Product Documentation

Preparing for Device Manager Installation

Dec 21, 2015

There are four prerequisite requirements that must be prepared prior to installation of the Device Manager server. Each prerequisite has a subset of requirements that belong to the providing service and to the infrastructure groups responsible for implementation and change control. A successful installation requires that all prerequisites are met.

Obtaining an APNS certificate from Apple for iOS Devices

Management of Apple iOS devices by using the native MDM capabilities of the mobile device hardware and operating system requires an APNS certificate to communicate via Apple Push Network Services. In order to obtain a certificate from Apple, follow the steps outlined in the APNS Certificate Request Guide.

Designating a DMZ IP Address and DNS Host Name

The Device Manager server is designed to be an edge gateway server that resides in the network DMZ. Device Manager requires a static IP address that can be reached from the Internet, as well as a registered and published DNS host name, so that devices can reach the server during enrollment and communicate with it regularly. It is strongly recommended to use a separate A-record or CNAME record for any host living in a DMZ, so that the true server host name is not disclosed.

Opening Ports in the Firewall

There are many inbound and outbound ports that must be configured on the network between the Internet and the DMZ, and from the DMZ to your secure network.

The following table is designed to provide a guide to the TCP/IP port requirements for the Device Manager server and mobile device agent connections.

Port | Description | Source | Destination
25 | By default, the Device Manager SMTP configuration of the Notification Service uses port 25. However, if your SMTP server uses a different port, make sure that your firewall does not block that port. | Device Manager Server | SMTP Server
443 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile) | Internet | Device Manager Server
443 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile), Device Manager management console, Device Manager Remote Support Client | Secure network and WiFi | Device Manager Server
443 | Device Manager server enterprise connection to Apple iTunes App Store (ax.itunes.apple.com). Used for publishing recommended iTunes App Store apps from the available iOS applications within the Device Manager management console and the iOS Agent. | Device Manager Server | Apple network
443 | Device Manager Nexmo SMS Notification Relay outbound connection. | Device Manager Server | Nexmo SMS Relay server
389 or 636 | LDAP/LDAPS connection from Device Manager server to Directory Service Host (Active Directory Global Catalog server or equivalent LDAP directory service host) | Device Manager Server | LDAP or Active Directory Services
443 | SSL OTA Enrollment or Agent Setup (Android and Windows Mobile); all device-related traffic and data connections (iOS, Android, and Windows Mobile). | Internet | Device Manager Server
443 | SSL OTA Enrollment or Agent Setup (Android and Windows Mobile); all device-related traffic and data connections (iOS, Android, and Windows Mobile); Device Manager management console. | Secure network and WiFi | Device Manager Server
443 | Device WiFi to 'discovery.mdm.zenprise.com' on port 443 for autodiscovery enrollment. | Device on WiFi | Autodiscovery 'discovery.mdm.zenprise.com'
1433 | Remote database server connection to separate SQL Server (optional). | Device Manager Server | SQL Server
2195 | Apple APNS (Push Notification Service) outbound connection to gateway.push.apple.com, used for iOS device notifications and device policy push. | Device Manager Server | Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8)
2196 | Apple APNS (Push Notification Service) outbound connection to feedback.push.apple.com, used for iOS device notifications and device policy push. | Device Manager Server | Internet (feedback.push.apple.com)
5223 | Apple APNS (Push Notification Service) outbound connection from iOS devices connected via Wi-Fi network to *.push.apple.com | iOS device on WiFi network | Apple APNS service (*.push.apple.com)
8443 | Over-the-Air (OTA) Enrollment for iOS Devices only | Internet, secure network, or WiFi | Device Manager Server
App Tunnel Ports | Mobile App Tunnel Ports (Android and Windows Mobile) to the destination internal Application Server through Device Manager. All ports are individually defined for each mobile app tunnel used by a device through a Device Manager Device Configuration Policy. | Internet | Application Server through Device Manager Server

When using Remote Support or the Mobile App tunnel (Android and Windows Mobile), the following traffic needs to be open at the firewall:

Port | Description | Source | Destination
8081 | Remote Support Console default server inbound connection (depending on the Remote Support Tunnel definition) | Remote Support Console | Device Manager Server
80 or 443 | Remote Support Console access to Device Manager to retrieve device list (port 443 recommended). | Remote Support Console | Device Manager Server
Tunnel port | Mobile Application Tunnel access to Application Server (port configured in the tunnel definition) | Device Manager Server | Internal Application Server
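Before change control opens the firewall, it helps to compare the candidate rule set against the main port table above and flag both gaps and Internet-facing rules the table does not call for. The following is an added example for this page, not the product's own tooling; the zone names and the (port, source, destination) rule format are constructed assumptions, and the Remote Support rows are left out for brevity.

```python
"""Offline check of a candidate firewall rule set against the port table above.
Added example for this page, not the product's own tooling; the zone names and
the (port, source, destination) rule format are constructed assumptions."""
from collections import namedtuple

Flow = namedtuple("Flow", "port source destination")
DM = "Device Manager Server"

# Required flows transcribed from the table above (constructed zone names).
REQUIRED = [
    Flow(25, DM, "SMTP Server"),
    Flow(443, "Internet", DM),
    Flow(443, "Secure network", DM),
    Flow(443, DM, "Apple network"),
    Flow(443, DM, "Nexmo SMS Relay"),
    Flow(636, DM, "LDAP"),          # the table also allows 389 (plain LDAP)
    Flow(1433, DM, "SQL Server"),
    Flow(2195, DM, "Apple APNS"),
    Flow(2196, DM, "Apple APNS"),
    Flow(8443, "Internet", DM),
]
INTERNET_INBOUND_OK = {443, 8443}   # the only Internet-facing ports in the table

def rule_matches(rule, flow):
    """A rule is (port, source, destination); "any" is a wildcard."""
    port, src, dst = rule
    return ((port == "any" or port == flow.port)
            and (src == "any" or src == flow.source)
            and (dst == "any" or dst == flow.destination))

def check_rules(rules):
    """Return (missing, too_broad): required flows no rule permits, and rules
    that let the Internet reach the DM host on ports the table does not open."""
    missing = [f for f in REQUIRED if not any(rule_matches(r, f) for r in rules)]
    too_broad = [r for r in rules
                 if r[1] in ("any", "Internet") and r[2] in ("any", DM)
                 and (r[0] == "any" or r[0] not in INTERNET_INBOUND_OK)]
    return missing, too_broad

# Constructed candidate rule set with two gaps and one over-broad entry.
CANDIDATE = [
    (443, "Internet", DM), (8443, "Internet", DM), (443, "Secure network", DM),
    (25, DM, "SMTP Server"), ("any", DM, "Apple APNS"),   # covers 2195 and 2196
    (636, DM, "LDAP"), (1433, DM, "SQL Server"),
    (22, "Internet", DM),                                  # not in the table
]
```

Running check_rules(CANDIDATE) reports the two missing outbound 443 flows (Apple network and Nexmo) and flags the Internet-to-server port 22 rule.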