For anyone who happens to stumble into this post, the answer is to whitelist the provisioning server and push server IPs, documented here: