The Workspace ONE UEM console and Device Services servers must communicate with several internal and external endpoints to function. End-user devices must also reach certain endpoints to access applications and services. Learn more about how to ensure your network meets the Workspace ONE UEM requirements.

For the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component. Workspace ONE UEM supports the IPv6 protocol for all ports and components.

Console Server Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| UEM console Hostname | discovery.awmdm.com | HTTPS | 443 | Optional, for AutoDiscovery |
| UEM console Hostname | signing.awmdm.com | HTTPS | 443 | Mandatory for Workspace ONE Baselines. Optional, for AutoDiscovery |
| UEM console Hostname | awcp.air-watch.com | HTTPS | 443 | Optional, for APNs Certificate. Proxy Connections not supported. |
| UEM console Hostname | gem.awmdm.com | HTTPS | 443 | Workspace ONE UEM Analytics in myAirWatch |
| UEM console Hostname | appwrap04.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud iOS App Wrapping Service |
| UEM console Hostname | gateway.push.apple.com (17.0.0.0/8) | TCP | 2195 | Apple iOS and macOS only |
| UEM console Hostname | feedback.push.apple.com (17.0.0.0/8) | TCP | 2196 | Apple iOS and macOS only |
| UEM console Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
| UEM console Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
| UEM console Hostname | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| UEM console Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
| UEM console Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| UEM console Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| UEM console Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| UEM console Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
| UEM console Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
| UEM console Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
| UEM console Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
| UEM console Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| UEM console Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
| UEM console Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
| UEM console Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| UEM console Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| UEM console Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
| UEM console Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 |  |
| UEM console Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| UEM console Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| UEM console Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| UEM console Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| UEM console Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| UEM console Hostname | inference.location.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| UEM console Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| UEM console Hostname | next-services.apps.microsoft.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows 8/RT only |
| UEM console Hostname | *.windowsphone.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows Phone 8 only |
| UEM console Hostname | login.live.com | HTTPS | 443 | For Cloud Messaging for Windows devices |
| UEM console Hostname | login.windows.net/{TenantName} | HTTPS | 443 | Windows 10 only, where {TenantName} is the domain name of your tenant in Azure |
| UEM console Hostname | graph.windows.net | HTTPS | 443 | Windows 10 only |
| UEM console Hostname | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only, for health attestation |
| UEM console Hostname | *.virtualearth.net | HTTP/HTTPS | 80 or 443 | For location services Bing Maps integration |
| UEM console Hostname | Apple iTunes: itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple iOS and macOS only |
| UEM console Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
| UEM console Hostname | api.push.apple.com | HTTPS | 443 | Apple iOS and macOS only |
| UEM console Hostname | gateway.celltrust.net (162.42.205.0/24) | HTTPS | 443 | Only requires the use of 443 when using SMS integration |
| UEM console Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 | Optional, if Console is publicly accessible |
| UEM console Hostname | CRL: http://crl3.digicert.com/sha2-assured-cs-g1.crl, http://crl4.digicert.com/sha2-assured-cs-g1.crl | HTTP | 80 | Supports code-signing verification of Workspace ONE UEM code post-installation. |
| UEM console Hostname | All Workspace ONE UEM Servers | HTTPS | 443 |  |
| UEM console Hostname | AWCM server | HTTPS | 2001 | AWCM may be installed on your Device Services server. |
| UEM console Hostname | Workspace ONE UEM API server (if standalone) | HTTPS | 443 | Set up network traffic from the Console server to the API server if the API component is not installed on the Console server. The API component may be installed on your Device Services server. |
| UEM console Hostname | File Storage (if not set up on Console server) | SMB or NFS | Samba/SMB: TCP: 445, 137, 139. UDP: 137, 138; NFS: TCP and UDP: 111 and 2049 | Required for reports. For more information see File Storage Requirement. |
| UEM console Hostname | Workspace ONE UEM Database server | SQL | 1433 |  |
| UEM console Hostname | Exchange Server | HTTP/HTTPS | 80 or 443 | For PowerShell integration, if not using VMware Enterprise Systems Connector |
| UEM console Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | For LDAP integration |
| UEM console Hostname | SMTP Mail Relay | SMTP | 25 or 465 | For SMTP integration |
| UEM console Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM) | For PKI integration |
| UEM console Hostname | Memcached | TCP | 11211 | Memcached outbound communications |
| UEM console Hostname | https://gdmf.apple.com/v2/pmv | TCP | 443 | [OPTIONAL] iOS Updates functionality. Note: This endpoint is secured with an Apple Internal Certificate (Non-Public PKI). Trusting this certificate is a requirement for this functionality. |

Console Server Admin API Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Admin Browser | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |
| Admin Browser | UEM console Hostname | HTTPS | 443 | Console Access |
| Admin Browser | API Server Hostname | HTTPS | 443 | Astro APIs |

API Server Ports (if standalone)

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| API Server Hostname | Workspace ONE UEM Database server | SQL | 1433 |  |
| API Server Hostname | AWCM server | HTTPS | 2001 | If AWCM is hosted on device services, then direct to the Device Services server. |
| API Server Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | Only required if you are integrating with Workspace ONE Access without the use of VMware Enterprise Systems Connector. |
| API Server Hostname | vmwarebaselines.com | HTTPS | 443 | AWS-hosted VMware Policy Catalog Service. Mandatory for Workspace ONE Baselines. |
| API Server Hostname | android.googleapis.com, play.google.com | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Android devices. |
| API Server Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
| API Server Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
| API Server Hostname | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| API Server Hostname | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| API Server Hostname | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| API Server Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
| API Server Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| API Server Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
| API Server Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
| API Server Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| API Server Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
| API Server Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
| API Server Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| API Server Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| API Server Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
| API Server Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 |  |
| API Server Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| API Server Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| API Server Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| API Server Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| API Server Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| API Server Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| API Server Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| API Server Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
| API Server Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
| API Server Hostname | inference.location.live.net, *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices. |
| API Server Hostname | gateway.push.apple.com (17.0.0.0/8), feedback.push.apple.com (17.0.0.0/8) | TCP | 2195, 2196, 2197 | For Apple iOS and macOS cloud messaging. Proxy Connections not supported. |
| API Server Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
| API Server Hostname | api.push.apple.com | HTTPS | 443 | For Apple iOS and macOS cloud messaging. Proxy Connections not supported. |
| API Server Hostname | Memcached | TCP | 11211 | Memcached outbound communications |

Workspace ONE Access Admin API Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Workspace ONE Access Service | API Server Hostname | HTTPS | 443 | Auth Token Request |
| API Server Hostname | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |

Device Services Server Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Device Services Hostname | discovery.awmdm.com | HTTPS | 443 | Optional – For auto discovery functionality |
| Device Services Hostname | signing.awmdm.com | HTTPS | 443 | Optional – For auto discovery functionality |
| Device Services Hostname | gateway.push.apple.com | TCP | 2195 | Apple only |
| Device Services Hostname | feedback.push.apple.com | TCP | 2196 | Apple only |
| Device Services Hostname | www.google.com | HTTPS | 443 | Google devices running Android 8.0+ |
| Device Services Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
| Device Services Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
| Device Services Hostname | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| Device Services Hostname | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| Device Services Hostname | fcm.googleapis.com | TCP | 443, 5228-5230 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| Device Services Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
| Device Services Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| Device Services Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
| Device Services Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
| Device Services Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| Device Services Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
| Device Services Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
| Device Services Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| Device Services Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Device Services Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
| Device Services Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 |  |
| Device Services Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| Device Services Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| Device Services Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Device Services Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Device Services Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Device Services Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
| Device Services Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
| Device Services Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Device Services Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Device Services Hostname | android.googleapis.com | HTTP/HTTPS | 80 and 443 | Android only |
| Device Services Hostname | play.google.com | HTTPS | 443 | Android only |
| Device Services Hostname | android.clients.google.com | TCP | 80 | Android app management only |
| Device Services Hostname | awcp.air-watch.com | HTTPS | 443 | Optional, for APNs Certificate. Proxy Connections not supported. |
| Device Services Hostname | inference.location.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | *.windowsphone.com | HTTP | 80 | For App Management, Windows Phone 8 only |
| Device Services Hostname | next-services.apps.microsoft.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows 8/RT only |
| Device Services Hostname | login.live.com | HTTPS | 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | login.windows.net/{TenantName} | HTTPS | 443 | Windows 10 only. Where {TenantName} is the domain name of your tenant in Azure. |
| Device Services Hostname | graph.windows.net | HTTPS | 443 | Windows 10 only |
| Device Services Hostname | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only for health attestation |
| Device Services Hostname | Apple iTunes: itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple only |
| Device Services Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
| Device Services Hostname | api.push.apple.com | HTTPS | 443 | Apple only |
| Device Services Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 |  |
| Device Services Hostname | CRL: http://crl3.digicert.com/sha2-assured-cs-g1.crl, http://crl4.digicert.com/sha2-assured-cs-g1.crl | HTTP | 80 | Supports code-signing verification of Workspace ONE UEM code post-installation. |
| Device Services Hostname | All Workspace ONE UEM Servers | HTTPS | 443 |  |
| Device Services Hostname | AWCM (if standalone) | HTTPS | 2001 | Set up network traffic from the Device Services server to the AWCM server if the AWCM component is not installed on the Device Services server. |
| Device Services Hostname | Workspace ONE UEM API server (if standalone) | HTTPS | 443 | Set up network traffic from the Device Services server to the API server if the API component is not installed on the Device Services server. |
| Device Services Hostname | File Storage (dedicated server or set up on an internal application server) | SMB or NFS | Samba/SMB: TCP: 445, 137, 139. UDP: 137, 138; NFS: TCP and UDP: 111 and 2049 | Required for reports. For more information see File Storage Requirement. |
| Device Services Hostname | Database Server | SQL | 1433 |  |
| Device Services Hostname | Exchange Server | HTTP/HTTPS | 80 or 443 | For PowerShell integration, if not using VMware Enterprise Systems Connector |
| Device Services Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | [OPTIONAL] if you don't use VMware Enterprise Systems Connector |
| Device Services Hostname | SMTP Mail Relay | SMTP | 25 or 465 | [OPTIONAL] if you do not use VMware Enterprise Systems Connector |
| Device Services Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM) | [OPTIONAL] if you do not use VMware Enterprise Systems Connector |
| Device Services Hostname | appwrap04.awmdm.com | HTTPS | 443 | AirWatch Cloud iOS App Wrapping Service |
| Device Services Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | AirWatch Cloud Android App Wrapping Service |
| Device Services Hostname | Memcached | TCP | 11211 | Memcached outbound communications |

VMware Workspace ONE Access Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Load Balancer | VMware Workspace ONE Access | HTTPS | 443 |  |
| Workspace ONE Access service | VMware Workspace ONE Access | HTTPS | 443 |  |
| Browsers | VMware Workspace ONE Access | HTTPS | 443 |  |
| Workspace ONE Access service | vapp-updates.vmware.com | HTTPS | 443 | Access to the upgrade server |
| Browsers | VMware Workspace ONE Access | HTTPS | 8443 | Administrator Port |
| Workspace ONE Access service | SMTP | SMTP | 25 | Port to relay outbound mail |
| Workspace ONE Access service | Active Directory | LDAP, LDAPS, MSFT-GC, MSFT-GC-SSL | 389, 636, 3268, 3269 | Default values are listed. These ports are configurable. |
| Workspace ONE Access service | VMware ThinApp repository | TCP | 445 | Access to the ThinApp repository |
| Workspace ONE Access service | RSA SecurID system | UDP | 5500 | Default value is listed. This port is configurable. |
| Workspace ONE Access service | DNS server | TCP/UDP | 53 | Every Workspace ONE Access server must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| Workspace ONE Access service | Domain controller | TCP/UDP | 88, 464, 135 |  |
| Workspace ONE Access service | VMware Workspace ONE Access | TCP | 9300-9400 | Audit needs |
| Workspace ONE Access service | VMware Workspace ONE Access | TCP | 54328 | Audit needs |
| Workspace ONE Access service | Workspace ONE Access Database | TCP | 1433, 5432, 1521 | Microsoft SQL default port is 1433. The PostgreSQL default port is 5432. The Oracle default port is 1521. |
| Workspace ONE Access service | View server |  | 443 | Access to View server. |
| Workspace ONE Access service | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
| Workspace ONE Access service | Workspace ONE UEM REST API | HTTPS | 443 | For device compliance checking and for the Enterprise System Connector Workspace ONE UEM Cloud Connector password authentication method, if that is used. |
| Workspace ONE Access service | Cloud-hosted KCD | UDP | 88 | Port used for Kerberos traffic from the Workspace ONE Access to the hosted cloud KDC service. |
| Adaptiva Server | AW Cloud Connector | UDP | 34320 | Port used for Adaptiva SDK library to send and receive messages to/from Adaptiva Server. |
| iOS mobile device | Cloud-hosted KCD | UDP | 88 | Port used for Kerberos traffic from the iOS device to the hosted cloud KDC service. |
| iOS mobile device | VMware Workspace ONE Access | TCP/UDP | 88 | Port used for Kerberos traffic from iOS device to the built-in KDC |
| iOS mobile device | VMware Workspace ONE Access | UDP | 88 | Port used for Kerberos traffic from iOS device to the hosted cloud KDC service. |
| iOS mobile device | VMware Workspace ONE Access | HTTPS/TCP | 443 | Port used for Kerberos traffic from iOS device to the hosted cloud KDC service. |
| Android mobile device | Workspace ONE UEM HTTPS proxy service | TCP | 5262 | Workspace ONE UEM Tunnel client routes traffic to the HTTPS proxy for Android devices. |
| Browser | VMware Workspace ONE Access | HTTP | 80 | Required |
| Workspace ONE Access service | Ehcache |  | 40002 |  |
| Workspace ONE Access service | RabbitMQ |  | 4269, 5700, and 25672 |  |
| Workspace ONE Access service | Elasticsearch |  | 9200, 9300, 443, 8443, 80 |  |
| Workspace ONE Access service | Android SSO |  | 5262 |  |
| Workspace ONE Access service | Browsers | HTTPS | 6443 | For certificate authentication configured in a Workspace ONE Access on premises DMZ deployment. |

VMware Workspace ONE Access Admin API Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| UEM console Hostname | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |

End-User Device Ports

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Devices (Internet/Wi-Fi) | Device Services Hostname | HTTP/HTTPS | 80 or 443 | Best practice: use HTTPS 443 for additional security. |
| Devices (Internet/Wi-Fi) | SEG Hostname | HTTPS | 443 |  |
| Devices (Internet/Wi-Fi) | VMware Tunnel Hostname | HTTPS | 443, 2020 | For Browser access |
| Devices (Internet/Wi-Fi) | courier.push.apple.com (17.0.0.0/8) | TCP | 5223 and 443 | Apple only. '#' is a random number from 0 to 200. |
| Devices (Internet/Wi-Fi) | *.push.apple.com | TCP | 443, 80, 5223, 2197 | Push notifications |
| Devices (Internet/Wi-Fi) | gdmf.apple.com | TCP | 443 | MDM server to identify which software updates are available to devices that use managed software updates. |
| Devices (Internet/Wi-Fi) | deviceenrollment.apple.com | TCP | 443 | DEP provisional enrollment. |
| Devices (Internet/Wi-Fi) | deviceservices-external.apple.com | TCP | 443 |  |
| Devices (Internet/Wi-Fi) | identity.apple.com | TCP | 443 | APNs certificate request portal. |
| Devices (Internet/Wi-Fi) | iprofiles.apple.com | TCP | 443 | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment |
| Devices (Internet/Wi-Fi) | mdmenrollment.apple.com | TCP | 443 | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts. |
| Devices (Internet/Wi-Fi) | vpp.itunes.apple.com | TCP | 443 | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device. |
| Devices (Internet/Wi-Fi) | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | HTTP/HTTPS | 80 or 443 | Apple only |
| Devices (Internet/Wi-Fi) | mtalk.google.com | TCP | 5228 | For Cloud Messaging, Android only. Proxy Connections not supported. |
| Devices (Internet/Wi-Fi) | play.google.com | HTTPS | 443 | For App Management, Android only |
| Devices (Internet/Wi-Fi) | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
| Devices (Internet/Wi-Fi) | appwrapandroid.awmdm.com | TCP | 443 | Android only |
| Devices (Internet/Wi-Fi) | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| Devices (Internet/Wi-Fi) | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| Devices (Internet/Wi-Fi) | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
| Devices (Internet/Wi-Fi) | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
| Devices (Internet/Wi-Fi) | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
| Devices (Internet/Wi-Fi) | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
| Devices (Internet/Wi-Fi) | clients1.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients2.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients3.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients4.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients5.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | clients6.google.com | TCP | 443 | Android only. Google backend services. |
| Devices (Internet/Wi-Fi) | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| Devices (Internet/Wi-Fi) | www.google.com | TCP | 443 |  |
| Devices (Internet/Wi-Fi) | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
| Devices (Internet/Wi-Fi) | accounts.google.com | TCP | 443 | Android only. Authentication. |
| Devices (Internet/Wi-Fi) | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
| Devices (Internet/Wi-Fi) | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Devices (Internet/Wi-Fi) | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
| Devices (Internet/Wi-Fi) | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 |  |
| Devices (Internet/Wi-Fi) | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| Devices (Internet/Wi-Fi) | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
| Devices (Internet/Wi-Fi) | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Devices (Internet/Wi-Fi) | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Devices (Internet/Wi-Fi) | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Devices (Internet/Wi-Fi) | dl-ssl.google.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
| Devices (Internet/Wi-Fi) | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Devices (Internet/Wi-Fi) | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
| Devices (Internet/Wi-Fi) | *.notify.windows.com | HTTPS | 443 | For Cloud Messaging, Windows 10 |
| Devices (Internet/Wi-Fi) | inference.location.live.net | HTTP/HTTPS | 80 or 443 | Retrieve device location, Windows 10 |
| Devices (Internet/Wi-Fi) | *.notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging. Windows Phone 10 |
| Devices (Internet/Wi-Fi) | wns.windows.com | HTTPS | 443 | Windows Push Notification Service |
| Devices (Internet/Wi-Fi) | has.spserv.microsoft.com | HTTPS | 443 | Health Attestation Services, Windows 10 |
| Devices (Internet/Wi-Fi) | microsoft.com/store/apps | HTTPS | 443 | Public app store access |
| Devices (Internet/Wi-Fi) | bspmts.mp.microsoft.com | HTTPS | 443 | Business store portal app access |
| Devices (Internet/Wi-Fi) | ekop.intel.com/ekcertservice | HTTPS | 443 | For Intel firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
| Devices (Internet/Wi-Fi) | ekcert.spserv.microsoft.com | HTTPS | 443 | For Qualcomm firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
| Devices (Internet/Wi-Fi) | *login.live.com | HTTP/HTTPS | 80 or 443 | Request WNS Channel, Windows 10 |
| Devices (Internet/Wi-Fi) | *.windowsphone.com | HTTP/HTTPS | 80 or 443 | Windows Phone 8 |
| Devices (Internet/Wi-Fi) | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only for health attestation |
| Devices (Internet/Wi-Fi) | Public SSL Cert CRL (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 and 443 |  |
| Devices (Internet/Wi-Fi) | AWCM Server | HTTP/HTTPS | 2001 | Windows Rugged, Android, macOS, Windows 7, and Windows Desktop devices with Workspace ONE UEM Unified Agent only. Windows Desktop devices using the Workspace ONE UEM Unified Agent use the AWCM for real-time notifications. |