Additional firewall rules

The following table outlines additional firewall rules from the internal corporate network to the Internet.

  • Organizations with local network-connected Wi-Fi must mirror the external firewall port configuration on their local DMZ firewall in order for Wi-Fi-connected devices to register and function day to day.

  • Ivanti Sentry does not support connection pooling via load balancer. Turn off your load balancer’s connection pooling before deploying.

 

Table 10.  Additional firewall rules

Columns: Requirement, Description, Port

Requirement: iOS Features
Description:
  For Apple Activation Lock support, open HTTPS 443 to https://deviceservices-external.apple.com.
  For Apple DEP support, open HTTPS 443 to https://mdmenrollment.apple.com.
  These ports are not required if you are not using iOS MDM.
Port: HTTPS 443

Requirement: iOS (Wi-Fi Only) Devices
Description:
  Open TCP 5223 to 17.0.0.0/8 to allow iOS devices using corporate Wi-Fi to reach the Apple APNS service. If you are not using iOS MDM, this port is not required.
  For devices on closed networks:
    • ax.init.itunes.apple.com: Current file-size limit for downloading apps over the cellular network.
    • ocsp.apple.com: Status of the distribution certificate used to sign the provisioning profile.
Port: TCP 5223

Requirement: Android devices
Description:
  To allow access to Google's FCM or GCM service, open TCP ports 5228, 5229, and 5230. GCM typically uses only TCP 5228, but it sometimes uses TCP 5229 and TCP 5230. GCM does not publish specific IPs, so allow your firewall to accept outgoing connections to all IP addresses in the IP blocks announced under Google's ASN 15169. For older devices, consider opening HTTPS 443 as well.
  For Android Enterprise:
    • https://www.googleapis.com/androidenterprise
    • https://accounts.google.com/o/oauth2/token
  For Help@Work for Android and iOS: in general, TeamViewer works whenever Internet access is possible. As an alternative to HTTP 80, HTTPS 443 is also checked. It is also possible to open only TCP 5938 (required for mobile connections).
Port: TCP 5228, TCP 5229, TCP 5230, HTTPS 443

Requirement: Ivanti Docs@Work License Server
Description:
  Open HTTPS 443 to the following URL to allow access to the Ivanti Docs@Work license server:
    • https://api.polariskit.com
  Note: This section applies only to corporate firewall rules. It does not apply to Ivanti EPMM connections.
Port: HTTPS 443

Requirement: AppConfig Community Repository
Description:
  Open port 443 (HTTPS) to the following URLs to allow access to the AppConfig Community Repository and the other services listed:
    • https://api.appthority.com/applications/bulk_query (Appthority)
    • https://api.mqcdn.com/sdk/mapquest-js/v1.0.0/mapquest.css (for the Find My Phone mapping and other options)
    • pki-ws.symauth.com (Symantec Managed PKI)
    • https://onestore.microsoft.com (Business Store Portal (BSP))
    • https://bspmts.mp.microsoft.com/V1 (Business Store Portal (BSP))
    • https://mobility.threatpulse.com:9443 (BlueCoat)
    • https://login.microsoftonline.com/{tenant_id}/oauth2/authorize (Microsoft Graph)
    • https://eu-api.samsungknox.com (Samsung E-FOTA)
    • https://has.spserv.microsoft.com/HealthAttestation/ValidateHealthCertificate/v1 (Windows device attestation)
    • https://webapi.teamviewer.com/api/v1/ (Android Help@Work)
    • https://system.globalsign.com/cr/ws/GasOrderService (GlobalSign)
    • https://appconfig.cdn.mobileiron.com (iOS Managed AppConfig community)
    • https://graph.windows.net/%s/devices/deviceId_%s?api-version=1.6 (Azure active directory)
Port: HTTPS 443

AppConfig Community Repository outbound firewall port setting

Ivanti EPMM requires outbound firewall access on TCP port 443 to https://appconfig.cdn.mobileiron.com/com.example.OneTouchConfiguration/current/appconfig.xml for the Managed App Configuration UI to render properly.

Table 11.  Additional outbound access links

Purpose                                           Host connection
Android Help@Work                                 https://webapi.teamviewer.com/api/v1/
Appthority                                        https://api.appthority.com/applications/bulk_query
Azure active directory                            https://graph.windows.net/%s/devices/deviceId_%s?api-version=1.6
BlueCoat                                          https://mobility.threatpulse.com:9443
Business Store Portal (BSP)                       https://onestore.microsoft.com
Business Store Portal (BSP)                       https://bspmts.mp.microsoft.com/V1
For the Find My Phone mapping and other options   https://api.mqcdn.com/sdk/mapquest-js/v1.0.0/mapquest.css
GlobalSign                                        https://system.globalsign.com/cr/ws/GasOrderService
iOS Managed AppConfig community                   https://appconfig.cdn.mobileiron.com
Microsoft Graph                                   https://login.microsoftonline.com/{tenant_id}/oauth2/authorize
Samsung E-FOTA                                    https://eu-api.samsungknox.com
Symantec Managed PKI                              pki-ws.symauth.com
Windows device attestation                        https://has.spserv.microsoft.com/HealthAttestation/ValidateHealthCertificate/v1
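A way to verify from inside the corporate network that the HTTPS egress rules in Tables 10 and 11 are actually in effect, as an added example (not Ivanti's code): the table entries mix full URLs, a URL with a non-default port, bare hostnames and path templates, so the script first reduces each entry to the (host, port) pair a firewall rule needs, then attempts a TCP connect to each distinct endpoint. EGRESS_LIST is a sample taken from the tables, not the complete set.

```python
"""Check the HTTPS egress rules in Tables 10 and 11 from inside the corporate network."""
import socket
from urllib.parse import urlsplit

# Sample of entries copied from the tables above (not the complete list).
EGRESS_LIST = [
    "https://deviceservices-external.apple.com",
    "https://mdmenrollment.apple.com",
    "https://api.polariskit.com",
    "https://mobility.threatpulse.com:9443",
    "https://login.microsoftonline.com/{tenant_id}/oauth2/authorize",
    "pki-ws.symauth.com",
    "https://appconfig.cdn.mobileiron.com",
]

def endpoint(entry, default_port=443):
    """Reduce one table entry to the (host, port) pair a firewall rule needs.

    Bare hostnames are taken as HTTPS on default_port, an explicit port in the
    URL wins, and path templates such as {tenant_id} or %s are ignored because
    a layer-4 rule never sees the path."""
    if "://" not in entry:
        entry = "https://" + entry
    parts = urlsplit(entry)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"unexpected entry: {entry!r}")
    return parts.hostname, parts.port or default_port

def tcp_connect(host, port, timeout=3.0):
    """Real probe: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_egress(entries, probe=tcp_connect):
    """Return {(host, port): reachable}; each distinct endpoint is probed once."""
    results = {}
    for entry in entries:
        hp = endpoint(entry)
        if hp not in results:
            results[hp] = probe(*hp)
    return results

if __name__ == "__main__":
    for (host, port), ok in sorted(check_egress(EGRESS_LIST).items()):
        print(f"{'open   ' if ok else 'BLOCKED'} {host}:{port}")
```

Run it from a host on the internal network segment the rules apply to; a BLOCKED line for an endpoint in the tables means the corresponding rule is missing or an upstream proxy is intercepting the connection.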