Additional firewall rules

The following table outlines additional firewall rules from the internal corporate network to the Internet.

  • Organizations with local network-connected Wi-Fi must mirror the external firewall port configuration on their local DMZ firewall in order for Wi-Fi-connected devices to register and function day to day.

  • Ivanti Sentry does not support connection pooling via load balancer. Turn off your load balancer’s connection pooling before deploying.


Table 10.  Additional firewall rules




iOS Features

For Apple Activation Lock support, open HTTPS 443 to:

For Apple DEP support, open HTTPS 443 to:

These ports are not required if you are not using iOS MDM.


iOS (Wi‑Fi Only) Devices

Open TCP 5223 to allow iOS devices using corporate Wi-Fi to access the Apple APNS service. If you are not using iOS MDM, then this port is not required.

For devices on closed networks:

  • Current file-size limit for downloading apps over the cellular network.
  • Status of the distribution certificate used to sign the provisioning profile.

TCP 5223

Android devices

To allow access to Google's FCM or GCM service: open TCP ports 5228, 5229, and 5230. GCM typically only uses TCP 5228, but it sometimes uses TCP 5229 and TCP 5230. GCM does not provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169. For older devices, consider opening HTTPS 443 as well.

For Android Enterprise:


For Help@Work for Android and iOS: In general, TeamViewer will always work if Internet access is possible. As an alternative to HTTP 80, HTTPS 443 is also checked. It is also possible to open only TCP 5938 (required for mobile connections).

TCP 5228
TCP 5229
TCP 5230

Ivanti Docs@Work License Server

Open HTTPS 443 to the following URLs to allow access to the Ivanti Docs@Work license server:


Note: This section only applies to corporate firewall rules. It does apply to Ivanti EPMM connections.


AppConfig Community Repository

Open port 443 (HTTPS) to the following URLs to allow access to the Ivanti Docs@Work license server:

  • (Appthority)
    (for the find my phone mapping and other options)
  • (SymantecManagedPKI)
  • (BusinessStorePortal(BSP))
  • (BusinessStorePortal(BSP))
  • (BlueCoat)
  • (Samsung E-FOTA)
    ValidateHealthCertificate/v1 (Windows device attestation)
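
The following is an added example, not part of the Ivanti documentation: a small audit that checks an outbound policy against the TCP ports listed in Table 10 and flags both missing and unneeded allows. The rule format, first-match evaluation, feature names and sample policy are assumptions constructed for illustration; destination restrictions (such as Google's ASN 15169) are not modeled.

```python
# Added example: audit an egress policy against the TCP ports this page lists.
# Assumptions: first-match rule evaluation with default deny; hypothetical
# feature keys; SAMPLE_POLICY is constructed, not taken from a real firewall.

REQUIRED = {
    "ios_mdm_wifi_apns": [5223],            # iOS devices on corporate Wi-Fi to APNS
    "android_fcm_gcm": [5228, 5229, 5230],  # Google FCM/GCM
    "help_at_work": [5938],                 # TeamViewer mobile connections
    "https": [443],                         # Activation Lock, DEP, Docs@Work license server
}

SAMPLE_POLICY = [
    {"proto": "tcp", "ports": (443, 443), "action": "allow"},
    {"proto": "tcp", "ports": (5229, 5229), "action": "deny"},   # shadows the range below
    {"proto": "tcp", "ports": (5228, 5230), "action": "allow"},
    {"proto": "tcp", "ports": (5938, 5938), "action": "allow"},
]

def verdict(rules, port, proto="tcp"):
    """Return the action of the first rule matching proto/port; default deny."""
    for rule in rules:
        low, high = rule["ports"]
        if rule["proto"] == proto and low <= port <= high:
            return rule["action"]
    return "deny"

def audit(rules, features):
    """Map each enabled feature to the required ports the policy does not allow."""
    gaps = {}
    for name in features:
        blocked = [p for p in REQUIRED[name] if verdict(rules, p) != "allow"]
        if blocked:
            gaps[name] = blocked
    return gaps

def unneeded_allows(rules, features):
    """Ports from the page's list that are allowed although no enabled feature needs them."""
    needed = {p for name in features for p in REQUIRED[name]}
    listed = {p for ports in REQUIRED.values() for p in ports}
    return sorted(p for p in listed - needed if verdict(rules, p) == "allow")

if __name__ == "__main__":
    enabled = ["ios_mdm_wifi_apns", "android_fcm_gcm", "https"]
    print("blocked but required:", audit(SAMPLE_POLICY, enabled))
    print("allowed but unneeded:", unneeded_allows(SAMPLE_POLICY, enabled))
```

The blocked TCP 5229 in the sample is the kind of gap that only shows up intermittently, since GCM typically uses TCP 5228 and falls back to 5229 and 5230 only sometimes.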


AppConfig Community Repository outbound firewall port setting

Ivanti EPMM requires outbound firewall access on TCP port 443 to for the Managed App Configuration UI to render properly.

Table 11.  Additional outbound access links


Host connection

Android Help@Work


Azure Active Directory


Business Store Portal (BSP)

Business Store Portal (BSP)

For the Find My Phone mapping and other options


iOS Managed AppConfig community

Microsoft Graph{tenant_id}/oauth2/authorize

Samsung E-FOTA


Windows device attestation