Unable to connect to APNS from an internal WiFi network


#1

Issue:
MDM enrolment is successful; however, policy and application push is not working.

Cause & Resolution:
The iOS device cannot reach APNS; however, there are no firewall hits on ports 5223/443 after enrolling a device.
Upon further investigation I realised that the DNS server does not have records for x-courier.push.apple.com, therefore the device cannot resolve an IP address and gives up on the connection.

Apple uses DNS for load balancing between APNS servers (see the dig output below). The hostname will vary but will be of the form x-courier.push.apple.com (where x is a small integer).

; <<>> DiG 9.8.3-P1 <<>> 5-courier.push.apple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12656
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;5-courier.push.apple.com.	IN	A

;; ANSWER SECTION:
5-courier.push.apple.com. 8313	IN	CNAME	5.courier-push-apple.com.akadns.net.
5.courier-push-apple.com.akadns.net. 60	IN CNAME pop-apac-aus-courier.push-apple.com.akadns.net.
pop-apac-aus-courier.push-apple.com.akadns.net.	9 IN A 17.252.252.43
pop-apac-aus-courier.push-apple.com.akadns.net.	9 IN A 17.252.252.44
pop-apac-aus-courier.push-apple.com.akadns.net.	9 IN A 17.252.252.51
pop-apac-aus-courier.push-apple.com.akadns.net.	9 IN A 17.252.252.34
pop-apac-aus-courier.push-apple.com.akadns.net.	9 IN A 17.252.252.28
pop-apac-aus-courier.push-apple.com.akadns.net.	9 IN A 17.252.252.25
pop-apac-aus-courier.push-apple.com.akadns.net.	9 IN A 17.252.252.46
pop-apac-aus-courier.push-apple.com.akadns.net.	9 IN A 17.252.252.36

;; Query time: 111 msec
;; SERVER: 192.168.11.11#53(192.168.11.11)
;; WHEN: Tue Aug  9 17:46:10 2016
;; MSG SIZE  rcvd: 265
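The failure above is easier to reproduce from a host on the same internal network than from the device, because the device just gives up silently. The script below is an added example, not part of the original post: it walks the 1-courier ... N-courier names against a resolver you name, classifies each dig answer the way the device would experience it (an NXDOMAIN from the internal resolver is exactly this post's failure), and then checks whether the resolved address answers on tcp/5223, falling back to tcp/443. It assumes dig and nc are installed; the maximum courier index (50) and the resolver address are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added diagnostic for the APNS DNS failure described above (not the original post's code).
# Assumes dig and nc are present; the courier index range and resolver are supplied by the caller.

# Print the IPv4 A records found in dig output read from stdin.
# dig answer lines look like:  name.  TTL  IN  A  17.252.252.43
parse_a_records() {
  awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# Print the DNS status word (NOERROR, NXDOMAIN, SERVFAIL, ...) from the dig header on stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Classify one dig answer (stdin):
#   ok         -> at least one A record, so the device can at least resolve the name
#   nxdomain   -> the resolver has no record for the name (the failure in this post)
#   no-answer  -> a reply with no A record at all (broken forwarding, empty stub zone)
#   <status>   -> any other DNS error status, printed verbatim
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | dig_status)
  n=$(printf '%s\n' "$out" | parse_a_records | awk 'END { print NR }')
  if [ "$n" -gt 0 ]; then echo ok
  elif [ "$status" = "NXDOMAIN" ]; then echo nxdomain
  elif [ "$status" = "NOERROR" ] || [ -z "$status" ]; then echo no-answer
  else echo "$status"; fi
}

# Query one courier name ($1) against an optional resolver ($2) and classify the result.
check_courier_host() {
  if [ -n "$2" ]; then dig "@$2" "$1" A 2>/dev/null | classify_dig_output
  else dig "$1" A 2>/dev/null | classify_dig_output; fi
}

# TCP reachability on the APNS port 5223, falling back to 443, 3 s timeout each.
# Prints the port that accepted the connection; returns 1 if neither did.
apns_tcp_port() {
  for p in 5223 443; do
    if nc -z -w 3 "$1" "$p" >/dev/null 2>&1; then echo "$p"; return 0; fi
  done
  return 1
}

# Walk 1-courier ... N-courier ($1) via resolver ($2); exit non-zero if any name fails DNS.
check_courier_range() {
  max=$1; resolver=$2; i=1; bad=0
  while [ "$i" -le "$max" ]; do
    host="${i}-courier.push.apple.com"
    verdict=$(check_courier_host "$host" "$resolver")
    if [ "$verdict" = ok ]; then
      # +short prints the CNAME chain followed by the addresses; keep the first address only
      ip=$(dig +short "$host" A 2>/dev/null | grep -E '^[0-9.]+$' | head -n 1)
      if port=$(apns_tcp_port "$ip"); then echo "OK   $host -> $ip tcp/$port"
      else echo "WARN $host -> $ip resolves but no TCP reply (firewall?)"; fi
    else
      echo "FAIL $host dns:$verdict"; bad=$((bad + 1))
    fi
    i=$((i + 1))
  done
  [ "$bad" -eq 0 ]
}

# Usage (network access required): APNS_CHECK_RUN=1 sh apns_check.sh 50 192.168.11.11
if [ "${APNS_CHECK_RUN:-0}" = 1 ]; then
  check_courier_range "${1:-50}" "$2"
fi
```

Run it once against the internal resolver (192.168.11.11 in the dig output above) and once against a public resolver: a name that classifies as nxdomain internally but ok externally is the missing-record case from this post, while ok followed by WARN points at the firewall rather than DNS.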

Reference:
https://developer.apple.com/library/ios/technotes/tn2265/_index.html