Use the Settings > Port Settings > Port Configuration options to change settings for the following MobileIron services:
- Sync TLS
- MIFS Admin
- Sentry Service
- [email protected]
- Local CA Certificate Revocation List
Port setting considerations
- If you enable client mutual certificate authentication, you must change the [email protected] Port setting if you are using iOS devices with the [email protected] web clip using certificate authentication.
- Other changes to the default port settings are seldom necessary.
- Making changes to these settings sometimes requires that you re-register devices, so use caution when making changes.
Changing port settings
- Log into System Manager.
- Go to Settings > Port Settings to open the Port Configuration window.
- Edit the fields, as necessary.
Refer to the Port Configuration window table for details.
The port and protocol default values for newly-issued Local CA Certificate Revocation List (CRL) distribution points (CDP) have changed. Beginning with the 10.4 Ivanti EPMM release, new Local CDPs will use port 8080 and protocol HTTP by default. You don't need to generate a new CSR or replace the old certificates. Local CDPs that were configured to use HTTPS through port 443 will still be reachable.
Changing the default CRL protocol and port configuration
Use the Settings > Port Settings > CRL (Certificate Revocation List) protocol and port configuration options to change the default protocol and port for all local certificate authorities (CA).
For new installations, the default value for the certificate revocation list (CRL) is protocol HTTP and port 8080. The need to change the default port is rare. However, if you do modify the CRL port, verify that no other Ivanti EPMM service is using that port. For example, port 9997 is the default value for Sync TLS, and using the same port for CRL will result in service disruptions.
- Log into System Manager.
- Go to Settings > Port Settings to open the Port Configuration window.
- Scroll down to the CRL (Certificate Revocation List) protocol and port configuration section.
- Select the default CRL protocol.
  - CRL Protocol: HTTPS or HTTP
  - CRL Port: defaults to the port supporting the selected protocol. If you choose HTTP, you can leave the default (8080), or modify the CRL port number.
  When the CRL port and protocol change, verify that the old port is open on the network firewall. Otherwise, apps (such as [email protected]) using certificates from before the port change will time out during the certificate revocation verification check.
- Click Apply.
- Click Save (in the top-right of the page) to globally save your choices when the system is rebooted.
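The two checks described above, as an added Python example that is not part of the Ivanti documentation: it flags a proposed CRL port that collides with the default service ports listed on this page, and splits the CRL distribution point endpoints that must stay reachable into current and legacy. The CDP URLs, hostname, and function names are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Default service ports as stated on this page.
PAGE_DEFAULT_PORTS = {"Sync TLS": 9997, "Sync service": 9999, "MIFS Admin": 443,
                      "Sentry service": 8443, "Provisioning": 443}
# Constructed sample: CDP URLs as they might be read from issued certificates.
# Hostname and path are placeholders, not values from the product.
SAMPLE_CDPS = [
    "https://epmm.example.com/crl/local-ca.crl",      # older cert, implicit 443
    "https://epmm.example.com:443/crl/local-ca.crl",  # older cert, explicit 443
    "http://epmm.example.com:8080/crl/local-ca.crl",  # cert issued with new default
]

def endpoint(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported CDP URL: {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]

def firewall_plan(cdp_urls, current_scheme, current_port):
    """Split distinct CDP endpoints into current and legacy (embedded in older certs)."""
    current, legacy = set(), set()
    for url in cdp_urls:
        ep = endpoint(url)
        is_current = (ep[0], ep[2]) == (current_scheme, current_port)
        (current if is_current else legacy).add(ep)
    return sorted(current), sorted(legacy)

def port_conflicts(crl_port, service_ports=PAGE_DEFAULT_PORTS):
    """Names of services already using the proposed CRL port."""
    return sorted(name for name, port in service_ports.items() if port == crl_port)

def is_reachable(host, port, timeout=3.0):
    """TCP connect test; run it from the network segment the devices use."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print("conflicts for 9997:", port_conflicts(9997))
    current, legacy = firewall_plan(SAMPLE_CDPS, "http", 8080)
    for label, eps in (("current", current), ("legacy, keep open", legacy)):
        for scheme, host, port in eps:
            print(f"{label}: {scheme}://{host}:{port}")
```

Every endpoint reported as legacy is one that `is_reachable` should still confirm after the change, because the distribution point URL is fixed inside each certificate when it is issued.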
Verifying Sentry connectivity
To verify that Standalone Sentry is successfully connecting with Core:
- Log into System Manager for the Standalone Sentry.
- Go to Troubleshooting > Service Diagnosis.
- For EMM service, click Verify.
- The Status for the EMM service should show Success.
Port Configuration window
The following table summarizes fields and descriptions in the Port Configuration window:
Enter the port. However, changing this port from the default port 9997 is rare. This port cannot be the same as any other ports specified in the Port Configuration section.
This port is used for [email protected] for iOS and Android registration and device check-ins and AppConnect check-ins when mutual authentication is not enabled.
Select Disable to close this port only if all of the following are true:
For more information, see “Mutual authentication between devices and Core” in the Ivanti EPMM Device Management Guide.
MIFS Admin Port
You can change the MIFS Admin port from port 443 (the default) to port 8443. Using port 443 enhances the security of communications across the port because port 8443 can be blocked.
Sentry Service Port
The port that Standalone Sentry uses to communicate with Ivanti EPMM is called the Sentry service port. Standalone Sentry communicates with Ivanti EPMM over port 8443 to get device information. The default Sentry service port is port 8443.
Using port 8443 as the Sentry service port adds a layer of security. Typically, port 8443 is not accessible on the public Internet. Using port 8443 helps ensure that the Sentry service port is protected against unauthorized external access.
MobileIron recommends that port 8443 is used as the Sentry service port. If your firewall rules do not allow connections to the Sentry service port on 8443, you can configure 443 as the Sentry service port.
If the Sentry service port is 8443, Ivanti EPMM will only respond to requests on port 8443. Requests to 443 will be redirected to 8443. If the Sentry service port is 443, Ivanti EPMM will only respond to requests on port 443. Requests to 8443 will be redirected to 443.
If the Sentry service port is 443, it is important that you define a Portal ACL for the Sentry connection.
[email protected] Port
This port is used by [email protected] on iOS, Android, and macOS devices to communicate with Core. By default, it is port 443.
Change the port in these cases:
If you change the port, MobileIron recommends port 7443. However, you can use any port except the port that the MIFS Admin Port uses, which is either 443 or 8443.
Atlas is a legacy product of Ivanti EPMM versions prior to Ivanti EPMM 10.2.0.0. This feature is a MobileIron service which aggregates data from multiple Cores, extending reporting and management services.
The port is 443 by default, but you have the option to change it when enabled.
Other port services not configurable from the UI include:
- Sync service port – Default port is 9999 and cannot be changed.
- Provisioning protocol – Default protocol is HTTPS and cannot be changed.
- Provisioning port – Default port is 443 and cannot be changed.