Preparing for Android Enterprise device support

This section describes the minimum network requirements for Android Enterprise devices. Android devices generally do not require you to open inbound ports on the firewall in order to function correctly. However, there are a number of outbound connections that administrators need to be aware of when setting up their network environments for Android Enterprise devices.

The list of network changes provided in the following table is not exhaustive and may change. It covers known endpoints for current and past versions of enterprise management APIs and GMS apps.

In addition to the ports listed in the following table, Android Enterprise devices require access to Ivanti EPMM.

The following table lists the requirements for Android Enterprise devices.

Table 12. Requirements for Android Enterprise devices

| Destination Host | Ports | Purpose |
| --- | --- | --- |
| play.google.com, android.com, google-analytics.com, googleusercontent.com, gstatic.com, *.gvt1.com, *ggpht.com, dl.google.com, android.clients.google.com | TCP/443; TCP, UDP/5228-5230 | Google Play and updates (APKs, app logos, etc.). gstatic.com, googleusercontent.com: contains User Generated Content (for example, app icons in the store). *.gvt1.com, *.ggpht, dl.google.com, android.clients.google.com: Download apps and updates, PlayStore APIs |
| *googleapis.com | TCP/443 | Ivanti EPMM Unified Endpoint Management (UEM)/Google APIs/PlayStore APIs |
| accounts.google.com | TCP/443 | Authentication |
| gcm-http.googleapis.com, gcm-xmpp.googleapis.com, android.googleapis.com | TCP/443, 5228-5230, 5235, 5236 | Google Cloud Messaging (for example, UEM Console <-> DPC communication, like pushing configs) |
| fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP/443, 5228-5230 | Firebase Cloud Messaging (for example, Find My Device, UEM Console <-> DPC communication, like pushing configs) |
| pki.google.com, clients1.google.com | TCP/443 | Certificate Revocation |
| clients[2...6].google.com | TCP/443 | Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others |
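The following Python example is an addition to this page, not Ivanti or Google code. It encodes Table 12 as rules and scans firewall or proxy deny-log lines for blocked destinations that the table says Android Enterprise devices need. Assumptions: the `DENY proto host:port` log format and all function names are hypothetical, bare host entries are matched exactly, and wildcard entries are matched on a label boundary so that look-alike domains are not treated as allowed.

```python
import re

PLAY = range(5228, 5231)  # ports 5228-5230
# (host entries, TCP ports, UDP ports) transcribed from Table 12. Assumption:
# row 1 means TCP 443 plus TCP and UDP 5228-5230; other rows are TCP only.
RULES = [
    (["play.google.com", "android.com", "google-analytics.com",
      "googleusercontent.com", "gstatic.com", "*.gvt1.com", "*ggpht.com",
      "dl.google.com", "android.clients.google.com"], {443, *PLAY}, set(PLAY)),
    (["*googleapis.com"], {443}, set()),
    (["accounts.google.com"], {443}, set()),
    (["gcm-http.googleapis.com", "gcm-xmpp.googleapis.com",
      "android.googleapis.com"], {443, *PLAY, 5235, 5236}, set()),
    (["fcm.googleapis.com", "fcm-xmpp.googleapis.com"], {443, *PLAY}, set()),
    (["pki.google.com", "clients1.google.com"], {443}, set()),
    (["clients%d.google.com" % n for n in range(2, 7)], {443}, set()),  # clients[2...6]
]

def host_matches(entry, host):
    host = host.lower().rstrip(".")
    if not entry.startswith("*"):
        return host == entry  # bare entry: exact match only (assumption)
    base = entry.lstrip("*.")
    # Label-boundary match, so a look-alike such as notgoogleapis.com fails.
    return host == base or host.endswith("." + base)

def is_required(host, port, proto="tcp"):
    for entries, tcp_ports, udp_ports in RULES:
        ports = tcp_ports if proto.lower() == "tcp" else udp_ports
        if port in ports and any(host_matches(e, host) for e in entries):
            return True
    return False

LOG_RE = re.compile(r"^DENY (tcp|udp) ([\w.-]+):(\d+)$")  # hypothetical log format

def blocked_required(lines):
    found = (LOG_RE.match(line.strip()) for line in lines)
    return [m.group(0) for m in found
            if m and is_required(m.group(2), int(m.group(3)), m.group(1))]

SAMPLE_LOG = [  # constructed deny-log lines, not from a real firewall
    "DENY tcp fcm.googleapis.com:5229", "DENY udp play.google.com:5228",
    "DENY tcp r3.gvt1.com:443", "DENY tcp clients4.google.com:443",
    "DENY tcp notgoogleapis.com:443", "DENY udp accounts.google.com:443",
]

if __name__ == "__main__":
    print("\n".join(blocked_required(SAMPLE_LOG)))
```

Every line the example prints is a blocked connection that Table 12 lists as required, so the corresponding outbound rule is missing or too narrow.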

Google does not provide specific IP addresses, so configure your firewall to allow outgoing connections to all IP addresses in the IP blocks listed for Google's ASN 15169 at https://bgp.he.net/AS15169#_prefixes.

Note that IPs of Google peers and edge nodes are not listed in the AS15169 blocks. See peering.google.com for more information about Google’s Edge Network.

See External and Internet rules for firewall rules required for external and internet access for Ivanti EPMM appliances and Ivanti Sentry appliances.