3

I have an MDM with Profile Manager configured targeting iOS and OSX clients.
Everything works fine in my home network. Now, I would like to apply this in my company.

From the Apple Support website:

Port 2195, 2196 - TCP - Used by Profile Manager to send push notifications
Port 5223 - TCP - Used to maintain a persistent connection to APNs and receive push notifications
Port 80/443 - TCP - Used by Profile Manager to send push notifications
Port 1640 - TCP - Enrollment access to the Certificate Authority

Due to security reasons, I have to specify which of those ports are used to receive data and which are used to send data (or both). Could anyone provide me with this information?

wottle
Fengson

1 Answer

3

If my memory is correct...

  • 2195, 2196: outbound from your MDM to Apple
  • 5223: outbound from your MDM to Apple and outbound/inbound from your client device to Apple
  • 80/443: outbound from your MDM to Apple and your client device, outbound/inbound on your client device to your MDM (assuming your MDM is operating on those ports)
  • 1640: I'm not familiar with this one. I'd have to assume it's outbound from your client device to your CA.

Have you tried monitoring your traffic at both your MDM and iOS devices to determine the originating flow of the ports? Apple will often say "just open up ports XX:YY and you're good" which obviously doesn't translate to reality.

Dan
  • Great! Just one question: how can I perform a monitoring test? – Fengson May 05 '15 at 13:05
  • Based on your technical restrictions I'm assuming you're behind some sort of corporate firewall. Whoever manages that equipment should be able to sniff the packets at your MDM service as well as on your wireless gear your iOS devices connect to. Another option for the iOS devices is setting up Burp Proxy on your PC/Mac and throw your iOS device on there. – Dan May 05 '15 at 13:08
  • I don't believe Apple originates any conversations from APNs to the MDM. If your MDM reaches out to APNs the response would be on the same port. Typically a firewall rule defines port access based on the originating request port. Have you spoken with your IT folks yet about all of this? – Dan May 05 '15 at 13:15
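The flows listed in the answer above, written out as stateful firewall rules for the MDM host plus the capture filter for the traffic monitoring Dan suggests. This is an added example, not part of the original thread: the interface names, the client subnet, and the placement of the port 1640 CA on the same host as the MDM are assumptions, and 17.0.0.0/8 is the address block Apple publishes for APNs, which should be checked against Apple's current documentation before deploying. The point it makes concrete is the one from the comments: a stateful firewall only needs to admit the side that sends the SYN (`NEW`); replies in the other direction ride on `ESTABLISHED`.

```shell
#!/bin/sh
# Added example, not from the original thread. Default mode is a dry run that
# prints the iptables commands; set IPT=iptables to actually apply them.

WAN_IF="${WAN_IF:-eth0}"                   # assumption: MDM interface towards the Internet
LAN_IF="${LAN_IF:-eth1}"                   # assumption: MDM interface towards the device network
CLIENT_NET="${CLIENT_NET:-10.20.0.0/16}"   # assumption: subnet of the managed iOS/OS X devices
APNS_NET="${APNS_NET:-17.0.0.0/8}"         # Apple's published APNs block; verify against current docs
IPT="${IPT:-echo iptables}"                # dry run by default

# MDM -> Apple: the MDM originates these (2195/2196 to APNs, 80/443 to Apple),
# so only NEW outbound connections are opened. Nothing needs to be opened inbound
# from Apple; APNs answers on the connection the MDM opened.
mdm_outbound_rules() {
    for p in 2195 2196 80 443; do
        $IPT -A OUTPUT -o "$WAN_IF" -p tcp -d "$APNS_NET" --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Devices -> MDM: clients originate HTTPS check-ins to the MDM, and (assumption)
# port 1640 enrolment to a CA running on the same host. These are inbound NEW.
mdm_inbound_rules() {
    for p in 443 1640; do
        $IPT -A INPUT -i "$LAN_IF" -p tcp -s "$CLIENT_NET" --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Return traffic for everything admitted above, in both directions.
established_rules() {
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Note: 5223 is deliberately absent. It is the device's persistent connection to
# APNs and never terminates on the MDM, so it belongs in the egress policy of the
# device network, not on the MDM host.

# tcpdump filter that keeps only the first SYN of each TCP connection (SYN set,
# ACK clear), so the source address on every printed line is the side that
# originated the flow. Run it on the MDM host and on the wireless gateway the
# devices sit behind to confirm the directions above on your own network.
syn_filter() {
    echo "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (port 2195 or port 2196 or port 5223 or port 80 or port 443 or port 1640)"
}

# Stand-alone run: print the rule set and the verification command.
mdm_outbound_rules
mdm_inbound_rules
established_rules
echo "# verify who originates each flow with:"
echo "# tcpdump -ni $WAN_IF '$(syn_filter)'"
```

Leave the dry run in place until the capture confirms the originating side of each flow; if the CA is not on the MDM host, move the 1640 rule to wherever the CA actually listens.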