Typically, MDM servers reside in the DMZ so that mobile devices can make inbound connections even when they are outside the corporate firewall. Like other external-facing servers, the ZENworks MDM Server faces the Internet from within the DMZ. This lets the enterprise firewall restrict what reaches the MDM Server to the ports it actually needs, and keeps the MDM Server separated from the internal network.
To enable both internal and external access to the MDM Server, certain firewall ports must be open. The ZENworks MDM Server accepts most inbound connections over HTTPS on TCP port 443.
Apple Push Notification service: The MDM Server and the iOS clients communicate with each other through the Apple Push Notification service (APNs). For outbound connections, the MDM Server uses TCP ports 443 and 2197 to Apple’s 17.0.0.0/8 block. Mobile devices on your network must be able to reach APNs on TCP port 5223 (with TCP 443 as the fallback) so that APNs can deliver messages to them; open these ports outbound in the firewall.
Firebase Cloud Messaging: The MDM Server and the Android clients communicate with each other through the Firebase Cloud Messaging (FCM) service. For outbound connections, open TCP port 443 from both the MDM Server and the Android clients to the FCM service. Mobile devices on your network receive FCM messages over port 5228 in most cases, but FCM sometimes uses 5229 and 5230, so allow all three outbound.
A detailed list of the ports to enable for each ZENworks feature is provided in the next section.
The MDM Server and the end-user devices must be able to reach certain endpoints to access apps and services. The endpoint URLs are listed below:
Feature | URL | Port | Additional Information
---|---|---|---
Server Connections | | |
Apple Push Notification Service | https://api.push.apple.com/ | TCP 443 |
Apple Device Enrollment Program (see Enrolling devices using the Apple Device Enrollment Program) | https://mdmenrollment.apple.com/session | HTTP/HTTPS 80 or 443 |
Apple Volume Purchase Program | https://vpp.itunes.apple.com/WebObjects/MZFinance.woa/wa/VPPServiceConfigSrv | HTTP/HTTPS 80 or 443 | This is a static URL from which the dynamic URLs for specific VPP operations are retrieved.
iOS App Store App Bundle | *.apple.com, *.mzstatic.com, itun.es, appsto.re, macappsto.re, apps.itunes.com, apps.itunes-nocookie.com | TCP 443 | App Store apps
Device Connections | | |
Apple Push Notification Service | courier.push.apple.com (17.0.0.0/8) | TCP 5223 and 443 |
Feature | URL | Port | Additional Information
---|---|---|---
Server Connections | | |
Firebase Cloud Messaging | https://fcm.googleapis.com/fcm | TCP 443, 5228-5230 |
Android Enterprise | https://www.googleapis.com | TCP 443 | Used to invoke the Google EMM API in the ZENloader and ZENserver services.
Android Enterprise | play.google.com, www.google.com | TCP 443 | Google Play Store; Play Enterprise re-enroll
Android Enterprise | fonts.googleapis.com, *.gstatic.com | TCP 443 | Google fonts; user-generated content (e.g. app icons in the store)
Android Enterprise | accounts.google.com, accounts.google.com.* | TCP 443 | Account authentication; country-specific account auth domains
Android Enterprise | crl.pki.goog, ocsp.pki.goog | TCP 443 | Certificate validation
Android Enterprise | apis.google.com, ajax.googleapis.com | TCP 443 | GCM, other Google web services, and iFrame JS
Android Enterprise | clients1.google.com, payments.google.com, google.com | TCP 443 | App approval
Android Enterprise | notifications.google.com | TCP 443 | Desktop/mobile notifications
Device Connections | | |
Firebase Cloud Messaging | fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP 443, 5228-5230 | Firebase Cloud Messaging (Find My Device, EMM console to DPC communication, such as pushing configs)
Firebase Cloud Messaging | fcm-xmpp.googleapis.com | TCP 5235, 5236 | When using a persistent bidirectional XMPP connection to the FCM server.
Android Enterprise | play.google.com, android.com, google-analytics.com, googleusercontent.com, *gstatic.com, *gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com, *gvt2.com, *gvt3.com | TCP 443; TCP/UDP 5228-5230 | Google Play and updates. gstatic.com and googleusercontent.com carry user-generated content (e.g. app icons in the store). *gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com and android.clients.google.com download apps and updates and serve Play Store APIs. gvt2.com and gvt3.com are used for Play connectivity monitoring for diagnostics.
Android Enterprise | *.googleapis.com | TCP 443 | EMM/Google APIs/Play Store APIs
Android Enterprise | accounts.google.com, accounts.google.[country] | TCP 443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]; for example, accounts.google.com.au for Australia and accounts.google.co.uk for the United Kingdom.
Android Enterprise | pki.google.com, clients1.google.com | TCP 443 | Certificate revocation list checks for Google-issued certificates
Android Enterprise | clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP 443 | Domains shared by various Google backend services such as crash reporting, Chrome bookmark sync, time sync (tlsdate), and many others.
Android Enterprise | omahaproxy.appspot.com | TCP 443 | Chrome updates.
Feature | URL | Port | Additional Information
---|---|---|---
Intune App Protection | https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration | HTTP/HTTPS 80 or 443 | Get Microsoft Graph API configuration details
Intune App Protection | https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections | HTTP/HTTPS 80 or 443 | Test the validity of the access token.
Intune App Protection | https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppStatuses/managedAppList | HTTP/HTTPS 80 or 443 | List all the apps while creating the Intune App Protection policy.
Intune App Protection | https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections | HTTP/HTTPS 80 or 443 | Create and assign the iOS Intune App Protection policy.
Intune App Protection | https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections | HTTP/HTTPS 80 or 443 | Create and assign the Android Intune App Protection policy.
Intune App Protection | https://graph.microsoft.com/v1.0/groups | HTTP/HTTPS 80 or 443 | List the groups present in Azure.
Intune App Protection | https://graph.microsoft.com/v1.0/users | HTTP/HTTPS 80 or 443 | List the users present in Azure.
Intune App Protection | https://graph.microsoft.com/v1.0/users/{AZURE_USER_GUID}/wipeManagedAppRegistrationsByDeviceTag | HTTP/HTTPS 80 or 443 | For the wipe action.
Intune App Protection | https://graph.microsoft.com/v1.0/users/{AZURE_USER_GUID}/managedAppRegistrations | HTTP/HTTPS 80 or 443 | List the registered apps on the user’s device.
Intune App Protection | https://graph.microsoft.com/v1.0/deviceAppManagement | HTTP/HTTPS 80 or 443 | Obtain the wipe status of the device.