On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector 11.4.0.0 - 11.12.0.0

Preparing for Android Enterprise device support

This section describes the minimum network requirements for Android Enterprise devices. Android devices generally do not require you to open inbound ports on the firewall in order to function correctly. However, there are a number of outbound connections that administrators need to be aware of when setting up their network environments for Android Enterprise devices.

The list of network changes provided in the following table is not exhaustive and may change. It covers known endpoints for current and past versions of enterprise management APIs and GMS apps.

In addition to the ports listed in the following table, Android Enterprise devices require access to Ivanti EPMM.

The following table lists the requirements for Android Enterprise devices.

**Table 12.** Requirements for Android Enterprise devices
Destination Host	Ports	Purpose
play.google.com android.com google-analytics.com googleusercontent.com gstatic.com .gvt1.com ggpht.com dl.google.com android.clients.google.com	TCP/443 TCP, UDP/5228-5230	Google Play and updates (APKs, app logos, etc.) gstatic.com, googleusercontent.com -- contains User Generated Content (for example, app icons in the store) .gvt1.com, .ggpht, dl.google.com,android.clients.google.com --Download apps and updates, PlayStore APIs
*googleapis.com	TCP/443	Ivanti EPMM Unified Endpoint Management (UEM)/Google APIs/PlayStore APIs
accounts.google.com	TCP/443	Authentication
gcm-http.googleapis.com gcm-xmpp.googleapis.com android.googleapis.com	TCP/443, 5228-5230, 5235, 5236	Google Cloud Messaging (for example, UEM Console <-> DPC communication, like pushing configs)
fcm.googleapis.com fcm-xmpp.googleapis.com	TCP/443, 5228-5230	Firebase Cloud Messaging (for example, Find My Device, UEM Console <-> DPC communication, like pushing configs)
pki.google.com clients1.google.com	TCP/443	Certificate Revocation
clients[2...6].google.com	TCP/443	Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others

Google does not provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169 listed here https://bgp.he.net/AS15169#_prefixes.

Note that IPs of Google peers and edge nodes are not listed in the AS15169 blocks. See peering.google.com for more information about Google’s Edge Network.

See External and Internet rules for firewall rules required for external and internet access for Ivanti EPMM appliances and Ivanti Sentry appliances.