I was just battling this issue. I found that I was able to receive push notifications while on WiFi after I unblocked port 5228.
This is copied from a McAfee website:
NOTE: Apple and Google reserve the right to change the IP range of each address, which can result in these IP ranges changing frequently and/or without warning. Therefore McAfee does not specify the IP ranges of these addresses, and recommends that only the Fully Qualified Domain Name (FQDN) is used for all outgoing ports. If you decide to use specific IP addresses instead of FQDNs for these addresses you are doing so at your own risk, and the functionality and stability of your EMM environment cannot be guaranteed.
Apple Push Notification: Outbound from the Server that hosts the EMM Push Notifier Component to: gateway.push.apple.com
Apple Feedback Service: Outbound from the Server that hosts the EMM Push Notifier Component to: feedback.push.apple.com
443 Android C2DM - Outbound from the Server that hosts the EMM Push Notifier Component to: android.apis.google.com and google.com
LDAP service: from EMM Hub to LDAP server (internal network) for authentication
1433 EMM Hub to SQL server (internal network)
IMPORTANT: The following ports should be opened when devices are connected to the Internet through a corporate WiFi router that is behind a company firewall. For those devices to reach the Apple/Google Push Notification and C2DM servers, these ports must also be allowed outbound on the firewall.
From internal Corporate WiFi router outbound to Apple Push Notification servers: gateway.push.apple.com, feedback.push.apple.com
5228 From internal Corporate WiFi router outbound to Google C2DM servers: android.apis.google.com and google.com
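The following is an added example, not part of the post above or of the McAfee text it quotes. It is a check to run from a device or host on the corporate WiFi segment: each FQDN is resolved at run time, as the note recommends, and a TCP connect is attempted to every resolved address. Only entries whose port number appears in the list above are included; the function name, timeout and the injectable `resolve`/`connect` parameters are assumptions made for this example.

```python
import socket

# (port, FQDN) pairs that appear with a port number in the list above.
TARGETS = [
    (443, "android.apis.google.com"),
    (443, "google.com"),
    (5228, "android.apis.google.com"),
    (5228, "google.com"),
]


def check(host, port, timeout=3.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Resolve host at check time, then try a TCP connect to every address.

    resolve/connect are injectable (hypothetical parameters) so the logic
    can be exercised without network access.
    """
    result = {"host": host, "port": port, "reachable": [], "blocked": []}
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        result["status"] = "dns-failed"
        result["detail"] = str(exc)
        return result
    for addr in sorted({info[4][0] for info in infos}):
        try:
            connect((addr, port), timeout=timeout).close()
            result["reachable"].append(addr)
        except OSError:  # refused, filtered (timeout) or unroutable
            result["blocked"].append(addr)
    if not result["reachable"]:
        result["status"] = "blocked"
    elif result["blocked"]:
        # Some resolved addresses pass and others do not: this can indicate
        # a firewall rule pinned to IPs that no longer match the FQDN
        # (or, on some networks, a missing IPv6 route).
        result["status"] = "partial"
    else:
        result["status"] = "open"
    return result


if __name__ == "__main__":
    for port, host in TARGETS:
        r = check(host, port)
        print(f"{host}:{port} {r['status']} "
              f"reachable={r['reachable']} blocked={r['blocked']}")
```

A `partial` or `blocked` result on port 5228 while port 443 is `open` matches the symptom described in the post: push notifications fail on WiFi until the outbound port is allowed.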