End-user devices must be able to reach certain endpoints for access to apps and services. The Network Requirements for Android is a list of known endpoints for current and past versions of enterprise management APIs.

To reach all the endpoints successfully, devices require a direct connection. If devices are connected behind a proxy, direct communication is not possible and certain functions fail.
Note: AOSP/Closed Network enrollment does not require that devices have access to these endpoints.
Table 1. Firewall Rules for Devices

| Destination Host | Ports | Purpose |
| --- | --- | --- |
| play.google.com, android.com, google-analytics.com, googleusercontent.com, *gstatic.com, *gvt1.com*, *ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com*, gvt2.com, *gvt3.com | TCP/443; TCP, UDP/5228-5230 | Google Play and updates. gstatic.com, googleusercontent.com - contains User Generated Content (e.g. app icons in the store). *gvt1.com, *.ggpht, dl.google.com, dl-ssl.google.com, android.clients.google.com - Download apps and updates, PlayStore APIs. gvt2.com and gvt3.com are used for Play connectivity monitoring for diagnostics. |
| *.googleapis.com | TCP/443 | EMM/Google APIs/PlayStore APIs |
| accounts.google.com, accounts.google.[country] | TCP/443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for United Kingdom use accounts.google.co.uk. |
| fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP/443, 5228-5230 | Firebase Cloud Messaging (e.g. Find My Device, EMM Console <-> DPC communication, like pushing configs) |
| pki.google.com, clients1.google.com | TCP/443 | Certificate Revocation list checks for Google-issued certificates |
| clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP/443 | Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others |
| omahaproxy.appspot.com | TCP/443 | Chrome updates |
| android.clients.google.com | TCP/443 | CloudDPC download URL used in NFC provisioning |
| connectivitycheck.android.com, www.google.com | TCP/443 | Connectivity check prior to CloudDPC v470. Android connectivity check starting with N MR1 requires https://www.google.com/generate_204 to be reachable, or for the given WiFi network to point to a reachable PAC file. |
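
One way to find out whether a firewall is blocking endpoints from Table 1, as an added example that is not part of the original page or of any vendor tooling: it matches denied host:port pairs from a firewall log against a subset of the table's rows. The log format, sample lines and function names are constructed; wildcard entries are read as "the domain and any subdomain" (an assumption), and the protocol (TCP/UDP) is ignored.

```python
import re

# Subset of Table 1; "*" patterns are read as "domain plus any subdomain" (assumption).
RULES = [
    ("play.google.com android.com *gstatic.com *gvt1.com* dl.google.com", "443,5228-5230"),
    ("*.googleapis.com accounts.google.com", "443"),
    ("fcm.googleapis.com fcm-xmpp.googleapis.com", "443,5228-5230"),
]
LINE = re.compile(r"^\S+ (\w+) .*?dst=(\S+) dport=(\d+)")  # hypothetical log format

def ports(spec):
    """Expand a port spec such as '443,5228-5230' into a set of integers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def compile_rules(rules=RULES):
    """Return (domain, is_wildcard, allowed_ports) tuples, one per host pattern."""
    return [(p.strip("*."), "*" in p, ports(spec))
            for hosts, spec in rules for p in hosts.split()]

def is_required(host, port, compiled):
    """True if host:port is covered; wildcards match only on a DNS label boundary."""
    host = host.lower().rstrip(".")
    return any(port in allowed and (host == d or (wild and host.endswith("." + d)))
               for d, wild, allowed in compiled)

# Constructed firewall log lines, for illustration only.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY src=10.1.2.3 dst=fcm.googleapis.com dport=5228 proto=tcp
2024-05-01T10:00:02 DENY src=10.1.2.3 dst=play.google.com dport=443 proto=tcp
2024-05-01T10:00:03 DENY src=10.1.2.4 dst=notgstatic.com dport=443 proto=tcp
2024-05-01T10:00:04 ALLOW src=10.1.2.4 dst=www.gstatic.com dport=443 proto=tcp
2024-05-01T10:00:05 DENY src=10.1.2.5 dst=android.com dport=80 proto=tcp
"""

def blocked_required(log, compiled):
    """Return sorted (host, port) pairs that were denied although the table requires them."""
    hits = set()
    for m in filter(None, map(LINE.match, log.splitlines())):
        action, host, port = m.group(1), m.group(2), int(m.group(3))
        if action == "DENY" and is_required(host, port, compiled):
            hits.add((host, port))
    return sorted(hits)

if __name__ == "__main__":
    print(blocked_required(SAMPLE_LOG, compile_rules()))
```

Matching on a label boundary keeps a lookalike such as notgstatic.com from being treated as covered by the *gstatic.com entry, which a plain suffix match would allow.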

Firewall Rules for Consoles

If an EMM console is located on-premises, the destinations below need to be reachable from the network in order to create a Managed Google Play Enterprise and to access the Managed Google Play iFrame.

This list is not exhaustive and is subject to change.

| Destination Host | Ports | Purpose |
| --- | --- | --- |
| play.google.com, www.google.com | TCP/443 | Google Play Store, Play Enterprise re-enroll |
| fonts.googleapis.com*, .gstatic.com | TCP/443 | iFrame JS, Google fonts, User Generated Content (e.g. app icons in the store) |
| accounts.youtube.com, accounts.google.com, accounts.google.com.* | TCP/443 | Account Authentication, Country-specific account auth domains |
| apis.google.com, ajax.googleapis.com | TCP/443 | GCM, other Google web services, and iFrame JS |
| clients1.google.com, payments.google.com, google.com | TCP/443 | App approval |
| ogs.google.com | TCP/443 | iFrame UI elements |
| notifications.google.com | TCP/443 | Desktop/Mobile Notifications |