- Preparing for Device Manager Installation
- Device Manager Remote Support Requirements
There are four prerequisite requirements that must be prepared prior to installation of the Device Manager server. Each prerequisite has a subset of requirements that belong to the providing service and to the infrastructure groups responsible for implementation and change control. A successful installation requires that all prerequisites be met.
Managing Apple iOS devices by using the native MDM capabilities of the mobile device hardware and operating system requires an APNS certificate to communicate via Apple Push Network Services. To obtain a certificate from Apple, follow the steps outlined in the APNS Certificate Request Guide.
The Device Manager server is designed to be an edge gateway server that resides in the network DMZ. Device Manager requires a static IP address that can be reached from the Internet, as well as a registered and published DNS host name, so that devices can reach the server during enrollment and communicate with it regularly. It is strongly recommended to use a separate A record or CNAME record for any host living in a DMZ so that the true server host name is not exposed.
There are many inbound and outbound ports that must be configured on the network between the Internet and the DMZ, and from the DMZ to your secure network.
The following table provides a guide to the TCP/IP port requirements for the Device Manager server and mobile device agent connections.
| Port | Description | Source | Destination |
|---|---|---|---|
| 25 | By default, the Device Manager SMTP configuration of the Notification Service uses port 25. However, if your SMTP server uses a different port, make sure that your firewall does not block that port. | Device Manager Server | SMTP Server |
| 443 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile) | Internet | Device Manager Server |
| 443 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile), Device Manager management console, Device Manager Remote Support Client | Secure network and WiFi | Device Manager Server |
| 443 | Device Manager server enterprise connection to Apple iTunes App Store (ax.itunes.apple.com). Used for publishing recommended iTunes App Store apps from the available iOS applications within the Device Manager management console and the iOS Agent. | Device Manager Server | Apple network |
| 443 | Device Manager Nexmo SMS Notification Relay outbound connection. | Device Manager Server | Nexmo SMS Relay server |
| 389 or 636 | LDAP/LDAPS connection from Device Manager server to Directory Service Host (Active Directory Global Catalog server or equivalent LDAP directory service host) | Device Manager Server | LDAP or Active Directory Services |
| 443 | SSL OTA Enrollment or Agent Setup (Android and Windows Mobile), all device-related traffic and data connections (iOS, Android, and Windows Mobile). | Internet | Device Manager Server |
| 443 | SSL OTA Enrollment or Agent Setup (Android and Windows Mobile), all device-related traffic and data connections (iOS, Android, and Windows Mobile), Device Manager management console. | Secure network and WiFi | Device Manager Server |
| 443 | Device WiFi to 'discovery.mdm.zenprise.com' on port 443 for autodiscovery enrollment. | Autodiscovery | 'discovery.mdm.zenprise.com' |
| 1433 | Remote database server connection to separate SQL Server (optional). | Device Manager Server | SQL Server |
| 2195 | Apple APNS (Push Notification Service) outbound connection to gateway.push.apple.com, used for iOS device notifications and device policy push. | Device Manager Server | Internet (Apple APNS Service Hosts on public IP network 220.127.116.11/8) |
| 2196 | Apple APNS (Push Notification Service) outbound connection to feedback.push.apple.com, used for iOS device notifications and device policy push. | Device Manager Server | Internet (Apple APNS Service Hosts on public IP network 220.127.116.11/8) |
| 5223 | Apple APNS (Push Notification Service) outbound connection from iOS devices connected via Wi-Fi network to *.push.apple.com | iOS device on WiFi network service | Internet (*.push.apple.com) |
| 8443 | Over-the-Air (OTA) Enrollment for iOS devices only | Internet, secure network, or WiFi | Device Manager Server |
| App Tunnel Ports | Mobile App Tunnel Ports (Android and Windows Mobile) to the destination internal Application Server through Device Manager. All ports are individually defined for each mobile app tunnel used by a device through a Device Manager Device Configuration Policy. | Internet | Application Server through Device Manager Server |
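A pre-installation connectivity check for the outbound flows the table lists, as an added example that is not part of the product documentation. The Apple hostnames and ports come from the table; the SMTP, LDAPS and SQL hostnames are assumed placeholders for your own servers, and the `connect` callable is injectable so the reporting logic can be exercised without network access.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str
    port: int
    purpose: str
    optional: bool = False


# Outbound TCP connections the Device Manager server must be able to make, from the port table.
# The Apple hosts are those named in the table; the SMTP, LDAPS and SQL hosts are placeholders
# (assumed) that must be replaced with your own infrastructure hosts.
REQUIRED_OUTBOUND = (
    Flow("gateway.push.apple.com", 2195, "APNS notifications and policy push"),
    Flow("feedback.push.apple.com", 2196, "APNS feedback service"),
    Flow("ax.itunes.apple.com", 443, "iTunes App Store app publishing"),
    Flow("smtp.example.invalid", 25, "Notification Service SMTP"),          # placeholder host
    Flow("gc.example.invalid", 636, "LDAPS to directory service host"),     # placeholder host
    Flow("sql.example.invalid", 1433, "Remote SQL Server", optional=True),  # placeholder host
)


def tcp_connect(host, port, timeout=5.0):
    """Attempt a plain TCP handshake; True if the remote port accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows=REQUIRED_OUTBOUND, connect=tcp_connect):
    """Probe each flow and map it to a pass/fail result; 'connect' is injectable for offline use."""
    return {flow: connect(flow.host, flow.port) for flow in flows}


def blocked_required(results):
    """Flows that failed and are not optional: these block a successful installation."""
    return [flow for flow, ok in results.items() if not ok and not flow.optional]


def blocked_optional(results):
    """Flows that failed but are optional: report them, do not block on them."""
    return [flow for flow, ok in results.items() if not ok and flow.optional]


if __name__ == "__main__":
    res = check_flows()
    for flow, ok in res.items():
        print(f"{'OK  ' if ok else 'FAIL'} {flow.host}:{flow.port}  {flow.purpose}")
    if blocked_required(res):
        raise SystemExit("required outbound flows are blocked; fix firewall rules before installing")
```

Run it from the DMZ host before installation so that any flow the firewall drops shows up as FAIL with the purpose it serves.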
When using Remote Support or the Mobile App tunnel (Android and Windows Mobile), the following traffic needs to be open at the firewall:
| Port | Description | Source | Destination |
|---|---|---|---|
| 8081 | Remote Support Console default server inbound connection (depending on the Remote Support Tunnel definition) | Remote Support Console | Device Manager Server |
| 80 or 443 | Remote Support Console access to Device Manager to retrieve the device list (port 443 recommended). | Remote Support Console | Device Manager Server |
| Tunnel port | Mobile Application Tunnel access to Application Server (port configured in the tunnel definition) | Device Manager Server | Internal Application Server |