5.2 Firewall Configuration

Typically, MDM Servers must reside in the DMZ, which allows mobile devices to make inbound connections even when they are outside the corporate firewall. Like other external-facing servers, the ZENworks MDM Server faces the Internet from within the DMZ, so the enterprise firewall protects the MDM Server from external attacks.

5.2.1 Firewall Ports

To enable both internal and external access to the MDM server, certain firewall ports must be open. The ZENworks MDM Server accepts most inbound connections using HTTPS on port 443.

Apple Push Notification service: Both the MDM server and the iOS clients communicate with each other using the Apple Push Notification service (APNs). For outbound connections, the MDM server uses ports 2195 and 2196 to Apple's 17.0.0.0/8 block. Port 5223 must be open in the firewall so that mobile devices within your network can connect to the APNs server and receive the messages APNs sends to them.

Firebase Cloud Messaging: Both the MDM server and the Android clients communicate with each other using the Firebase Cloud Messaging (FCM) service. For outbound connections, open port 443 so that the MDM Server and the Android clients can connect to the FCM service. For mobile devices within your network to receive messages, FCM typically uses port 5228, but it sometimes uses 5229 and 5230.

A detailed list of the ports to be enabled for each ZENworks feature is provided in the next section.

5.2.2 Endpoint URLs

The MDM Server and the end-user devices must be able to reach certain endpoints to access apps and services. The endpoint URLs are listed below:

Apple

| Feature | URL | Port | Additional Information |
|---|---|---|---|
| Server Connections | | | |
| Apple Push Notification Service (see Enabling Push Notifications for iOS Devices) | gateway.push.apple.com:2195, feedback.push.apple.com:2196 | TCP 2195/2196 | Used for validating the APNS certificate. This is not an HTTP connection but an SSL socket connection. gateway.push.apple.com:2195 is used for sending remote notifications; feedback.push.apple.com:2196 is used to receive feedback. |
| Apple Push Notification Service | https://api.push.apple.com/ | TCP 443 | |
| Apple Device Enrollment Program (see Integrating ZENworks with Android Enterprise) | https://mdmenrollment.apple.com/session | HTTP/HTTPS 80 or 443 | |
| Apple Volume Purchase Program (see Subscribing to Apple VPP) | https://vpp.itunes.apple.com/WebObjects/MZFinance.woa/wa/VPPServiceConfigSrv | HTTP/HTTPS 80 or 443 | This is a static URL from which the dynamic URLs used to perform specific VPP operations can be retrieved. |
| iOS App Store App Bundle (see Provisioning Applications) | *.apple.com, *.mzstatic.com, itun.es, appsto.re, macappsto.re, apps.itunes.com, apps.itunes-nocookie.com | TCP 443 | App Store apps |
| Device Connections | | | |
| Apple Push Notification Service (see Enabling Push Notifications for iOS Devices) | courier.push.apple.com (17.0.0.0/8) | TCP 5223 and 443 | |

Android

| Feature | URL | Port | Additional Information |
|---|---|---|---|
| Server Connections | | | |
| Firebase Cloud Messaging (see Enabling Push Notifications) | https://fcm.googleapis.com/fcm | TCP 443, 5228-5230 | |
| Android Enterprise (see Integrating ZENworks with Android Enterprise) | https://www.googleapis.com | TCP 443 | Used to invoke the Google EMM API in the ZENloader and ZENserver services. |
| | play.google.com, www.google.com | TCP 443 | Google Play Store; Play Enterprise re-enroll |
| | fonts.googleapis.com, *.gstatic.com | TCP 443 | Google fonts; user generated content (e.g. app icons in the store) |
| | accounts.google.com, accounts.google.com.* | TCP 443 | Account authentication; country-specific account auth domains |
| | crl.pki.goog, ocsp.pki.goog | TCP 443 | Certificate validation |
| | apis.google.com, ajax.googleapis.com | TCP 443 | GCM, other Google web services, and iFrame JS |
| | clients1.google.com, payments.google.com, google.com | TCP 443 | App approval |
| | notifications.google.com | TCP 443 | Desktop/mobile notifications |
| Device Connections | | | |
| Firebase Cloud Messaging (see Enabling Push Notifications) | fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP 443, 5228-5230 | Firebase Cloud Messaging (Find My Device, EMM Console to DPC communication, such as pushing configs) |
| | fcm-xmpp.googleapis.com | TCP 5235, 5236 | When using a persistent bidirectional XMPP connection to the FCM server. |
| Android Enterprise (see Integrating ZENworks with Android Enterprise) | play.google.com, android.com, google-analytics.com, googleusercontent.com, *gstatic.com, *gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com, *gvt2.com, *gvt3.com | TCP 443; TCP/UDP 5228-5230 | Google Play and updates. gstatic.com and googleusercontent.com contain user generated content (e.g. app icons in the store). *gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com and android.clients.google.com are used to download apps and updates and for Play Store APIs. gvt2.com and gvt3.com are used for Play connectivity monitoring for diagnostics. |
| | *.googleapis.com | TCP 443 | EMM/Google APIs/Play Store APIs |
| | accounts.google.com, accounts.google.[country] | TCP 443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for the United Kingdom use accounts.google.co.uk. |
| | pki.google.com, clients1.google.com | TCP 443 | Certificate Revocation List checks for Google-issued certificates |
| | clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP 443 | Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others. |
| | omahaproxy.appspot.com | TCP 443 | Chrome updates. |
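The port list in 5.2.1 and the Server Connections rows of the tables in 5.2.2 are easier to keep correct as data than as a checklist. The script below is an added example and is not part of the ZENworks documentation or product: it emits an nftables host-firewall fragment for the MDM server built from the ports named above, and probes each outbound server endpoint with nc so that a port the enterprise firewall still blocks shows up before devices fail to enroll. The hostnames, ports and the 17.0.0.0/8 block come from this page; the table name mdm_egress, the endpoint labels, the function names, the script name mdm_ports.sh and the rule layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the ZENworks documentation. Builds a host-firewall
# fragment for the MDM server from the documented ports and checks that each
# outbound endpoint is reachable from the server. Names below (mdm_egress,
# labels, function names) are assumptions made for this example.

# Outbound endpoints the MDM server needs (Server Connections rows above):
# "host port label", one per line.
MDM_ENDPOINTS='gateway.push.apple.com 2195 apns-gateway
feedback.push.apple.com 2196 apns-feedback
api.push.apple.com 443 apns-http2
mdmenrollment.apple.com 443 apple-dep
vpp.itunes.apple.com 443 apple-vpp
fcm.googleapis.com 443 fcm
www.googleapis.com 443 google-emm-api'

# Number of endpoints in the list.
endpoint_count() {
    printf '%s\n' "$MDM_ENDPOINTS" | grep -c .
}

# nftables fragment for the MDM host. Inbound: only TCP 443, which is where
# devices reach the server. Outbound: the APNs binary ports only towards
# Apple's published 17.0.0.0/8 block, plus TCP 443 for APNs HTTP/2, DEP,
# VPP, the App Store, FCM and the Google EMM API (no address block is
# published for those, so they share one rule). Everything else is dropped.
# Add your own management ports (SSH, backup) to the input chain first.
mdm_nft_rules() {
    cat <<'EOF'
table inet mdm_egress {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 443 accept comment "device enrollment and MDM check-in"
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp dport 53 accept comment "resolve endpoint names"
        ip daddr 17.0.0.0/8 tcp dport { 2195, 2196 } accept comment "APNs gateway and feedback"
        tcp dport 443 accept comment "APNs HTTP/2, DEP, VPP, App Store, FCM, Google EMM API"
    }
}
EOF
}

# Probe one TCP endpoint with a zero-I/O connect (nc -z) and a 5 s timeout.
# Prints a one-line result and returns 0 only when the port answered.
check_endpoint() {
    host=$1; port=$2; label=${3:-}
    if nc -z -w 5 "$host" "$port" >/dev/null 2>&1; then
        printf 'open     %-28s %-5s %s\n' "$host" "$port" "$label"
    else
        printf 'BLOCKED  %-28s %-5s %s\n' "$host" "$port" "$label"
        return 1
    fi
}

# Probe every documented endpoint. The here-document keeps the loop in the
# current shell so the counter survives; the exit status is the number of
# endpoints that did not answer, which cron or monitoring can alert on.
check_all() {
    failed=0
    while read -r host port label; do
        [ -n "$host" ] || continue
        check_endpoint "$host" "$port" "$label" || failed=$((failed + 1))
    done <<EOF
$MDM_ENDPOINTS
EOF
    echo "$failed of $(endpoint_count) endpoint(s) unreachable"
    return "$failed"
}

# Usage: sh mdm_ports.sh rules | nft -c -f -    (syntax-check the fragment)
#        sh mdm_ports.sh check                  (run from the MDM server)
case "${1:-}" in
    rules) mdm_nft_rules ;;
    check) check_all ;;
esac
```

Run the `rules` mode through `nft -c -f -` (check-only) before loading the fragment, and the `check` mode from the MDM server after every enterprise firewall change; a non-zero exit status is the count of unreachable endpoints. The fragment covers only the server's own traffic: the device-facing ports (TCP 5223 for APNs, 5228-5230 for FCM) belong on the firewall in front of the device network, not on the MDM host.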