
NTP (Network Time Protocol)

Protocols & Standards

NTP is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

What to Know

Accurate time is non-negotiable for secure communications. Certificate validation checks timestamps to verify certificates are within their valid period, and even slight clock drift can cause valid certificates to appear expired or not yet valid. Kerberos authentication requires client and server clocks to be within 5 minutes of each other, and larger time skew causes authentication failures. Audit logs, troubleshooting timelines, and security incident investigations all rely on accurate timestamps across systems. Without synchronized time, distributed systems cannot reliably correlate events or establish causality.

Time drift can occur gradually on devices that sleep frequently or remain disconnected from networks for extended periods. Devices with incorrect clocks experience enrollment failures when they cannot validate MDM server certificates, as well as authentication issues when accessing network resources. MDM can enforce time synchronization settings, but network firewalls must permit NTP traffic (UDP port 123) for devices to reach time servers.
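The following Python example is added here for illustration and is not Addigy's or Apple's code. It computes a device's clock offset from one NTP request/reply pair using the standard NTP offset formula, then reports which of the failures described above that offset would cause. The function names, the certificate validity window, and the sample server reply are constructed so the block runs offline.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300.0     # the 5-minute tolerance described above

def to_ntp(unix_time):
    """Encode Unix seconds as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_time)
    return struct.pack("!II", whole + NTP_UNIX_DELTA, int((unix_time - whole) * 2**32))

def from_ntp(raw):
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / 2**32

def build_request(t1):
    # First byte 0x23 = LI 0, version 4, mode 3 (client); transmit timestamp is bytes 40-47.
    return bytes([0x23]) + bytes(39) + to_ntp(t1)

def clock_offset(request, reply, t4):
    """Return (offset, delay) in seconds; offset > 0 means the local clock is behind."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    if not 1 <= reply[1] <= 15:
        raise ValueError("unusable stratum %d" % reply[1])
    if reply[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not match our request")
    t1, t2, t3 = from_ntp(request[40:48]), from_ntp(reply[32:40]), from_ntp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def findings(offset, true_now, not_before, not_after):
    """Failures a device would see if its clock is wrong by `offset` seconds."""
    local_now, out = true_now - offset, []
    if abs(offset) > KERBEROS_MAX_SKEW:
        out.append("kerberos-skew")
    if not_before <= true_now <= not_after:       # the certificate really is valid
        if local_now < not_before:
            out.append("cert-appears-not-yet-valid")
        elif local_now > not_after:
            out.append("cert-appears-expired")
    return out

def constructed_reply(request, t2, t3, stratum=2):
    """Constructed sample server reply (0x24 = version 4, mode 4), not captured traffic."""
    return bytes([0x24, stratum]) + bytes(22) + request[40:48] + to_ntp(t2) + to_ntp(t3)

if __name__ == "__main__":
    req = build_request(1700000000.0)                          # device clock, 400 s slow
    rep = constructed_reply(req, 1700000400.25, 1700000400.25)
    offset, delay = clock_offset(req, rep, t4=1700000000.5)
    print(offset, delay, findings(offset, 1700000400.5, 1700000300.0, 1731536400.0))
```

The originate-timestamp check ties a reply to the request that was actually sent, so a stale or unrelated packet is not used to compute the offset.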

Common Scenarios

Enterprise IT: Corporate networks typically allow devices to sync with external NTP servers (like time.apple.com) or provide internal NTP servers synchronized to authoritative sources. IT must ensure firewalls permit outbound NTP traffic and that internal time servers are reliably synchronized to prevent cascading time errors across the fleet. Devices traveling between time zones may experience time-related authentication failures if timezone detection is incorrect or disabled. Certificate validation errors often trace back to incorrect system clocks that make valid certificates appear expired.

MSP: MSPs should verify time synchronization when troubleshooting client enrollment failures or authentication issues. Devices with incorrect clocks often exhibit multiple seemingly unrelated problems that all stem from time skew. MSPs managing air-gapped or highly restricted networks must ensure clients provide accessible NTP servers, as devices cannot sync time without network access. Certificate expiration monitoring should account for device clock accuracy, as devices with incorrectly set clocks may not detect approaching certificate expiration until failures occur.

Education: School networks often restrict outbound traffic aggressively, inadvertently blocking NTP and causing time drift on student devices. Shared iPads that sleep for extended periods may experience significant clock drift if they cannot reach time servers upon wake. Education IT should configure MDM to permit time.apple.com access or provide internal NTP servers accessible to all device VLANs. Time synchronization issues manifest as “Certificate not valid” errors during app downloads or profile installations.

In Addigy

Addigy-managed devices follow standard Apple behavior for time synchronization, typically using time.apple.com unless configured otherwise. Administrators can deploy custom NTP configuration profiles if organizational policy requires specific time servers. Addigy’s device facts collection includes system time information that can reveal devices with significant clock drift. When troubleshooting certificate validation errors or authentication failures, Addigy support often checks device time accuracy as an early diagnostic step.

For organizations with strict network controls that block external NTP, Addigy can help configure custom time server settings deployed via MDM profiles. Addigy’s monitoring can identify devices that haven’t checked in for extended periods, which may have experienced clock drift that prevents successful MDM communication.

Also Known As

  • Network Time Synchronization Protocol
  • Time Synchronization