Firebase Cloud Messaging

As an alternative to the Active poll period policy, you can use Firebase Cloud Messaging (FCM) to control how and when Android devices connect to Endpoint Management. With the following configuration, any security action or deploy command triggers a push notification to prompt the user to reconnect to the Endpoint Management server.

Firebase Cloud Messaging (FCM) was previously known as Google Cloud Messaging (GCM). Some Endpoint Management console labels and messages refer to GCM.

Prerequisites

  • Latest Secure Hub client
  • Google developer account credentials

Firewall ports

  • Open port 443 on Endpoint Management to android.apis.google.com and google.com.
  • Open ports 5228, 5229, and 5230 for incoming messages.
  • To allow outgoing connections, FCM recommends whitelisting ports 5228 through 5230 with no IP restrictions. However, if you require IP restrictions, FCM recommends whitelisting all the IP addresses in the IPv4 and IPv6 blocks listed in Google’s ASN of 15169 and updating this list monthly.
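
For the IP-restricted case above, the monthly refresh comes down to comparing the firewall allowlist with the current prefix list for AS15169. The following Python sketch is an added example, not part of the product documentation; the function names are hypothetical and the prefixes are constructed documentation ranges (RFC 5737 and RFC 3849), not Google's real blocks.

```python
import ipaddress

def parse(prefixes):
    """Parse CIDR strings into network objects, grouped by IP version.
    strict=True rejects entries with host bits set (a common typo)."""
    nets = {4: [], 6: []}
    for p in prefixes:
        n = ipaddress.ip_network(p.strip(), strict=True)
        nets[n.version].append(n)
    return nets

def monthly_diff(firewall_allowlist, announced_prefixes):
    """Return announced prefixes the firewall does not fully cover
    ("missing") and firewall entries that no longer overlap any
    announced prefix ("stale", candidates for removal)."""
    fw, ann = parse(firewall_allowlist), parse(announced_prefixes)
    missing, stale = [], []
    for v in (4, 6):
        # Merge adjacent/overlapping firewall entries so that two /25s
        # are recognised as covering one announced /24.
        allow = list(ipaddress.collapse_addresses(fw[v]))
        # A prefix that is only partly covered is reported as missing.
        missing += [str(n) for n in ann[v]
                    if not any(n.subnet_of(a) for a in allow)]
        stale += [str(a) for a in allow
                  if not any(a.overlaps(n) for n in ann[v])]
    return {"missing": missing, "stale": stale}

# Constructed sample data (documentation ranges, not real Google blocks).
FIREWALL = ["192.0.2.0/25", "192.0.2.128/25",
            "203.0.113.0/24", "2001:db8::/48"]
ANNOUNCED = ["192.0.2.0/24", "198.51.100.0/24",
             "2001:db8::/48", "2001:db8:1::/48"]

if __name__ == "__main__":
    result = monthly_diff(FIREWALL, ANNOUNCED)
    print("add to allowlist:", result["missing"])
    print("review for removal:", result["stale"])
```

Entries reported as stale widen the allowlist beyond what FCM needs, so review them for removal at each monthly update.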

Architecture

This diagram shows the communication flow for FCM in the external and internal network.

Image of the FCM architecture

To configure your Google account for FCM

  1. Sign in to the following URL using your Google developer account credentials:

    https://console.firebase.google.com/?pli=1

  2. Click Create a project.

    Image of the Create a project option

  3. Type a Project name and then click Create Project.

    Image of the Create Project option

  4. Click the gear icon next to your project name in the top left and then click Project Settings.

    Image of the Project Settings option

  5. Select the Cloud Messaging tab. This page shows your Sender ID and Server Key. Copy both values because you must provide them in the Endpoint Management console. Any Server Keys created after September 2016 must be created in the Firebase console.

    Image of the Cloud Messaging tab

To configure Endpoint Management for FCM

In the Endpoint Management console, go to Settings > Google Cloud Messaging.

  • Edit GCM API key, and type the Firebase Cloud Messaging API key that you copied in the last step of Firebase Cloud Messaging configuration.

  • Edit GCM Sender ID, and type the Sender ID value you noted in the previous procedure.

Image of the Sender ID value entry

To test your configuration

Before you test your FCM configuration, make sure that no Scheduling policy is configured. Alternatively, make sure that the policy is not set to Always Connect. For more information about configuring the Scheduling policy, see Scheduling device policy.

  1. Enroll an Android device.

  2. Leave the device idle for some time, so that it disconnects from Endpoint Management.

  3. Sign in to the Endpoint Management console, click Manage, select the Android device and then click Secure.

    Image of the Secure Android device option

  4. Under Device Actions, click Selective Wipe.

    Image of the Selective Wipe option

In a successful configuration, selective wipe occurs on the device.