Firewall ports needed for Apple devices, including APN


For Apple devices to work properly with Securly MDM, they need to be able to communicate with the Securly Device Console and to receive Apple Push Notifications (APN).


Securly MDM Communication

To allow communication with Securly MDM, allow traffic to and from the following IP addresses on ports 80 and 443:

54.164.36.33 

52.73.26.101 

54.165.240.169 (needed for device enrollment)

18.205.10.56 (needed for device enrollment)

Apple Push Notifications

If Apple devices don't seem to be communicating with MDM when you issue MDM commands, it could be because your firewall is preventing them from receiving Apple Push Notifications. You may need to unblock certain ports for APN to work. You can find details in this Apple KB article: https://support.apple.com/en-us/HT210060

Apple DEP Enrollment

DEP enrollment needs DNS resolution for mdmenrollment.apple.com. To make sure there are no connectivity issues to mdmenrollment.apple.com, verify connectivity to the IP ranges below in addition to your current ACLs:

17.248.128.0/17

17.248.192.0/19

2620:149:a40::/46

2a01:b740:a41::/48

2403:300:a41::/48

2403:300:a50::/48
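The checks in the two sections above, as an added example that is not part of this article or of Securly's own tooling: it assumes Python 3.9+, copies the addresses, ports and ranges from the text into constants, and reports whether each Securly address accepts TCP connections on 80 and 443 and whether mdmenrollment.apple.com resolves into the listed blocks.

```python
import ipaddress
import socket

# Addresses, ports and ranges copied from the article above.
SECURLY_MDM_IPS = ["54.164.36.33", "52.73.26.101", "54.165.240.169", "18.205.10.56"]
SECURLY_PORTS = (80, 443)
DEP_HOST = "mdmenrollment.apple.com"
DEP_RANGES = [ipaddress.ip_network(n) for n in (
    "17.248.128.0/17", "17.248.192.0/19", "2620:149:a40::/46",
    "2a01:b740:a41::/48", "2403:300:a41::/48", "2403:300:a50::/48",
)]


def address_in_ranges(addr, ranges=DEP_RANGES):
    """True if addr (an IPv4 or IPv6 string) falls inside any listed CIDR block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect; a failed handshake means the path is blocked or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve(host):
    """Every A/AAAA answer the local resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def run_checks():
    """Pass/fail per check. Needs network access, so only called when run directly."""
    results = {}
    for ip in SECURLY_MDM_IPS:
        for port in SECURLY_PORTS:
            results[f"{ip}:{port}"] = tcp_reachable(ip, port)
    for addr in resolve(DEP_HOST):
        # A DEP answer outside the ranges listed in the article points to DNS
        # interception or a filtering proxy rather than a routing problem.
        results[f"{DEP_HOST} -> {addr} in listed ranges"] = address_in_ranges(addr)
        results[f"{addr}:443"] = tcp_reachable(addr, 443)
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it once from inside the school network and once from a hotspot; any line that fails only on the school network is a firewall or filtering rule to look at.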

Intruder Detection:  Some firewalls provide an intrusion detection system, or IDS.  It looks for patterns of traffic that might indicate an attack and can temporarily shut down communication with the suspected offending IP address for a given number of minutes before clearing the alert.  This can explain situations where things seem to be working fine, then devices suddenly stop communicating with or receiving commands from MDM for some length of time, such as an hour, before working again.  Your system may treat a burst of push notifications to your devices as a threat and trigger on it as a false positive, thinking it is an attempted attack.  You may want to temporarily disable intruder detection when troubleshooting these types of issues.

Troubleshooting Tip #1 - Try another network: If devices are not communicating properly, one of the best first steps in troubleshooting is to determine if it's related to your network by taking a couple of devices OUTSIDE of your network and putting them on a mobile hotspot, phone tether, or home network.  If the devices work properly in that environment, then you know you need to work on your network's firewall or filtering.  This is one of the first things a Securly support technician will ask you to verify when troubleshooting issues that might be related to connectivity.

Troubleshooting Tip #2 - Feature disable: Temporarily disable the different types of filtering offered by your firewall until you find which one is detecting something it doesn't like.  For example, your firewall might have intruder detection of various types or different types of filtering and blocking.  Turn off just one at a time.  Once you find the one that's the problem, you may be able to configure it to skip checking only our URLs or IP addresses so that you don't have to leave the feature off completely.

Other:

Barracuda Firewalls: Try using "IP Bypass" for the sites and ports above

Sonicwall Firewalls:  Look for "CFS exclusion" under Security Services
