Additional firewall rules
The following table outlines additional firewall rules from the internal corporate network to the Internet.
- Organizations with local network-connected Wi-Fi must mirror the external firewall port configuration on their local DMZ firewall in order for Wi-Fi-connected devices to register and function day to day.
- Ivanti Sentry does not support connection pooling via load balancer. Turn off your load balancer's connection pooling before deploying.
Requirement | Description | Port |
---|---|---|
iOS Features | For Apple Activation Lock support, open HTTPS 443 to: https://deviceservices-external.apple.com. For Apple DEP support, open HTTPS 443 to: These ports are not required if you are not using iOS MDM. | HTTPS 443 |
iOS (Wi‑Fi Only) Devices | Open TCP 5223 to 17.0.0.0/8 to allow iOS devices using corporate Wi-Fi to access the Apple APNS service. If you are not using iOS MDM, then this port is not required. For devices on closed networks: | TCP 5223 |
Android devices | To allow access to Google's FCM or GCM service: open TCP ports 5228, 5229, and 5230. GCM typically only uses TCP 5228, but it sometimes uses TCP 5229 and TCP 5230. GCM does not provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169. For older devices, consider opening HTTPS 443 as well. For Android Enterprise: For Help@Work for Android and iOS: In general, TeamViewer will always work if Internet access is possible. As an alternative to HTTP 80, HTTPS 443 is also checked. It is also possible to open only TCP 5938 (required for mobile connections). | TCP 5228 |
Ivanti Docs@Work License Server | Open HTTPS 443 to the following URLs to allow access to the Ivanti Docs@Work license server: Note: This section only applies to corporate firewall rules. It does apply to Ivanti EPMM connections. | HTTPS 443 |
AppConfig Community Repository | Open port 443 (HTTPS) to the following URLs to allow access to the Ivanti Docs@Work license server: | HTTPS 443 |
AppConfig Community Repository outbound firewall port setting
Ivanti EPMM requires outbound firewall access on TCP port 443 to https://appconfig.cdn.mobileiron.com/com.example.OneTouchConfiguration/current/appconfig.xml for the Managed App Configuration UI to render properly.
Purpose | Host connection |
---|---|
Android Help@Work | |
Appthority | https://api.appthority.com/applications/bulk_query |
Azure Active Directory | https://graph.windows.net/%s/devices/deviceId_%s?api-version=1.6 |
BlueCoat | |
Business Store Portal (BSP) | https://onestore.microsoft.com |
Business Store Portal (BSP) | |
For the Find My Phone mapping and other options | https://api.mqcdn.com/sdk/mapquest-js/v1.0.0/mapquest.css |
GlobalSign | |
iOS Managed AppConfig community | |
Microsoft Graph | https://login.microsoftonline.com/{tenant_id}/oauth2/authorize |
Samsung E-FOTA | |
SymantecManagedPKI | pki-ws.symauth.com |
Windows device attestation | https://has.spserv.microsoft.com/HealthAttestation/ValidateHealthCertificate/v1 |
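
Once the rules are in place, outbound reachability can be confirmed from a host on the internal corporate network. The Python script below is an added example, not Ivanti code: the function names are hypothetical, the endpoint list is copied from the tables on this page, and rows whose host is not shown here are left out.

```python
import socket
from urllib.parse import urlsplit

# Endpoints copied from the tables on this page; add your own tenant's hosts.
PAGE_ENDPOINTS = [
    "https://deviceservices-external.apple.com",
    "https://appconfig.cdn.mobileiron.com/com.example.OneTouchConfiguration/current/appconfig.xml",
    "https://api.appthority.com/applications/bulk_query",
    "https://onestore.microsoft.com",
    "https://has.spserv.microsoft.com/HealthAttestation/ValidateHealthCertificate/v1",
    "pki-ws.symauth.com",
]

def to_target(entry, default_port=443):
    """Turn a URL, host:port pair or bare hostname into (host, port)."""
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme, default_port)
    return parts.hostname, port

def tcp_connect(host, port, timeout=5.0):
    """Default probe: complete a TCP handshake and close; no payload is sent."""
    with socket.create_connection((host, port), timeout=timeout):
        return None

def check_egress(entries, connect=tcp_connect):
    """Return {(host, port): "open" or "blocked: <reason>"} for every entry."""
    results = {}
    for entry in entries:
        target = to_target(entry)
        try:
            connect(*target)
            results[target] = "open"
        except socket.gaierror as exc:
            # Name resolution failed: check DNS egress before blaming the port rule.
            results[target] = f"blocked: DNS failure ({exc})"
        except OSError as exc:
            # A timeout usually means a silent drop; a refusal means an active reject.
            results[target] = f"blocked: {type(exc).__name__}"
    return results

if __name__ == "__main__":
    for (host, port), status in check_egress(PAGE_ENDPOINTS).items():
        print(f"{host}:{port:<5} {status}")
```

A timeout against one of these hosts points at a missing or mis-scoped outbound rule, while a DNS failure means the name could not be resolved from that network segment.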
- For firewall rules required for the internal corporate network, see Internal corporate network rules.
- For firewall rules required for Internal rules/outside rules, see External and Internet rules.