The Workspace ONE UEM console and Device Services servers must communicate with several internal and external endpoints to function. End-user devices must also reach certain endpoints to access applications and services. Use the tables below to confirm that your network meets the Workspace ONE UEM requirements.

For the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component. Workspace ONE UEM supports the IPv6 protocol for all ports and components.

Console Server Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| UEM console Hostname | discovery.awmdm.com | HTTPS | 443 | Optional, for AutoDiscovery |
| UEM console Hostname | signing.awmdm.com | HTTPS | 443 | Mandatory for Workspace ONE Baselines. Optional, for AutoDiscovery |
| UEM console Hostname | awcp.air-watch.com | HTTPS | 443 | Optional, for APNs Certificate. Proxy Connections not supported. |
| UEM console Hostname | gem.awmdm.com | HTTPS | 443 | Workspace ONE UEM Analytics in myAirWatch |
| UEM console Hostname | appwrap04.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud iOS App Wrapping Service |
| UEM console Hostname | gateway.push.apple.com (17.0.0.0/8) | TCP | 2195 | Apple iOS and macOS only |
| UEM console Hostname | feedback.push.apple.com (17.0.0.0/8) | TCP | 2196 | Apple iOS and macOS only |
| UEM console Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
| UEM console Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
| UEM console Hostname | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| UEM console Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
| UEM console Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| UEM console Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| UEM console Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| UEM console Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
| UEM console Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
| UEM console Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
| UEM console Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| UEM console Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
| UEM console Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
| UEM console Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| UEM console Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| UEM console Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
| UEM console Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 | |
| UEM console Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| UEM console Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| UEM console Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| UEM console Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| UEM console Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| UEM console Hostname | inference.location.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| UEM console Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| UEM console Hostname | next-services.apps.microsoft.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows 8/RT only |
| UEM console Hostname | *.windowsphone.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows Phone 8 only |
| UEM console Hostname | login.live.com | HTTPS | 443 | For Cloud Messaging for Windows devices |
| UEM console Hostname | login.windows.net/{TenantName} | HTTPS | 443 | Windows 10 only, where {TenantName} is the domain name of your tenant in Azure |
| UEM console Hostname | graph.windows.net | HTTPS | 443 | Windows 10 only |
| UEM console Hostname | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only, for health attestation |
| UEM console Hostname | *.virtualearth.net | HTTP/HTTPS | 80 or 443 | For location services Bing Maps integration |
| UEM console Hostname | Apple iTunes: itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple iOS and macOS only |
| UEM console Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
| UEM console Hostname | api.push.apple.com | HTTPS | 443 | Apple iOS and macOS only |
| UEM console Hostname | gateway.celltrust.net (162.42.205.0/24) | HTTPS | 443 | Only requires the use of 443 when using SMS integration |
| UEM console Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 | Optional, if Console is publicly accessible |
| UEM console Hostname | CRL: http://crl3.digicert.com/sha2-assured-cs-g1.crl, http://crl4.digicert.com/sha2-assured-cs-g1.crl | HTTP | 80 | Supports code-signing verification of Workspace ONE UEM code post-installation. |
| UEM console Hostname | All Workspace ONE UEM Servers | HTTPS | 443 | |
| UEM console Hostname | AWCM server | HTTPS | 2001 | AWCM may be installed on your Device Services server. |
| UEM console Hostname | Workspace ONE UEM API server (if standalone) | HTTPS | 443 | Set up network traffic from the Console server to the API server if the API component is not installed on the Console server. The API component may be installed on your Device Services server. |
| UEM console Hostname | File Storage (if not set up on Console server) | SMB or NFS | Samba/SMB: TCP: 445, 137, 139. UDP: 137, 138. NFS: TCP and UDP: 111 and 2049 | Required for reports. For more information see File Storage Requirement. |
| UEM console Hostname | Workspace ONE UEM Database server | SQL | 1433 | |
| UEM console Hostname | Exchange Server | HTTP/HTTPS | 80 or 443 | For PowerShell integration, if not using VMware Enterprise Systems Connector |
| UEM console Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | For LDAP integration |
| UEM console Hostname | SMTP Mail Relay | SMTP | 25 or 465 | For SMTP integration |
| UEM console Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM) | For PKI integration |
| UEM console Hostname | Memcached | TCP | 11211 | Memcached outbound communications |
| UEM console Hostname | https://gdmf.apple.com/v2/pmv | TCP | 443 | [OPTIONAL] iOS Updates functionality |

Console Server Admin API Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Admin Browser | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |
| Admin Browser | UEM console Hostname | HTTPS | 443 | Console Access |
| Admin Browser | API Server Hostname | HTTPS | 443 | Astro APIs |

API Server Ports (if standalone)

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| API Server Hostname | Workspace ONE UEM Database server | SQL | 1433 | |
| API Server Hostname | AWCM server | HTTPS | 2001 | If AWCM is hosted on device services, then direct to the Device Services server. |
| API Server Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | Only required if you are integrating with Workspace ONE Access without the use of VMware Enterprise Systems Connector. |
| API Server Hostname | vmwarebaselines.com | HTTPS | 443 | AWS-hosted VMware Policy Catalog Service. Mandatory for Workspace ONE Baselines. |
| API Server Hostname | android.googleapis.com, play.google.com | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Android devices. |
| API Server Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
| API Server Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
| API Server Hostname | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| API Server Hostname | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| API Server Hostname | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| API Server Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
| API Server Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| API Server Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
| API Server Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| API Server Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
| API Server Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
| API Server Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| API Server Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| API Server Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
| API Server Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 | |
| API Server Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| API Server Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| API Server Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| API Server Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| API Server Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| API Server Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| API Server Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| API Server Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
| API Server Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
| API Server Hostname | inference.location.live.net, *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices. |
| API Server Hostname | gateway.push.apple.com (17.0.0.0/8), feedback.push.apple.com (17.0.0.0/8) | TCP | 2195, 2196, 2197 | For Apple iOS and macOS cloud messaging. Proxy Connections not supported. |
| API Server Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
| API Server Hostname | api.push.apple.com | HTTPS | 443 | For Apple iOS and macOS cloud messaging. Proxy Connections not supported. |
| API Server Hostname | Memcached | TCP | 11211 | Memcached outbound communications |

Workspace ONE Access Admin API Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Workspace ONE Access Service | API Server Hostname | HTTPS | 443 | Auth Token Request |
| API Server Hostname | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |

Device Services Server Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Device Services Hostname | discovery.awmdm.com | HTTPS | 443 | Optional – For auto discovery functionality |
| Device Services Hostname | signing.awmdm.com | HTTPS | 443 | Optional – For auto discovery functionality |
| Device Services Hostname | gateway.push.apple.com | TCP | 2195 | Apple only |
| Device Services Hostname | feedback.push.apple.com | TCP | 2196 | Apple only |
| Device Services Hostname | www.google.com | HTTPS | 443 | Google devices running Android 8.0+ |
| Device Services Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
| Device Services Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
| Device Services Hostname | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| Device Services Hostname | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| Device Services Hostname | fcm.googleapis.com | TCP | 443, 5228-5230 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| Device Services Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
| Device Services Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| Device Services Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
| Device Services Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| Device Services Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
| Device Services Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
| Device Services Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| Device Services Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Device Services Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
| Device Services Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 | |
| Device Services Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| Device Services Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| Device Services Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Device Services Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Device Services Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Device Services Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
| Device Services Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
| Device Services Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Device Services Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Device Services Hostname | android.googleapis.com | HTTP/HTTPS | 80 and 443 | Android only |
| Device Services Hostname | play.google.com | HTTPS | 443 | Android only |
| Device Services Hostname | android.clients.google.com | TCP | 80 | Android app management only |
| Device Services Hostname | awcp.air-watch.com | HTTPS | 443 | Optional, for APNs Certificate. Proxy Connections not supported. |
| Device Services Hostname | inference.location.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | *.windowsphone.com | HTTP | 80 | For App Management, Windows Phone 8 only |
| Device Services Hostname | next-services.apps.microsoft.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows 8/RT only |
| Device Services Hostname | login.live.com | HTTPS | 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | login.windows.net/{TenantName} | HTTPS | 443 | Windows 10 only. Where {TenantName} is the domain name of your tenant in Azure. |
| Device Services Hostname | graph.windows.net | HTTPS | 443 | Windows 10 only |
| Device Services Hostname | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only for health attestation |
| Device Services Hostname | Apple iTunes: itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple only |
| Device Services Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
| Device Services Hostname | api.push.apple.com | HTTPS | 443 | Apple Only |
| Device Services Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 | |
| Device Services Hostname | CRL: http://crl3.digicert.com/sha2-assured-cs-g1.crl, http://crl4.digicert.com/sha2-assured-cs-g1.crl | HTTP | 80 | Supports code-signing verification of Workspace ONE UEM code post-installation. |
| Device Services Hostname | All Workspace ONE UEM Servers | HTTPS | 443 | |
| Device Services Hostname | AWCM (if standalone) | HTTPS | 2001 | Set up network traffic from the Device Services server to the AWCM server if the AWCM component is not installed on the Device Services server. |
| Device Services Hostname | Workspace ONE UEM API server (if standalone) | HTTPS | 443 | Set up network traffic from the Device Services server to the API server if the API component is not installed on the Device Services server. |
| Device Services Hostname | File Storage (dedicated server or set up on an internal application server) | SMB or NFS | Samba/SMB: TCP: 445, 137, 139. UDP: 137, 138. NFS: TCP and UDP: 111 and 2049 | Required for reports. For more information see File Storage Requirement. |
| Device Services Hostname | Database Server | SQL | 1433 | |
| Device Services Hostname | Exchange Server | HTTP/HTTPS | 80 or 443 | For PowerShell integration, if not using VMware Enterprise Systems Connector |
| Device Services Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | [OPTIONAL] if you don't use VMware Enterprise Systems Connector |
| Device Services Hostname | SMTP Mail Relay | SMTP | 25 or 465 | [OPTIONAL] if you do not use VMware Enterprise Systems Connector |
| Device Services Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM) | [OPTIONAL] if you do not use VMware Enterprise Systems Connector |
| Device Services Hostname | appwrap04.awmdm.com | HTTPS | 443 | AirWatch Cloud iOS App Wrapping Service |
| Device Services Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | AirWatch Cloud Android App Wrapping Service |
| Device Services Hostname | Memcached | TCP | 11211 | Memcached outbound communications |

VMware Workspace ONE Access Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Load Balancer | VMware Workspace ONE Access | HTTPS | 443 | |
| Workspace ONE Access service | VMware Workspace ONE Access | HTTPS | 443 | |
| Browsers | VMware Workspace ONE Access | HTTPS | 443 | |
| Workspace ONE Access service | vapp-updates.vmware.com | HTTPS | 443 | Access to the upgrade server |
| Browsers | VMware Workspace ONE Access | HTTPS | 8443 | Administrator Port |
| Workspace ONE Access service | SMTP | SMTP | 25 | Port to relay outbound mail |
| Workspace ONE Access service | Active Directory | LDAP, LDAPS, MSFT-GC, MSFT-GC-SSL | 389, 636, 3268, 3269 | Default values are listed. These ports are configurable. |
| Workspace ONE Access service | VMware ThinApp repository | TCP | 445 | Access to the ThinApp repository |
| Workspace ONE Access service | RSA SecurID system | UDP | 5500 | Default value is listed. This port is configurable. |
| Workspace ONE Access service | DNS server | TCP/UDP | 53 | Every Workspace ONE Access server must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| Workspace ONE Access service | Domain controller | TCP/UDP | 88, 464, 135 | |
| Workspace ONE Access service | VMware Workspace ONE Access | TCP | 9300-9400 | Audit needs |
| Workspace ONE Access service | VMware Workspace ONE Access | TCP | 54328 | Audit needs |
| Workspace ONE Access service | Workspace ONE Access Database | TCP | 1433, 5432, 1521 | Microsoft SQL default port is 1433. The PostgreSQL default port is 5432. The Oracle default port is 1521. |
| Workspace ONE Access service | View server | | 443 | Access to View server. |
| Workspace ONE Access service | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
| Workspace ONE Access service | Workspace ONE UEM REST API | HTTPS | 443 | For device compliance checking and for the Enterprise System Connector Workspace ONE UEM Cloud Connector password authentication method, if that is used. |
| Workspace ONE Access service | Cloud-hosted KCD | UDP | 88 | Port used for Kerberos traffic from the Workspace ONE Access to the hosted cloud KDC service. |
| Adaptiva Server | AW Cloud Connector | UDP | 34320 | Port used for Adaptiva SDK library to send and receive messages to/from Adaptiva Server. |
| iOS mobile device | Cloud-hosted KCD | UDP | 88 | Port used for Kerberos traffic from the iOS device to the hosted cloud KDC service. |
| iOS mobile device | VMware Workspace ONE Access | TCP/UDP | 88 | Port used for Kerberos traffic from iOS device to the built-in KDC |
| iOS mobile device | VMware Workspace ONE Access | UDP | 88 | Port used for Kerberos traffic from iOS device to the hosted cloud KDC service. |
| iOS mobile device | VMware Workspace ONE Access | HTTPS/TCP | 443 | Port used for Kerberos traffic from iOS device to the hosted cloud KDC service. |
| Android mobile device | Workspace ONE UEM HTTPS proxy service | TCP | 5262 | Workspace ONE UEM Tunnel client routes traffic to the HTTPS proxy for Android devices. |
| Browser | VMware Workspace ONE Access | HTTP | 80 | Required |
| Workspace ONE Access service | Ehcache | | 40002 | |
| Workspace ONE Access service | RabbitMQ | | 4269, 5700, and 25672 | |
| Workspace ONE Access service | Elasticsearch | | 9200, 9300, 443, 8443, 80 | |
| Workspace ONE Access service | Android SSO | | 5262 | |
| Workspace ONE Access service | Browsers | HTTPS | 6443 | For certificate authentication configured in a Workspace ONE Access on premises DMZ deployment. |

VMware Workspace ONE Access Admin API Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| UEM console Hostname | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |

End-User Device Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Devices (Internet/Wi-Fi) | Device Services Hostname | HTTP/HTTPS | 80 or 443 | Best practice: use HTTPS 443 for additional security. |
| Devices (Internet/Wi-Fi) | SEG Hostname | HTTPS | 443 | |
| Devices (Internet/Wi-Fi) | VMware Tunnel Hostname | HTTPS | 443, 2020 | For Browser access |
| Devices (Internet/Wi-Fi) | courier.push.apple.com (17.0.0.0/8) | TCP | 5223 and 443 | Apple only. '#' is a random number from 0 to 200. |
| Devices (Internet/Wi-Fi) | *.push.apple.com | TCP | 443, 80, 5223, 2197 | Push notifications |
| Devices (Internet/Wi-Fi) | gdmf.apple.com | TCP | 443 | MDM server to identify which software updates are available to devices that use managed software updates. |
| Devices (Internet/Wi-Fi) | deviceenrollment.apple.com | TCP | 443 | DEP provisional enrollment. |
| Devices (Internet/Wi-Fi) | deviceservices-external.apple.com | TCP | 443 | |
| Devices (Internet/Wi-Fi) | identity.apple.com | TCP | 443 | APNs certificate request portal. |
| Devices (Internet/Wi-Fi) | iprofiles.apple.com | TCP | 443 | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment |
| Devices (Internet/Wi-Fi) | mdmenrollment.apple.com | TCP | 443 | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts. |
| Devices (Internet/Wi-Fi) | vpp.itunes.apple.com | TCP | 443 | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device. |
| Devices (Internet/Wi-Fi) | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | HTTP/HTTPS | 80 or 443 | Apple only |
| Devices (Internet/Wi-Fi) | mtalk.google.com | TCP | 5228 | For Cloud Messaging, Android only. Proxy Connections not supported. |
| Devices (Internet/Wi-Fi) | play.google.com | HTTPS | 443 | For App Management, Android only |
| Devices (Internet/Wi-Fi) | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
| Devices (Internet/Wi-Fi) | appwrapandroid.awmdm.com | TCP | 443 | Android only |
| Devices (Internet/Wi-Fi) | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| Devices (Internet/Wi-Fi) | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| Devices (Internet/Wi-Fi) | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| Devices (Internet/Wi-Fi) | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
| Devices (Internet/Wi-Fi) | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| Devices (Internet/Wi-Fi) | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
| Devices (Internet/Wi-Fi) | clients1.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients2.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients3.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients4.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients5.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients6.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| Devices (Internet/Wi-Fi) | www.google.com | TCP | 443 | |
| Devices (Internet/Wi-Fi) | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
| Devices (Internet/Wi-Fi) | accounts.google.com | TCP | 443 | Android only. Authentication. |
| Devices (Internet/Wi-Fi) | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| Devices (Internet/Wi-Fi) | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Devices (Internet/Wi-Fi) | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
| Devices (Internet/Wi-Fi) | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 | |
| Devices (Internet/Wi-Fi) | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| Devices (Internet/Wi-Fi) | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| Devices (Internet/Wi-Fi) | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Devices (Internet/Wi-Fi) | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Devices (Internet/Wi-Fi) | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Devices (Internet/Wi-Fi) | dl-ssl.google.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Devices (Internet/Wi-Fi) | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Devices (Internet/Wi-Fi) | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Devices (Internet/Wi-Fi) | *.notify.windows.com | HTTPS | 443 | For Cloud Messaging, Windows 10 |
| Devices (Internet/Wi-Fi) | inference.location.live.net | HTTP/HTTPS | 80 or 443 | Retrieve device location, Windows 10 |
| Devices (Internet/Wi-Fi) | *.notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging. Windows Phone 10 |
| Devices (Internet/Wi-Fi) | wns.windows.com | HTTPS | 443 | Windows Push Notification Service |
| Devices (Internet/Wi-Fi) | has.spserv.microsoft.com | HTTPS | 443 | Health Attestation Services, Windows 10 |
| Devices (Internet/Wi-Fi) | microsoft.com/store/apps | HTTPS | 443 | Public app store access |
| Devices (Internet/Wi-Fi) | bspmts.mp.microsoft.com | HTTPS | 443 | Business store portal app access |
| Devices (Internet/Wi-Fi) | ekop.intel.com/ekcertservice | HTTPS | 443 | For Intel firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
| Devices (Internet/Wi-Fi) | ekcert.spserv.microsoft.com | HTTPS | 443 | For Qualcomm firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
| Devices (Internet/Wi-Fi) | *login.live.com | HTTP/HTTPS | 80 or 443 | Request WNS Channel, Windows 10 |
| Devices (Internet/Wi-Fi) | *.windowsphone.com | HTTP/HTTPS | 80 or 443 | Windows Phone 8 |
| Devices (Internet/Wi-Fi) | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only for health attestation |
| Devices (Internet/Wi-Fi) | Public SSL Cert CRL (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 and 443 | |
| Devices (Internet/Wi-Fi) | AWCM Server | HTTP/HTTPS | 2001 | Windows Rugged, Android, macOS, Windows 7, and Windows Desktop devices with Workspace ONE UEM Unified Agent only. Windows Desktop devices using the Workspace ONE UEM Unified Agent use the AWCM for real-time notifications. |