Posted on 17th May 2017 by Hugo Costa

Configuring Proxies and Firewalls for Apple MDM access

Device Management

Recently I’ve been looking into firewall and proxy configuration in order to get MDM servers working properly. It’s been rumoured for a while that Apple has been using third-party servers for some of its validation and content hosting.

Opening your network to the 17 Class A range used to fix all issues, but that may no longer be the case.

So far this is the information we’ve found about the servers and ports used by Apple and by other MDM solutions:

Firewall setup

Ports that need opening on the firewall to the 17 Class A range (17.0.0.0/8)

  • TCP port 5223 for communication with the APNs (Apple Push Notification service)
  • TCP port 443 as failover access to the APNs if 5223 can’t be reached

Ports that need opening for MDM access

  • TCP port 2195: sending messages to the APNs
  • TCP port 2196: connecting to the APNs feedback service

Proxy setup

For Activation

  • albert.apple.com

Validations

  • ppq.apple.com – for corporate apps
  • ocsp.apple.com and ocsp.verisign.net – for certificates
  • evintl-ocsp.verisign.com and evsecure-ocsp.verisign.com – certificates and authentications during device restore and activation

Content download

  • *.phobos.apple.com – iTunes content
  • deimos*.apple.com – iTunes U content
  • *.aaplimg.com – Apple Content Delivery Network
  • *.akamaiedge.net and *.akamaitechnologies.com – content delivery network
  • *.edgesuite.net and *.llnwd.net – content delivery network (cache)
  • *.mzstatic.com – store artwork (covers, excerpts, icons …)

Updates

  • appldnld.apple.com – iOS firmware
  • ax.itunes.apple.com – searches
  • gs.apple.com – iOS signature validation
  • mesu.apple.com – iOS updates
  • su.itunes.apple.com – app updates

iCloud:

  • *.icloud.com

iTunes:

  • itunes.apple.com – iTunes Services
  • buy.itunes.com – validation of credit cards and accounts
  • metrics.apple.com – statistics

Push:

  • gateway.push.apple.com – sending notification to the APNs
  • feedback.push.apple.com – send feedback to the APNs
  • *-courier.push.apple.com – APNs for all iOS push notifications
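Before a firewall or proxy change goes live it is worth checking two things: that a given destination IP and port actually falls inside the 17.0.0.0/8 rules above, and that the wildcard hostnames in the proxy allowlist are anchored so a look-alike name such as phobos.apple.com.example.net is refused. The script below is an added example written for this post, not code from the original article or from Amsys; the hostnames and ports are taken from the lists above, while the function names, the sample IPs (17.110.227.5, 203.0.113.10) and the sample hostnames are constructed for illustration.

```python
"""Egress allowlist helper built from the host and port lists in the post.

Two checks before trusting a firewall/proxy change:
  1. does a destination IP:port match one of the 17.0.0.0/8 firewall rules?
  2. does a hostname match the proxy allowlist, with wildcards anchored so
     that look-alike names (e.g. phobos.apple.com.example.net) are rejected?
"""
from fnmatch import fnmatchcase
from typing import List, Optional
import ipaddress

# Apple's Class A range, as the post states it.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# (protocol, destination port, destination network, purpose) -- ports from the post.
FIREWALL_RULES = [
    ("tcp", 5223, APPLE_NET, "APNs (device push)"),
    ("tcp", 443, APPLE_NET, "APNs failover when 5223 is blocked"),
    ("tcp", 2195, APPLE_NET, "MDM server -> APNs gateway"),
    ("tcp", 2196, APPLE_NET, "MDM server -> APNs feedback"),
]

# Proxy allowlist copied from the post; '*' is a glob anchored to the whole name.
PROXY_ALLOWLIST = [
    "albert.apple.com",
    "ppq.apple.com", "ocsp.apple.com", "ocsp.verisign.net",
    "evintl-ocsp.verisign.com", "evsecure-ocsp.verisign.com",
    "*.phobos.apple.com", "deimos*.apple.com", "*.aaplimg.com",
    "*.akamaiedge.net", "*.akamaitechnologies.com",
    "*.edgesuite.net", "*.llnwd.net", "*.mzstatic.com",
    "appldnld.apple.com", "ax.itunes.apple.com", "gs.apple.com",
    "mesu.apple.com", "su.itunes.apple.com",
    "*.icloud.com",
    "itunes.apple.com", "buy.itunes.com", "metrics.apple.com",
    "gateway.push.apple.com", "feedback.push.apple.com", "*-courier.push.apple.com",
]


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Albert.Apple.COM.' compares equal."""
    return host.strip().lower().rstrip(".")


def host_allowed(host: str, allowlist=PROXY_ALLOWLIST) -> Optional[str]:
    """Return the allowlist entry that matches, or None.

    fnmatchcase anchors the pattern to the whole string, so '*.phobos.apple.com'
    matches 'a1.phobos.apple.com' but not 'phobos.apple.com.example.net'.
    Caveat: '*.icloud.com' does not match the bare apex 'icloud.com'; add the
    apex explicitly if the proxy log shows it being requested.
    """
    h = normalize_host(host)
    # Reject empty labels ('', '.foo', 'a..b'): '*' would otherwise match them.
    if not h or any(label == "" for label in h.split(".")):
        return None
    for pattern in allowlist:
        if fnmatchcase(h, pattern.lower()):
            return pattern
    return None


def firewall_rule_for(dst_ip: str, dst_port: int, proto: str = "tcp") -> Optional[str]:
    """Return the purpose of the rule that permits this flow, or None if blocked."""
    ip = ipaddress.ip_address(dst_ip)
    for rule_proto, port, net, purpose in FIREWALL_RULES:
        if rule_proto == proto and port == dst_port and ip in net:
            return purpose
    return None


def render_iptables(rules=FIREWALL_RULES, chain: str = "OUTPUT") -> List[str]:
    """Render the rules as iptables egress commands (one ACCEPT per port)."""
    return [
        f"iptables -A {chain} -p {proto} -d {net} --dport {port} -j ACCEPT  # {purpose}"
        for proto, port, net, purpose in rules
    ]


if __name__ == "__main__":
    # Constructed sample flows and hostnames, not captured traffic.
    for ip, port in [("17.110.227.5", 5223), ("17.110.227.5", 22), ("203.0.113.10", 5223)]:
        print(f"{ip}:{port} -> {firewall_rule_for(ip, port) or 'BLOCKED'}")
    for name in ["a1.phobos.apple.com", "phobos.apple.com.example.net",
                 "deimos3.apple.com", "icloud.com", "1-courier.push.apple.com"]:
        print(f"{name} -> {host_allowed(name) or 'DENIED'}")
    print("\n".join(render_iptables()))
```

The look-alike check is the part most often got wrong in proxy configurations: a substring or unanchored regex match on `phobos.apple.com` would accept `phobos.apple.com.example.net`, whereas the anchored glob above refuses it. Keep the allowlist order stable so that a match can be traced back to the exact entry that permitted it.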

We found this information in a variety of sources, including Apple’s iOS Deployment documentation, a very interesting document found on the web by Antoine Moussy at Academie Versailles, and the traffic seen on our own firewall.

If you’re trying to set up an MDM solution, Amsys has created a nice iOS app that can help you test the connections to your server and to Apple’s servers – https://itunes.apple.com/gb/app/services-test/id663823983?mt=8