Required firewall ports and IP Ranges

Firewall ports:
To ensure ZuluDesk can communicate properly with the devices you’re managing, make sure the following ports are allowed in your firewall.
  • TCP 5223 (APNS)
  • TCP 443 (HTTPS)
If you choose to use LDAP(S) for authentication, make sure the following ports are also allowed.
  • TCP 389 (LDAP)
  • TCP 636 (LDAP over SSL)

Scripting:

For scripting to work properly, please also whitelist the following port and address:

  • Port: 443
  • Address: api.zuludesk.com

Whitelist IPs:

  • The Apple Push notification servers use load balancing. Your devices will not always connect to the same public IP address for notifications. The entire 17.0.0.0/8 address block is assigned to Apple, so it’s best to allow this range in your firewall settings.
  • The ZuluDesk macOS client uses a custom push server for delivering commands.
  • Authentication requests to your LDAP server may come from the following IP addresses:
    • 94.130.139.182
    • 94.130.139.190
    • 94.130.139.187
    • 94.130.243.182 (NEW!)
    • 94.130.139.188
    • 212.178.82.42
    • 94.130.10.180 (beta)
  • All MDM requests will go through Cloudflare. This is the list from the definitive source of Cloudflare’s current IP ranges:
    • 103.21.244.0/22
    • 103.22.200.0/22
    • 103.31.4.0/22
    • 104.16.0.0/12
    • 108.162.192.0/18
    • 131.0.72.0/22
    • 141.101.64.0/18
    • 162.158.0.0/15
    • 172.64.0.0/13
    • 173.245.48.0/20
    • 188.114.96.0/20
    • 190.93.240.0/20
    • 197.234.240.0/22
    • 198.41.128.0/17
    • 199.27.128.0/21
  • macOS packages
    • 46.4.54.150
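
One way to check an existing firewall against the lists above, as an added example that is not ZuluDesk's own code: it reads allow/deny log records and reports required flows that were blocked, plus LDAP ports that accept sources outside the listed addresses. The log format, the function names and the sample records are constructed for illustration, and treating the Cloudflare ranges as outbound destinations on TCP 443 is an assumption.

```python
import ipaddress

# Addresses and ranges copied from the lists on this page.
LDAP_SOURCES = {ipaddress.ip_address(a) for a in (
    "94.130.139.182", "94.130.139.190", "94.130.139.187", "94.130.243.182",
    "94.130.139.188", "212.178.82.42", "94.130.10.180")}
APPLE = ipaddress.ip_network("17.0.0.0/8")
CLOUDFLARE = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "199.27.128.0/21")]

def expected(direction, remote, port):
    """Return the name of the rule on this page that covers the flow, or None."""
    ip = ipaddress.ip_address(remote)
    if direction == "in" and port in (389, 636) and ip in LDAP_SOURCES:
        return "ldap-auth"
    if direction == "out" and port in (443, 5223) and ip in APPLE:
        return "apple"
    # Assumption: devices reach the MDM service outbound through Cloudflare.
    if direction == "out" and port == 443 and any(ip in n for n in CLOUDFLARE):
        return "mdm-cloudflare"
    return None

def audit(lines):
    """Flag required flows that were denied and LDAP open to unlisted sources."""
    findings = []
    for line in lines:
        action, direction, remote, port = line.split()
        port = int(port)
        rule = expected(direction, remote, port)
        if rule and action == "DENY":
            findings.append(("blocked-required", rule, remote, port))
        elif (rule is None and action == "ALLOW"
              and direction == "in" and port in (389, 636)):
            findings.append(("ldap-open-to-unlisted", None, remote, port))
    return findings

# Constructed sample log (hypothetical format): ACTION DIRECTION REMOTE_IP PORT
SAMPLE = [
    "ALLOW in 94.130.139.182 636",
    "DENY in 94.130.243.182 636",
    "ALLOW in 203.0.113.50 389",
    "DENY out 17.57.144.10 5223",
    "ALLOW out 104.18.2.5 443",
    "DENY out 198.51.100.7 443",
]
```

Calling audit(SAMPLE) returns three findings: a listed LDAP source that is being denied, an unlisted source that is allowed to reach LDAP, and a blocked APNs connection on TCP 5223.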

If you're whitelisting .zuludesk.com, please make sure to add a * (*.zuludesk.com), since we use different addresses for certain things.

Also, please make sure you haven’t blocked any of the URLs below in your web filter, to avoid problems with app installations.

Apple software, such as macOS, iOS, and iTunes, uses different ports and servers to connect to various services. iTunes for Windows also installs some processes that run in the background when the software is open.

Apple Ports, Hosts and addresses:

Please also keep the following ports, hosts and addresses whitelisted for the Apple services:

Device setup:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| albert.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes |
| captive.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals. | Yes |
| gs.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes |
| time-ios.apple.com | 123 | UDP | iOS only | Used by devices to set their date and time | No |
| time.apple.com | 123 | UDP | iOS, tvOS, and macOS | Used by devices to set their date and time | No |
| time-macos.apple.com | 123 | UDP | macOS only | Used by devices to set their date and time | No |

Device Management:

Network access to the following host might be required for devices enrolled in MDM:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| *.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, tvOS, and macOS | Push notifications | Learn more about APNs and proxies. |
| gdmf.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM server to identify which software updates are available to devices that use managed software updates. | Yes |
| deviceenrollment.apple.com | 443 | TCP | iOS, tvOS, and macOS | DEP provisional enrollment. | |
| deviceservices-external.apple.com | 443 | TCP | iOS, tvOS, and macOS | | |
| identity.apple.com | 443 | TCP | iOS, tvOS, and macOS | APNs certificate request portal. | Yes |
| iprofiles.apple.com | 443 | TCP | iOS, tvOS, and macOS | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
| mdmenrollment.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts. | Yes |
| vpp.itunes.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device. | Yes |

Software Updates:

macOS, iOS and tvOS:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| appldnld.apple.com | 80 | TCP | iOS only | iOS updates | No |
| gg.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
| gnf-mdn.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| gnf-mr.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| gs.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
| ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| mesu.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Hosts software update catalogs | No |
| ns.itunes.apple.com | 443 | TCP | iOS only | | Yes |
| oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | No |
| osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | No |
| skl.apple.com | 443 | TCP | macOS only | macOS updates | |
| swcdn.apple.com | 80 | TCP | macOS only | macOS updates | No |
| swdist.apple.com | 443 | TCP | macOS only | macOS updates | No |
| swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
| swpost.apple.com | 80 | TCP | macOS only | macOS updates | Yes |
| swscan.apple.com | 443 | TCP | macOS only | macOS updates | No |
| updates-http.cdn-apple.com | 80 | TCP | iOS, tvOS, and macOS | | No |
| updates.cdn-apple.com | 443 | TCP | iOS, tvOS, and macOS | | No |
| xp.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes |

App Store:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| *.itunes.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
| *.apps.apple.com | 443 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
| *.mzstatic.com | 443 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | |
| itunes.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | | Yes |
| ppq.apple.com | 443 | TCP | iOS, tvOS, and macOS | Enterprise App validation | |

Content Caching:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| lcdn-registration.apple.com | 443 | TCP | macOS only | Content caching server registration | Yes |

App Notarization:

Starting with macOS 10.14.5, software is checked for notarization before it will run. In order for this check to succeed, a Mac must be able to access the same hosts listed in the Ensure Your Build Server Has Network Access section of Customizing the Notarization Workflow:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| 17.248.128.0/18 | 443 | TCP | macOS only | Ticket delivery | |
| 17.250.64.0/18 | 443 | TCP | macOS only | Ticket delivery | |
| 17.248.192.0/19 | 443 | TCP | macOS only | Ticket delivery | |

Certificate validation:

Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts listed above:

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| crl.apple.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| crl.entrust.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| crl3.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| crl4.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| ocsp.apple.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| ocsp.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| ocsp.entrust.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |
| ocsp.verisign.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | |

Firewalls:

If your firewall supports using hostnames, you may be able to use most Apple services above by allowing outbound connections to *.apple.com. If your firewall can only be configured with IP addresses, allow outbound connections to 17.0.0.0/8. The entire 17.0.0.0/8 address block is assigned to Apple.

The following references provide detailed information on the network requirements for Apple products:
