Allowing access to the App Gateway
To create an MTD local action policy, you must grant Ivanti EPMM access to the App Gateway so that it can download threat definitions. The following tables list the ports required for registering with the App Gateway.
Before you begin
Be sure you have completed Adding Ivanti EPMM as your MDM server in the MTD console.
External and Internet rules
The following table outlines the firewall rules required for Internet/Outside access for:
- MTD Ivanti EPMM Appliance (physical or virtual) - All ports (except UDP) should be 'bi-directional' to allow information / data exchange between systems.
- Ivanti Sentry Appliance (physical or virtual, ActiveSync / AppTunnel) - the Ivanti Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup) or a hostfile entry must be added.
The MTD Ivanti EPMM Appliance and the Ivanti Sentry Appliance communicate with each other.
Traffic from Internet/Outside to Ivanti EPMM - Ivanti EPMM is in the DMZ
Ivanti Mobile Threat Defense scanning on iOS
Voice network service (VNS) gateway URL:
Registration URL: https://appgw.mobileiron.com/api/v1/gateway/vns/organization
Traffic from Ivanti EPMM to Internet/Outside - Ivanti EPMM is in the DMZ
Apple APNS and MDM Services
Open ports 443 (HTTPS) and 2195, 2196, 2197 (TCP) between Ivanti EPMM and the Apple Push Notification Service (APNS) network (126.96.36.199/8) to support APNS for iOS devices. If you are not using iOS MDM, these ports are not required.
- HTTPS 443: api.push.apple.com
- TCP 2196: feedback.push.apple.com
- TCP 2197: api.push.apple.com (optional, alternative to HTTPS 443)
Ports: HTTPS 443, TCP 2195, 2196, 2197
support.mobileiron.com (188.8.131.52/23) for the software update repository and upload of showtech logs.
Open HTTPS 443 (184.108.40.206/23) for location/number lookup data, in-app registration, APNS/FCM/GCM messaging, licensing, and support for sending SMS.
a.mobileiron.net for anonymized statistics collection.
As the IP range for CDN sites (supportcdn.mobileiron.com, for example) may change from time to time, whitelist the domain name instead of the IP in the firewall if there is an option to do so. Otherwise, use support.mobileiron.com to download the updates instead of supportcdn.mobileiron.com.
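As an added example (not Ivanti code), a Python pre-check that attempts a TCP connection from the DMZ host to each Ivanti EPMM egress destination named in the tables above, probing by hostname rather than IP as the CDN note recommends. The `connect` parameter is an assumption that lets the check be exercised without network access, and TCP 2195 is omitted because the page gives no hostname for it.

```python
"""Egress pre-check for an Ivanti EPMM host in the DMZ (added example, not Ivanti code)."""
import socket
from typing import Callable, Dict, List, Tuple

# (hostname, port, purpose) taken from the firewall tables above. Destinations are
# probed by hostname, not IP, because the CDN address ranges change over time.
# TCP 2195 is left out: the page lists the port but gives no hostname for it.
EPMM_EGRESS_RULES: List[Tuple[str, int, str]] = [
    ("appgw.mobileiron.com", 443, "MTD App Gateway registration / threat definitions"),
    ("api.push.apple.com", 443, "Apple APNS over HTTPS"),
    ("api.push.apple.com", 2197, "Apple APNS, alternative to HTTPS 443"),
    ("feedback.push.apple.com", 2196, "Apple APNS feedback"),
    ("support.mobileiron.com", 443, "software updates and showtech upload"),
]

# Hypothetical injection point with socket.create_connection's call shape (assumption),
# so the check can be exercised without network access.
Connector = Callable[[Tuple[str, int], float], object]


def tcp_reachable(host: str, port: int, timeout: float = 5.0,
                  connect: Connector = socket.create_connection) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout."""
    try:
        conn = connect((host, port), timeout)
    except OSError:  # DNS failure, connection refused, or a firewall drop (timeout)
        return False
    close = getattr(conn, "close", None)
    if callable(close):
        close()
    return True


def verify_egress(ios_mdm: bool = True, rules=EPMM_EGRESS_RULES,
                  connect: Connector = socket.create_connection) -> Dict[str, List[str]]:
    """Probe every rule; return {'ok': [...], 'blocked': [...]} with 'host:port (purpose)' entries."""
    report: Dict[str, List[str]] = {"ok": [], "blocked": []}
    for host, port, purpose in rules:
        # Per the table note, the APNS ports are not required without iOS MDM.
        if not ios_mdm and host.endswith("push.apple.com"):
            continue
        status = "ok" if tcp_reachable(host, port, connect=connect) else "blocked"
        report[status].append(f"{host}:{port} ({purpose})")
    return report


if __name__ == "__main__":
    result = verify_egress()
    for entry in result["blocked"]:
        print("BLOCKED:", entry)
    print(f"{len(result['ok'])} reachable, {len(result['blocked'])} blocked")
```

Run it from the EPMM network segment before registering with the App Gateway; every entry reported as blocked is a rule still missing on the outbound firewall.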
Additional Firewall Rules
The following table outlines additional firewall rules from the internal corporate network to the Internet.
- Organizations with local network-connected Wi-Fi must mirror the external firewall port configuration on their local DMZ firewall in order for Wi-Fi-connected devices to register and function day to day.
- Ivanti Sentry does not support connection pooling via load balancer. Turn off your load balancer’s connection pooling before deploying.
iOS (Wi‑Fi only) Devices
Open TCP 5223 to 220.127.116.11/8 so that iOS devices using corporate Wi-Fi can reach the Apple APNS service. If you are not using iOS MDM, this port is not required.
For devices on closed networks:
To allow access to Google's FCM or GCM service: open TCP ports 5228, 5229, and 5230. FCM/GCM typically uses only TCP 5228, but it sometimes uses TCP 5229 and TCP 5230. FCM/GCM does not publish specific IPs, so configure your firewall to accept outgoing connections to all IP addresses in the IP blocks listed under Google's ASN 15169. For older devices, consider opening HTTPS 443 as well.
For Android Enterprise: https://www.googleapis.com/androidenterprise https://accounts.google.com/o/oauth2/token
For Help@Work for Android: In general, TeamViewer will always work if Internet access is possible. As an alternative to HTTP 80, HTTPS 443 is also checked. It is also possible to open only TCP 5938 (required for mobile connections).
For the full list of ports, see the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.
When registering MTD for the first time, an Updating Configuration message displays, prompting the device user: "Do you agree to allow your company to collect the list of apps on this device to report to the Ivanti Mobile Threat Defense service in order to protect your company's data?" The device user must tap Agree. Otherwise, the Ivanti Mobile@Work registration will not complete, and the device user will need to re-register and agree.