the app is not open. Now, APNs is slightly different.

What is APNs?

Apple’s Push Notification Service is a cloud platform that enables third-party app developers to send/push alerts to their apps running on Apple devices. APNs give app developers the ability to send unique alert messages, play a sound, provide actions that users can do without opening the app, and more.

After you’ve set up push notifications on your providers and in your app, you’ll be able to send notification requests. Each targeted device receives relevant notification payloads through APNs. When a notification is received, the system sends the payload to the relevant app on the device and controls the user’s interactions.

The app must be correctly set up and registered with the Apple Push Notification Service in order to receive APNs push alerts. The service uses an application programming interface (API) that is built into all iOS and Mac OS X devices to provide alerts. APNs were initially introduced by Apple with iOS 3 for the iPhone in June 2009. Users may manage and see notifications in one location using the Notification Center, which was initially introduced in 2012 with the introduction of iOS 5.


Including a custom action with the notification, provides the user a quick interaction with the app. For example the option to ‘reply’ for a messaging app notification, ‘Browse more products’ for a shopping app etc.


APNs give UEMs a means to communicate with linked Apple devices and transmit messages/notifications. The APNs server functions as a gateway between a UEM server and its linked Apple endpoints, allowing communication between the two. The message is forwarded to the APNs server, which reroutes it to the appropriate device (or a group of devices).
For eg: You have an enterprise app that sends you information about an office update, the app uses APIs to send a text alert to an iPhone. When your app is first launched on a user’s device, the system automatically establishes an IP link with your app and Apple Push Notification Service.

  • IT admins remotely perform actions on the MDM/UEM portal like applying policies, changing wallpaper, relaying a message etc
  • The device maintains a constant connection to APNs. All contact with APNs is regularly checked. When MDM has a command waiting for the device, the servers notify the device.
  • When the device receives its action, it then verifies it with the MDM/UEM console.
  • Device services generate an XML and send it to the device. MDM/UEM then executes the action on the device.
Including a custom action with the notification, provides the user a quick interaction with the app, just like the option to ‘reply’ for a messaging app notification, ‘Browse more products’ for a shopping app etc.

How does APNs work?

When an iOS device is enrolled into a UEM, an APNs token is generated and linked with that device. Both the UEM console and the APNs servers are relayed the information about the created token.

After enrollment, the device has an active connection with Apple’s servers. The UEM server sends a notice via the APNs server to interact with an iOS device. The APNs server will function as a communication gateway for all Apple devices. As a result, the APNs certificate is required to permit a connection between UEM and Apple devices.

The server crosschecks the token and if when the validation is complete, it instructs the device to connect to the UEM server.APNs workflow


Apple push notification service uses two layers of trust to guarantee end-to-end cryptographic validation and authentication: connection trust and device token trust.

Connection trust, as the name suggests is the authentication used to verify each connection that is made. In the case of APNs it verifies the connection between provider and APNs. The second step is to verify the connection between APNs and devices.

Device token trust verifies if the notification is sent by the correct provider and is being received by the correct device. This is made possible by end-to-end encryption.

APNs certificate

When the administrator or the server requests information from the devices, or when Apps or policies are published on the devices, UEM utilizes the certificate to deliver alerts to the Apple devices. Only the alerts are transmitted through the APNs service; no other data is transferred.

We need to create a new certificate and combine it with the UEM server. The certificate issued by Apple is valid for one year from the date of issue. The procedure for renewing a certificate is identical to establishing a new one.

APNs and the device are authenticated automatically when the device is enrolled. Each device is given a cryptographic certificate and a private cryptographic key by the operating system, stored in the device’s keychain. APNs authenticates the connection to the device using the certificate and key.

Provider responsibilities

There are few objectives for provider servers when it comes to APN participation:

  • Receiving unique app-specific device tokens and other necessary data from instances when the app was running.
  • This gives the provider data points from when the app was running, helping them improve the app.
  • Identifying the right moment to push notifications to the device, based on the architecture and working of the app. APNs receives notification requests, where each request has a notification payload and the delivery instructions. This data is then verified and distributed to the specified device.
Featured whitpaper

Apple device management

Apple devices are growing in popularity as enterprise devices, download the whitepaper to know more about Apple device management

Download whitepaper


Since the launch of the APNs back in 2009 with iOS 3, it has served as a safe and reliable push notification service. It helps the IT admins securely push actions to the enrolled device, as it goes through Two-Factor-Authentication before the action is communicated to the device. Hence, making it a crucial tool in MDM/UEM device management.

Secure your Apple ecosystem with Hexnode
Rick Cooper

Product Evangelist @ Hexnode. Millennial by age. Boomer by heart.

Share your thoughts