7.1 Firewall Configuration

Typically, MDM Servers must reside in the DMZ thereby allowing mobile devices to make inbound connections even when they are outside the firewall. Like other external-facing servers, the ZENworks MDM Server faces the Internet from within the DMZ. This lets the enterprise firewall protect the MDM Server from external attacks.

7.1.1 Firewall Ports

To enable both internal and external access to the MDM server, certain firewall ports must be open. The ZENworks MDM Server accepts most inbound connections using HTTPS on port 443.

Apple Push Notification service: Both the MDM server and the iOS clients communicate with each other using the Apple Push Notification service (APNs). For outbound connections, the MDM server uses ports 443 and 2197 to Apple’s 17.0.0.0/8 block. Port 5223 must be open in the firewall to enable mobile devices to connect to the APNs server, so that the APNs can send messages to these mobile devices that are within your network.

Firebase Cloud Messaging: Both the MDM server and the Android clients communicate with each other using the Firebase Cloud Messaging (FCM) service. For outbound connections, open port 443 to connect to the FCM service from the MDM Server as well as the Android clients. For mobile devices that are within your network, to receive messages, FCM typically uses port 5228, but it sometimes uses 5229 and 5230.

A detailed list of the ports to be to enabled for each ZENworks feature is provided in the next section.

7.1.2 Endpoint URLs

The MDM Server and the end-user devices must be able to reach certain endpoints to access apps and services. The endpoint URLs are listed below:

Apple

Feature

URL

Port

Additional Information

Server Connections

Apple Push Notification Service

See Enabling Push Notifications for iOS Devices

https://api.push.apple.com/

TCP 443

Apple Device Enrollment Program

See Enrolling devices using the Apple Device Enrollment Program

https://mdmenrollment.apple.com/session

HTTP/HTTPS 80 or 443

 

Apple Volume Purchase Program

See Distributing VPP Apps

https://vpp.itunes.apple.com/WebObjects/MZFinance.woa/wa/VPPServiceConfigSrv

HTTP/HTTPS 80 or 443

This is a static URL based on which the dynamic URLs to perform specific VPP operations can be retrieved.

iOS App Store App Bundle

See Provisioning Applications

*.apple.com

*.mzstatic.com

itun.es

appsto.re

macappsto.re

apps.itunes.com

apps.itunes-nocookie.com

TCP 443

App Store apps

Device Connections

Apple Push Notification Service

See Enabling Push Notifications for iOS Devices

courier.push.apple.com(17.0.0.0/8)

TCP 5223 and 443

Android

Feature

URL

Port

Additional Information

Server Connections

Firebase Cloud Messaging

See Enabling Push Notifications

https://fcm.googleapis.com/fcm

TCP Port 443, 5228-5230

 

Android Enterprise

See Enrolling Android Devices

https://www.googleapis.com

TCP 443

Used to invoke the Google EMM API in the ZENloader and ZENserver services.

play.google.com

www.google.com

TCP 443

Google Play Store

Play Enterprise re-enroll

fonts.googleapis.com

*.gstatic.com

TCP 443

Google fonts

User Generated Content (e.g. app icons in the store)

accounts.google.com

accounts.google.com.*

TCP 443

Account Authentication

Country-specific account auth domains

crl.pki.goog

ocsp.pki.goog

TCP 443

Certificate Validation

apis.google.com

ajax.googleapis.com

TCP 443

GCM, other Google web services, and iFrame JS

clients1.google.com

payments.google.com

google.com

TCP 443

App approval

notifications.google.com

TCP 443

Desktop/Mobile Notifications

Device Connections

 

 

 

Firebase Cloud Messaging

See Enabling Push Notifications

fcm.googleapis.com

fcm-xmpp.googleapis.com

TCP/443,5228-5230

Firebase Cloud Messaging (Find My Device, EMM Console -DPC communication, like pushing configs)

fcm-xmpp.googleapis.com

TCP/5235,5236

When using persistent bidirectional XMPP connection to FCM server.

Android Enterprise

See Enrolling Android Devices

play.google.com

android.com

google-analytics.com

googleusercontent.com

*gstatic.com

*gvt1.com

*.ggpht.com

dl.google.com

dl-ssl.google.com

android.clients.google.com

*gvt2.com

*gvt3.com

TCP 443TCP,UDP/5228-5230

Google Play and updates

gstatic.com,googleusercontent.com - contains User Generated Content (e.g. app icons in the store).*gvt1.com, *.ggpht, dl.google.com, dl-ssl.google.com, android.clients.google.com- Download apps and updates, Play Store APIs

gvt2.com and gvt3.com are used for Play connectivity monitoring for diagnostics.

*.googleapis.com

TCP 443

EMM/Google APIs/PlayStore APIs

accounts.google.com

accounts.google.[country]

TCP 443

AuthenticationFor accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for United Kingdom use accounts.google.co.uk.

pki.google.com

clients1.google.com

TCP 443

Certificate Revocation list checks for Google-issued certificates

clients2.google.com

clients3.google.com

clients4.google.com

clients5.google.com

clients6.google.com

TCP 443

Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others.

omahaproxy.appspot.com

TCP 443

Chrome updates.

Intune

Feature

URL

Port

Additional Information

Intune App Protection

See Protecting Intune Apps

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

HTTP/HTTPS 80 or 443

Get Microsoft Graph API configuration details

 

https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections

HTTP/HTTPS 80 or 443

Test the validity of the access token.

 

https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppStatuses/managedAppList

HTTP/HTTPS 80 or 443

List all the apps while creating the Intune App Protection policy.

 

https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections

HTTP/HTTPS 80 or 443

Create and assign the iOS Intune App Protection policy.

 

https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections

HTTP/HTTPS 80 or 443

Create and assign the Android Intune App Protection policy.

 

https://graph.microsoft.com/v1.0/groups

HTTP/HTTPS 80 or 443

Lists the groups present in Azure.

 

https://graph.microsoft.com/v1.0/users

HTTP/HTTPS 80 or 443

Lists the users present in Azure.

 

https://graph.microsoft.com/v1.0/users/{AZURE_USER_GUID}/wipeManagedAppRegistrationsByDeviceTag

HTTP/HTTPS 80 or 443

For the wipe action.

 

https://graph.microsoft.com/v1.0/users/{AZURE_USER_GUID}/managedAppRegistrations

HTTP/HTTPS 80 or 443

Lists the registered apps on the user’s device.

 

https://graph.microsoft.com/v1.0/deviceAppManagement

HTTP/HTTPS 80 or 443

Obtain the wipe status of the device.