How does the Profile Manager send Clear Passcode command get to the iDevice?

P.Turpie asked:

We use Apple’s Profile Manager MDM.
Occasionally a user will forget the passcode to unlock their iPad. We should be able to use Profile Manager to clear their passcode. However, I’ve noticed that “Clear Passcode” tasks never seem to complete even though the iPad has a WiFi connection.

So what I’d like to know is how the “Clear Passcode” command gets to the iPad. Is it from our local server (LAN)? Or is it from Apple’s push notification servers (WAN)?

Why does it matter?
We use the CyberHound(NetBox Blue) firewall/proxy. Access to the internet goes through a transparent proxy, and requires frequent authentication through a captive portal.
If the message comes from Apple’s servers then I would need to set up an authentication bypass rule, as messages won’t get through until the iPad is authenticated, and a locked iPad will never show the captive portal login page.

My answer:

All MDM traffic goes over the Apple Push Notification Service.

In particular, for iOS devices (and Macs!) to be able to receive from APN, they must be able to make outgoing connections to TCP port 5223. You can allow outgoing traffic for this destination port to pass without being redirected to the captive portal, and then iOS devices should be able to reach APN and receive your commands.
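A quick way to confirm the bypass rule actually works is to probe the APNs port from a laptop on the same Wi-Fi segment as the iPads. This is an added example, not code from the Server Fault post or from Profile Manager; the `*-courier.push.apple.com` host names (shard numbers are sample values) and the 443 Wi-Fi fallback port are assumptions based on Apple's published APNs requirements.

```python
"""Probe APNs reachability from the iPad's network segment (added example).

Assumed targets: *-courier.push.apple.com on TCP 5223 (primary) and 443
(Wi-Fi fallback). A "5223-blocked" verdict means the captive-portal bypass
for 5223 is not in effect, so MDM commands will stall or arrive late.
"""
import socket

# Sample shard numbers; the real courier pool is larger.
APNS_HOSTS = ["1-courier.push.apple.com", "2-courier.push.apple.com"]
PORTS = (5223, 443)  # 5223 primary, 443 Wi-Fi fallback


def probe(host, port, connect=socket.create_connection, timeout=5.0):
    """TCP-connect to host:port; return 'open', 'timeout', 'dns-fail' or 'refused'.

    A captive portal or proxy that does not pass 5223 typically drops the SYN,
    which shows up here as 'timeout'. `connect` is injectable for offline tests.
    """
    try:
        with connect((host, port), timeout):
            return "open"
    except socket.gaierror:
        return "dns-fail"
    except (socket.timeout, TimeoutError):  # must precede OSError
        return "timeout"
    except OSError:
        return "refused"


def check_apns(hosts=APNS_HOSTS, ports=PORTS, connect=socket.create_connection):
    """Probe every host/port pair and return {(host, port): status}."""
    return {(h, p): probe(h, p, connect) for h in hosts for p in ports}


def diagnose(results):
    """'ok' if 5223 works, '5223-blocked' if only the fallback does, else 'apns-unreachable'."""
    open_ports = {p for (_, p), status in results.items() if status == "open"}
    if 5223 in open_ports:
        return "ok"
    if 443 in open_ports:
        return "5223-blocked"
    return "apns-unreachable"


if __name__ == "__main__":
    res = check_apns()
    for (host, port), status in sorted(res.items()):
        print(f"{host}:{port} -> {status}")
    print("verdict:", diagnose(res))
```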

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.