Additional Firewall Rules

The following table outlines additional firewall rules from the internal corporate network to the Internet.

  • Organizations with local network-connected Wi-Fi must mirror the external firewall port configuration on their local DMZ firewall in order for Wi-Fi-connected devices to register and function day to day.

  • MobileIron Sentry does not support connection pooling via load balancer. Turn off your load balancer’s connection pooling before deploying.

 

table 1. Additional Firewall Rules

Requirement

Description

Port

iOS Features

For Apple Activation Lock support, open HTTPS 443 to:

https://deviceservices-external.apple.com.

For Apple DEP support, open HTTPS 443 to:
https://mdmenrollment.apple.com.

These ports are not required if not using iOS MDM.

HTTPS 443

iOS (Wi‑Fi Only) Devices

Open TCP 5223 to open 17.0.0.0/8 and allow iOS devices using corporate Wi-Fi to access the Apple APNS service. If you are not using iOS MDM, then this port is not required.

For devices on closed networks:

  • ax.init.itunes.apple.com: Current file-size limit for downloading apps over the cellular network.
  • ocsp.apple.com: Status of the distribution certificate used to sign the provisioning profile.

TCP 5223

Android devices

To allow access to Google's FCM or GCM service: open TCP ports 5228, 5229, and 5230. GCM typically only uses TCP 5228, but it sometimes uses TCP 5229 and TCP 5230. GCM does not provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169. For older devices, consider open HTTPS 443, as well.

For Android enterprise:

  • https://www.googleapis.com/androidenterprise
  • https://accounts.google.com/o/oauth2/token

For Help@Work for Android and iOS: In general, TeamViewer will always work if Internet access is possible. As an alternative to HTTP 80, HTTPS 443 is also checked. It is also possible to open only TCP 5938 (required for mobile connections).

TCP 5228
TCP 5229
TCP 5230
HTTPS 443

Docs@Work License Server

Open HTTPS 443 to the following URLs to allow access to the Docs@Work license server:

  • https://api.polariskit.com/*
  • https://enterprise.infraware.net/*
  • https://pspdfkit-license-service-1.com/*
  • https://pspdfkit-license-service-2.com/*
  • https://pspdfkit-license-service-3.com/*
  • https://pspdfkit-license-service-4.com/*

HTTPS 443

AppConfig Community Repository

Open port 443 (HTTPS) to the following URLs to allow access to the Docs@Work license server:

  • https://api.appthority.com/applications/bulk_query (Appthority)
  • https://api.mqcdn.com/sdk/mapquest-js/v1.0.0/mapquest.css
    (for the find my phone mapping and other options)
  • pki-ws.symauth.com (SymantecManagedPKI)
  • https://onestore.microsoft.com (BusinessStorePortal(BSP))
  • https://bspmts.mp.microsoft.com/V1 (BusinessStorePortal(BSP))
  • https://mobility.threatpulse.com:9443 (BlueCoat)
  • https://login.microsoftonline.com/{tenant_id}/oauth2/authorize
    (MicrosoftGraph)
  • https://eu-api.samsungknox.com (Samsung E-FOTA)
  • https://has.spserv.microsoft.com/HealthAttestation/
    ValidateHealthCertificate/v1 (Windows device attestation)
  • https://webapi.teamviewer.com/api/v1/
    (AndroidHelp@Work)
  • https://system.globalsign.com/cr/ws/GasOrderService
    (GlobalSign)
  • https://appconfig.cdn.mobileiron.com
    (iOSManagedAppConfigcommunity)
  • https://graph.windows.net/%s/devices/deviceId_%s?api-version=1.6
    (Azureactivedirectory)

HTTPS 443

Related topics