
How do I troubleshoot Push Notification issues on iOS devices using the ForgeRock Authenticator?

Last updated Jun 21, 2021

The purpose of this article is to provide troubleshooting advice for Push Notification issues on iOS devices using the ForgeRock Authenticator app or the ForgeRock Authenticator SDK. This information applies to Identity Cloud and AM users.


Overview

The first thing to do when facing Push Notification issues on an iOS device is to check that you are connected to a reliable Wi-Fi or cellular data connection, as a weak connection can delay a push or even prevent you receiving a push. On iOS devices, notifications are sent from Amazon SNS to the Apple Push Notification service (APNs), and then Apple® forwards them to the registered device over mobile data or Wi-Fi networks.

Please see the sections below for additional guidance on troubleshooting Push notifications.

If none of these suggestions help, we recommend that you try re-registering the affected account with the ForgeRock Authenticator app. See User cannot log in using Push authentication in AM (All versions) for further information on doing this in AM.

Check if Notifications are enabled

If no push notifications are received, it is most likely because you selected not to receive notifications when installing the application. The first time a push-enabled app registers for push notifications, iOS asks if you want to receive notifications for that app. Once you select an option, the option is not presented again unless the device is restored or the app has been uninstalled for at least a day.

You can check if Push Notifications are enabled for the ForgeRock Authenticator app as follows:

  1. Navigate to Settings > Notifications on the iOS device.
  2. Scroll down and select ForgeRock:
    • If the Allow Notifications check box is already selected, de-select it and then re-select it.
    • If the Allow Notifications check box is not currently selected, select it.
  3. Verify that notifications are configured how you want them.
  4. Force quit the ForgeRock Authenticator app.
  5. Re-launch the ForgeRock Authenticator app.

See Apple: Use notifications on your iPhone, iPad, and iPod touch for further information.

Connection issues with APNs

Push notifications may also fail because of an issue connecting to the APNs. In some support articles, Apple suggests disabling cellular data and testing pushes. This approach helps pinpoint whether the carrier is having an issue with the APNs and not finding the phone.

A weak connection can result in a delayed push or not receiving a push at all.

  • You can force Wi-Fi to test whether the issue is related to cellular data:
    • Navigate to Settings > Cellular on the iOS device.
    • Disable Cellular Data.
    • Connect to Wi-Fi and attempt another authentication.
  • You can force cellular to test whether the issue is related to your Wi-Fi connection:
    • Navigate to Settings > Wi-Fi and disable your Wi-Fi connection.
    • Navigate to Settings > Cellular.
    • Enable Cellular Data, then attempt another authentication.

Check required ports and hosts

Your wireless network must also allow the following ports for proper communication with Apple's servers. Check that your firewall rules are not blocking any of these listed ports:

  • TCP port 5223 (used by devices to communicate to the APNs servers)
  • TCP port 2195 (used to send notifications to the APNs)
  • TCP port 2196 (used by the APNs feedback service)
  • TCP port 2197 (used to send notifications to the APNs)
  • TCP port 443 (used as a fallback on Wi-Fi only, when devices are unable to communicate to APNs on port 5223)

The APNs servers use load balancing, so your devices won't always connect to the same public IP address for notifications. It's best to let your device access these ports on the entire 17.0.0.0/8 address block, which is assigned to Apple.

If you can't allow access to the entire 17.0.0.0/8 address block, open access via the same ports to these network ranges on IPv4 or IPv6:

IPv4

  • 17.249.0.0/16
  • 17.252.0.0/16
  • 17.57.144.0/22
  • 17.188.128.0/18
  • 17.188.20.0/23

IPv6

  • 2620:149:a44::/48
  • 2403:300:a42::/48
  • 2403:300:a51::/48
  • 2a01:b740:a42::/48

See Apple: If your Apple devices aren't getting Apple push notifications for further information.
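
One way to confirm whether a firewall is dropping this traffic is to match its deny log against the ports and ranges listed above. The following is an added example, not ForgeRock or Apple code; the log layout (ACTION PROTO SRC DST DPORT) and the sample lines are constructed, so adapt the field parsing to your firewall's export format.

```python
import ipaddress

# Ports and ranges copied from the lists above.
APNS_PORTS = {5223, 2195, 2196, 2197, 443}
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
APNS_RANGES = [ipaddress.ip_network(n) for n in (
    "17.249.0.0/16", "17.252.0.0/16", "17.57.144.0/22",
    "17.188.128.0/18", "17.188.20.0/23",
    "2620:149:a44::/48", "2403:300:a42::/48",
    "2403:300:a51::/48", "2a01:b740:a42::/48",
)]

# Constructed sample log; the "ACTION PROTO SRC DST DPORT" layout is an assumption.
SAMPLE_LOG = """\
DENY TCP 10.0.4.17 17.57.144.20 5223
DENY TCP 10.0.4.17 203.0.113.9 5223
DENY TCP 10.0.4.22 17.249.12.7 443
DENY UDP 10.0.4.22 17.252.1.1 5223
ALLOW TCP 10.0.4.30 17.188.130.4 2197
DENY TCP 10.0.4.31 17.1.2.3 5223
DENY TCP 10.0.4.40 2620:149:a44::10 5223
DENY TCP 10.0.4.41 17.57.144.20 8080
"""

def classify(dst, port):
    """Return 'listed-range', 'apple-block' or None for a destination and TCP port."""
    if port not in APNS_PORTS:
        return None
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None  # malformed address field
    if any(ip.version == net.version and ip in net for net in APNS_RANGES):
        return "listed-range"
    if ip.version == 4 and ip in APPLE_BLOCK:
        return "apple-block"  # inside 17.0.0.0/8 but outside the narrower ranges
    return None

def blocked_apns(log_text):
    """List (src, dst, port, scope) for denied TCP flows that match the page's rules."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "DENY" or f[1] != "TCP" or not f[4].isdigit():
            continue
        scope = classify(f[3], int(f[4]))
        if scope:
            hits.append((f[2], f[3], int(f[4]), scope))
    return hits
```

Calling blocked_apns(SAMPLE_LOG) returns the denied flows that a firewall rule should be permitting; an "apple-block" result means the destination is only covered if the whole 17.0.0.0/8 block is allowed.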

Issues caused by Wi-Fi Assist and VPN usage

The Wi-Fi Assist feature, which is enabled by default and automatically switches to cellular data when you have a poor Wi-Fi connection, can cause Push Notification issues if you are using a VPN on your iOS device. If you use a VPN on your device and get connection errors from ForgeRock Authenticator, you can disable Wi-Fi Assist as follows:

  1. Navigate to Settings > Cellular on the iOS device.
  2. Scroll down to the very end and disable Wi-Fi Assist.

See Apple: About Wi-Fi Assist for further information.

Check Date and Time settings

Make sure the system time is set automatically and the time zone is correct on the iOS device by navigating to Settings > General > Date & Time.

See Also

How To Configure Service Credentials (Push Auth, Docker) in Backstage

User cannot log in using Push authentication in AM (All versions)

FAQ: Push Services in Identity Cloud and AM

Apple: Troubleshooting Push Notifications

Apple: Use notifications on your iPhone, iPad, and iPod touch

Apple: If your Apple devices aren't getting Apple push notifications

Apple: About Wi-Fi Assist

