The following TCP outbound ports need to be open:
2195 - Apple Push Notification Service.
2196 - Apple Push Notification Feedback Service.
5223 - Apple Push Notification Listening Service. This one must be open on any network where iOS devices are confined to WiFi internally, but can be left closed if all iOS devices being managed have access to a cellular data network.
Note: A higher level of security can also be implemented for these ports which would involve setting the firewall rules to limit them to the 126.96.36.199/8 address block which is assigned to and reserved for Apple Inc.
The following TCP inbound ports need to be open:
A port designated for communication with HTTP and HTTPS (Example: 80/443)