Preparing for Android Enterprise device support

This section describes the minimum network requirements for Android Enterprise devices. Android devices generally do not require you to open inbound ports on the firewall in order to function correctly. However, there are a number of outbound connections that administrators need to be aware of when setting up their network environments for Android Enterprise devices.

The list of network changes provided in the following table is not exhaustive and may change. It covers known endpoints for current and past versions of the enterprise management API and GMS apps.

In addition to the ports listed in the following table, Android Enterprise devices require access to Ivanti Neurons for MDM.

The following table lists the requirements for Android Enterprise devices:

| Destination Host | Ports | Purpose |
|---|---|---|
| play.google.com, android.com, google-analytics.com, googleusercontent.com, gstatic.com, *.gvt1.com, *ggpht.com, dl.google.com, android.clients.google.com | TCP/443; TCP, UDP/5228-5230 | Google Play and updates (APKs, app logos, etc.). gstatic.com, googleusercontent.com: contain User Generated Content (for example, app icons in the store). *.gvt1.com, *ggpht.com, dl.google.com, android.clients.google.com: download apps and updates, PlayStore APIs. |
| *googleapis.com | TCP/443 | UEM/Google APIs/PlayStore APIs |
| accounts.google.com | TCP/443 | Authentication |
| fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP/443, 5228-5230 | Firebase Cloud Messaging (for example, Find My Device, UEM Console <-> DPC communication, like pushing configs) |
| pki.google.com, clients1.google.com | TCP/443 | Certificate Revocation |
| clients[2...6].google.com | TCP/443 | Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others. |

Google does not provide specific IPs, so you should configure your firewall to allow outgoing connections to all IP addresses in the IP blocks listed under Google's ASN 15169, available at http://bgp.he.net/AS15169#_prefixes.

IPs of Google peers and edge nodes are not listed in the AS15169 blocks. See https://peering.google.com/ for more information about Google's Edge Network.
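The following is an added example, not Ivanti or Google code: it checks outbound flows (for instance, entries from a proxy or firewall deny log) against the hosts and ports in the table above, matching wildcard entries on a DNS label boundary so that a look-alike name is not admitted. It assumes every entry covers the named domain and its subdomains, and reads the Google Play port range as 5228-5230; the function names and sample flows are constructed for illustration.

```python
PORTS_443 = {("tcp", 443)}
PORTS_FCM = PORTS_443 | {("tcp", p) for p in range(5228, 5231)}
PORTS_PLAY = PORTS_FCM | {("udp", p) for p in range(5228, 5231)}

# Host entries as written in the table; clients[2...6] is expanded.
TABLE = [
    (["play.google.com", "android.com", "google-analytics.com",
      "googleusercontent.com", "gstatic.com", "*.gvt1.com", "*ggpht.com",
      "dl.google.com", "android.clients.google.com"], PORTS_PLAY),
    (["*googleapis.com", "accounts.google.com", "pki.google.com",
      "clients1.google.com"] + [f"clients{n}.google.com" for n in range(2, 7)],
     PORTS_443),
    (["fcm.googleapis.com", "fcm-xmpp.googleapis.com"], PORTS_FCM),
]


def host_matches(host: str, entry: str) -> bool:
    """True if host is the entry's domain or a subdomain of it.

    Assumption: wildcard and bare entries both cover the domain and its
    subdomains. The comparison is on a label boundary, so the entry
    "*googleapis.com" does not admit "evilgoogleapis.com".
    """
    domain = entry.lstrip("*").lstrip(".").lower()
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def is_allowed(host: str, proto: str, port: int) -> bool:
    """Check one outbound flow against every table row that names the host."""
    return any(
        (proto.lower(), port) in ports
        for entries, ports in TABLE
        for entry in entries
        if host_matches(host, entry)
    )


def audit(flows):
    """Return the flows that no row of the table covers."""
    return [flow for flow in flows if not is_allowed(*flow)]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("play.google.com", "tcp", 443), ("fcm.googleapis.com", "tcp", 5228),
    ("r4.gvt1.com", "udp", 5229), ("clients4.google.com", "tcp", 443),
    ("evilgoogleapis.com", "tcp", 443), ("accounts.google.com", "tcp", 80),
    ("clients7.google.com", "tcp", 443),
]
```

Running `audit(SAMPLE_FLOWS)` returns the flows that fall outside the table, which is the list to review before widening a firewall rule.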