The Workspace ONE UEM console and Device Services servers must communicate with several internal and external endpoints for functionality. End-user devices must also reach certain endpoints for access to applications and services. Learn more about how to ensure your network meets the Workspace ONE UEM requirements.
For the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component. Workspace ONE UEM supports IPv6 protocol for all ports and components.
Console Server Ports

Source Component | Destination Component | Protocol | Port | Notes |
---|---|---|---|---|
UEM console Hostname | discovery.awmdm.com | HTTPS | 443 | Optional, for AutoDiscovery |
UEM console Hostname | signing.awmdm.com | HTTPS | 443 | Mandatory for Workspace ONE Baselines. Optional, for AutoDiscovery |
UEM console Hostname | awcp.air-watch.com | HTTPS | 443 | Optional, for APNs Certificate. Proxy Connections not supported. |
UEM console Hostname | gem.awmdm.com | HTTPS | 443 | Workspace ONE UEM Analytics in myAirWatch |
UEM console Hostname | appwrap04.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud iOS App Wrapping Service |
UEM console Hostname | gateway.push.apple.com (17.0.0.0/8) | TCP | 2195 | Apple iOS and macOS only |
UEM console Hostname | feedback.push.apple.com (17.0.0.0/8) | TCP | 2196 | Apple iOS and macOS only |
UEM console Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
UEM console Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
UEM console Hostname | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
UEM console Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
UEM console Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
UEM console Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
UEM console Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
UEM console Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
UEM console Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
UEM console Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
UEM console Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
UEM console Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
UEM console Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
UEM console Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
UEM console Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
UEM console Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
UEM console Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
UEM console Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
UEM console Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
UEM console Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
UEM console Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
UEM console Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
UEM console Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 | |
UEM console Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
UEM console Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
UEM console Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
UEM console Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
UEM console Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
UEM console Hostname | inference.location.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
UEM console Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
UEM console Hostname | next-services.apps.microsoft.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows 8/RT only |
UEM console Hostname | *.windowsphone.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows Phone 8 only |
UEM console Hostname | login.live.com | HTTPS | 443 | For Cloud Messaging for Windows devices |
UEM console Hostname | login.windows.net/{TenantName} | HTTPS | 443 | Windows 10 only, where {TenantName} is the domain name of your tenant in Azure |
UEM console Hostname | graph.windows.net | HTTPS | 443 | Windows 10 only |
UEM console Hostname | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only, for health attestation |
UEM console Hostname | *.virtualearth.net | HTTP/HTTPS | 80 or 443 | For location services Bing Maps integration |
UEM console Hostname | Apple iTunes: itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple iOS and macOS only |
UEM console Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
UEM console Hostname | api.push.apple.com | HTTPS | 443 | Apple iOS and macOS only |
UEM console Hostname | gateway.celltrust.net (162.42.205.0/24) | HTTPS | 443 | Only requires the use of 443 when using SMS integration |
UEM console Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 | Optional, if Console is publicly accessible |
UEM console Hostname | CRL: http://crl3.digicert.com/sha2-assured-cs-g1.crl, http://crl4.digicert.com/sha2-assured-cs-g1.crl | HTTP | 80 | Supports code-signing verification of Workspace ONE UEM code post-installation. |
UEM console Hostname | All Workspace ONE UEM Servers | HTTPS | 443 | |
UEM console Hostname | AWCM server | HTTPS | 2001 | AWCM may be installed on your Device Services server. |
UEM console Hostname | Workspace ONE UEM API server (if standalone) | HTTPS | 443 | Set up network traffic from the Console server to the API server if the API component is not installed on the Console server. The API component may be installed on your Device Services server. |
UEM console Hostname | File Storage (if not set up on Console server) | SMB or NFS | Samba/SMB: TCP: 445, 137, 139; UDP: 137, 138. NFS: TCP and UDP: 111 and 2049 | Required for reports. For more information see File Storage Requirement. |
UEM console Hostname | Workspace ONE UEM Database server | SQL | 1433 | |
UEM console Hostname | Exchange Server | HTTP/HTTPS | 80 or 443 | For PowerShell integration, if not using VMware Enterprise Systems Connector |
UEM console Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | For LDAP integration |
UEM console Hostname | SMTP Mail Relay | SMTP | 25 or 465 | For SMTP integration |
UEM console Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM) | For PKI integration |
UEM console Hostname | Memcached | TCP | 11211 | Memcached outbound communications |
UEM console Hostname | https://gdmf.apple.com/v2/pmv | TCP | 443 | [OPTIONAL] iOS Updates functionality. Note: This endpoint is secured with an Apple Internal Certificate (Non-Public PKI). Trusting this certificate is a requirement for this functionality. |

Console Server Admin API Ports

Source Component | Destination Component | Protocol | Port | Notes |
---|---|---|---|---|
Admin Browser | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |
Admin Browser | UEM console Hostname | HTTPS | 443 | Console Access |
Admin Browser | API Server Hostname | HTTPS | 443 | Astro APIs |

API Server Ports (if standalone)

Source Component | Destination Component | Protocol | Port | Notes |
---|---|---|---|---|
API Server Hostname | Workspace ONE UEM Database server | SQL | 1433 | |
API Server Hostname | AWCM server | HTTPS | 2001 | If AWCM is hosted on device services, then direct to the Device Services server. |
API Server Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | Only required if you are integrating with Workspace ONE Access without the use of VMware Enterprise Systems Connector. |
API Server Hostname | vmwarebaselines.com | HTTPS | 443 | AWS-hosted VMware Policy Catalog Service. Mandatory for Workspace ONE Baselines. |
API Server Hostname | android.googleapis.com, play.google.com | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Android devices. |
API Server Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
API Server Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
API Server Hostname | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
API Server Hostname | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
API Server Hostname | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
API Server Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
API Server Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
API Server Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
API Server Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
API Server Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
API Server Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
API Server Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
API Server Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
API Server Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
API Server Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
API Server Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
API Server Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
API Server Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
API Server Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
API Server Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
API Server Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 | |
API Server Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
API Server Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
API Server Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
API Server Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
API Server Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
API Server Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
API Server Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
API Server Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
API Server Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
API Server Hostname | inference.location.live.net, *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices. |
API Server Hostname | gateway.push.apple.com (17.0.0.0/8), feedback.push.apple.com (17.0.0.0/8) | TCP | 2195, 2196, 2197 | For Apple iOS and macOS cloud messaging. Proxy Connections not supported. |
API Server Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
API Server Hostname | api.push.apple.com | HTTPS | 443 | For Apple iOS and macOS cloud messaging. Proxy Connections not supported. |
API Server Hostname | Memcached | TCP | 11211 | Memcached outbound communications |

Workspace ONE Access Admin API Ports

Source Component | Destination Component | Protocol | Port | Notes |
---|---|---|---|---|
Workspace ONE Access Service | API Server Hostname | HTTPS | 443 | Auth Token Request |
API Server Hostname | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |

Device Services Server Ports

Source Component | Destination Component | Protocol | Port | Notes |
---|---|---|---|---|
Device Services Hostname | discovery.awmdm.com | HTTPS | 443 | Optional – For auto discovery functionality |
Device Services Hostname | signing.awmdm.com | HTTPS | 443 | Optional – For auto discovery functionality |
Device Services Hostname | gateway.push.apple.com | TCP | 2195 | Apple only |
Device Services Hostname | feedback.push.apple.com | TCP | 2196 | Apple only |
Device Services Hostname | www.google.com | HTTPS | 443 | Google devices running Android 8.0+ |
Device Services Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
Device Services Hostname | appwrapandroid.awmdm.com | TCP | 443 | Android only |
Device Services Hostname | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
Device Services Hostname | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
Device Services Hostname | fcm.googleapis.com | TCP | 443, 5228-5230 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
Device Services Hostname | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
Device Services Hostname | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
Device Services Hostname | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
Device Services Hostname | clients1.google.com | TCP | 443 | Android only. Google backend services. |
Device Services Hostname | clients2.google.com | TCP | 443 | Android only. Google backend services. |
Device Services Hostname | clients3.google.com | TCP | 443 | Android only. Google backend services. |
Device Services Hostname | clients4.google.com | TCP | 443 | Android only. Google backend services. |
Device Services Hostname | clients5.google.com | TCP | 443 | Android only. Google backend services. |
Device Services Hostname | clients6.google.com | TCP | 443 | Android only. Google backend services. |
Device Services Hostname | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
Device Services Hostname | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
Device Services Hostname | accounts.google.com | TCP | 443 | Android only. Authentication. |
Device Services Hostname | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
Device Services Hostname | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
Device Services Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
Device Services Hostname | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 | |
Device Services Hostname | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
Device Services Hostname | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
Device Services Hostname | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
Device Services Hostname | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
Device Services Hostname | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
Device Services Hostname | cri.pki.goog | CRL | 443, 80 | Certificate validation |
Device Services Hostname | ocsp.pki.goog | CRL | 443, 80 | Certificate validation |
Device Services Hostname | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
Device Services Hostname | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
Device Services Hostname | android.googleapis.com | HTTP/HTTPS | 80 and 443 | Android only |
Device Services Hostname | play.google.com | HTTPS | 443 | Android only |
Device Services Hostname | android.clients.google.com | TCP | 80 | Android app management only |
Device Services Hostname | awcp.air-watch.com | HTTPS | 443 | Optional, for APNs Certificate. Proxy Connections not supported. |
Device Services Hostname | inference.location.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
Device Services Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
Device Services Hostname | *.windowsphone.com | HTTP | 80 | For App Management, Windows Phone 8 only |
Device Services Hostname | next-services.apps.microsoft.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows 8/RT only |
Device Services Hostname | login.live.com | HTTPS | 443 | For Cloud Messaging for Windows devices |
Device Services Hostname | login.windows.net/{TenantName} | HTTPS | 443 | Windows 10 only. Where {TenantName} is the domain name of your tenant in Azure. |
Device Services Hostname | graph.windows.net | HTTPS | 443 | Windows 10 only |
Device Services Hostname | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only for health attestation |
Device Services Hostname | Apple iTunes: itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple only |
Device Services Hostname | mdmenrollment.apple.com | TCP | 443 | Apple iOS, tvOS, and macOS only |
Device Services Hostname | api.push.apple.com | HTTPS | 443 | Apple only |
Device Services Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 | |
Device Services Hostname | CRL: http://crl3.digicert.com/sha2-assured-cs-g1.crl, http://crl4.digicert.com/sha2-assured-cs-g1.crl | HTTP | 80 | Supports code-signing verification of Workspace ONE UEM code post-installation. |
Device Services Hostname | All Workspace ONE UEM Servers | HTTPS | 443 | |
Device Services Hostname | AWCM (if standalone) | HTTPS | 2001 | Set up network traffic from the Device Services server to the AWCM server if the AWCM component is not installed on the Device Services server. |
Device Services Hostname | Workspace ONE UEM API server (if standalone) | HTTPS | 443 | Set up network traffic from the Device Services server to the API server if the API component is not installed on the Device Services server. |
Device Services Hostname | File Storage (dedicated server or set up on an internal application server) | SMB or NFS | Samba/SMB: TCP: 445, 137, 139; UDP: 137, 138. NFS: TCP and UDP: 111 and 2049 | Required for reports. For more information see File Storage Requirement. |
Device Services Hostname | Database Server | SQL | 1433 | |
Device Services Hostname | Exchange Server | HTTP/HTTPS | 80 or 443 | For PowerShell integration, if not using VMware Enterprise Systems Connector |
Device Services Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | [OPTIONAL] if you don't use VMware Enterprise Systems Connector |
Device Services Hostname | SMTP Mail Relay | SMTP | 25 or 465 | [OPTIONAL] if you do not use VMware Enterprise Systems Connector |
Device Services Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM) | [OPTIONAL] if you do not use VMware Enterprise Systems Connector |
Device Services Hostname | appwrap04.awmdm.com | HTTPS | 443 | AirWatch Cloud iOS App Wrapping Service |
Device Services Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | AirWatch Cloud Android App Wrapping Service |
Device Services Hostname | Memcached | TCP | 11211 | Memcached outbound communications |

VMware Workspace ONE Access Ports

Source Component | Destination Component | Protocol | Port | Notes |
---|---|---|---|---|
Load Balancer | VMware Workspace ONE Access | HTTPS | 443 | |
Workspace ONE Access service | VMware Workspace ONE Access | HTTPS | 443 | |
Browsers | VMware Workspace ONE Access | HTTPS | 443 | |
Workspace ONE Access service | vapp-updates.vmware.com | HTTPS | 443 | Access to the upgrade server |
Browsers | VMware Workspace ONE Access | HTTPS | 8443 | Administrator Port |
Workspace ONE Access service | SMTP | SMTP | 25 | Port to relay outbound mail |
Workspace ONE Access service | Active Directory | LDAP, LDAPS, MSFT-GC, MSFT-GC-SSL | 389, 636, 3268, 3269 | Default values are listed. These ports are configurable. |
Workspace ONE Access service | VMware ThinApp repository | TCP | 445 | Access to the ThinApp repository |
Workspace ONE Access service | RSA SecurID system | UDP | 5500 | Default value is listed. This port is configurable. |
Workspace ONE Access service | DNS server | TCP/UDP | 53 | Every Workspace ONE Access server must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
Workspace ONE Access service | Domain controller | TCP/UDP | 88, 464, 135 | |
Workspace ONE Access service | VMware Workspace ONE Access | TCP | 9300-9400 | Audit needs |
Workspace ONE Access service | VMware Workspace ONE Access | TCP | 54328 | Audit needs |
Workspace ONE Access service | Workspace ONE Access Database | TCP | 1433, 5432, 1521 | Microsoft SQL default port is 1433. The PostgreSQL default port is 5432. The Oracle default port is 1521. |
Workspace ONE Access service | View server | | 443 | Access to View server. |
Workspace ONE Access service | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
Workspace ONE Access service | Workspace ONE UEM REST API | HTTPS | 443 | For device compliance checking and for the Enterprise System Connector Workspace ONE UEM Cloud Connector password authentication method, if that is used. |
Workspace ONE Access service | Cloud-hosted KCD | UDP | 88 | Port used for Kerberos traffic from the Workspace ONE Access to the hosted cloud KDC service. |
Adaptiva Server | AW Cloud Connector | UDP | 34320 | Port used for Adaptiva SDK library to send and receive messages to/from Adaptiva Server. |
iOS mobile device | Cloud-hosted KCD | UDP | 88 | Port used for Kerberos traffic from the iOS device to the hosted cloud KDC service. |
iOS mobile device | VMware Workspace ONE Access | TCP/UDP | 88 | Port used for Kerberos traffic from iOS device to the built-in KDC |
iOS mobile device | VMware Workspace ONE Access | UDP | 88 | Port used for Kerberos traffic from iOS device to the hosted cloud KDC service. |
iOS mobile device | VMware Workspace ONE Access | HTTPS/TCP | 443 | Port used for Kerberos traffic from iOS device to the hosted cloud KDC service. |
Android mobile device | Workspace ONE UEM HTTPS proxy service | TCP | 5262 | Workspace ONE UEM Tunnel client routes traffic to the HTTPS proxy for Android devices. |
Browser | VMware Workspace ONE Access | HTTP | 80 | Required |
Workspace ONE Access service | Ehcache | | 40002 | |
Workspace ONE Access service | RabbitMQ | | 4269, 5700, and 25672 | |
Workspace ONE Access service | Elasticsearch | | 9200, 9300, 443, 8443, 80 | |
Workspace ONE Access service | Android SSO | | 5262 | |
Workspace ONE Access service | Browsers | HTTPS | 6443 | For certificate authentication configured in a Workspace ONE Access on premises DMZ deployment. |

VMware Workspace ONE Access Admin API Ports

Source Component | Destination Component | Protocol | Port | Notes |
---|---|---|---|---|
UEM console Hostname | VMware Workspace ONE Access | HTTPS | 443 | Astro APIs |

End-User Device Ports

Source Component | Destination Component | Protocol | Port | Notes |
---|---|---|---|---|
Devices (Internet/Wi-Fi) | Device Services Hostname | HTTP/HTTPS | 80 or 443 | Best practice: use HTTPS 443 for additional security. |
Devices (Internet/Wi-Fi) | SEG Hostname | HTTPS | 443 | |
Devices (Internet/Wi-Fi) | VMware Tunnel Hostname | HTTPS | 443, 2020 | For Browser access |
Devices (Internet/Wi-Fi) | courier.push.apple.com (17.0.0.0/8) | TCP | 5223 and 443 | Apple only. '#' is a random number from 0 to 200. |
Devices (Internet/Wi-Fi) | *.push.apple.com | TCP | 443, 80, 5223, 2197 | Push notifications |
Devices (Internet/Wi-Fi) | gdmf.apple.com | TCP | 443 | MDM server to identify which software updates are available to devices that use managed software updates. |
Devices (Internet/Wi-Fi) | deviceenrollment.apple.com | TCP | 443 | DEP provisional enrollment. |
Devices (Internet/Wi-Fi) | deviceservices-external.apple.com | TCP | 443 | |
Devices (Internet/Wi-Fi) | identity.apple.com | TCP | 443 | APNs certificate request portal. |
Devices (Internet/Wi-Fi) | iprofiles.apple.com | TCP | 443 | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment |
Devices (Internet/Wi-Fi) | mdmenrollment.apple.com | TCP | 443 | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts. |
Devices (Internet/Wi-Fi) | vpp.itunes.apple.com | TCP | 443 | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device. |
Devices (Internet/Wi-Fi) | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | HTTP/HTTPS | 80 or 443 | Apple only |
Devices (Internet/Wi-Fi) | mtalk.google.com | TCP | 5228 | For Cloud Messaging, Android only. Proxy Connections not supported. |
Devices (Internet/Wi-Fi) | play.google.com | HTTPS | 443 | For App Management, Android only |
Devices (Internet/Wi-Fi) | appwrapandroid.awmdm.com | HTTPS | 443 | Workspace ONE UEM Cloud Android App Wrapping Service |
Devices (Internet/Wi-Fi) | appwrapandroid.awmdm.com | TCP | 443 | Android only |
Devices (Internet/Wi-Fi) | gcm-http.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
Devices (Internet/Wi-Fi) | gcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
Devices (Internet/Wi-Fi) | fcm.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; Firebase Cloud Messaging. Proxy Connections not supported. |
Devices (Internet/Wi-Fi) | fcm-xmpp.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only; DPC Communication |
Devices (Internet/Wi-Fi) | android.googleapis.com | TCP | 443, 5228-5230, 5235, 5236 | Android only |
Devices (Internet/Wi-Fi) | pki.google.com | TCP | 443 | Android only. Certificate revocation. |
Devices (Internet/Wi-Fi) | clients1.google.com | TCP | 443 | Android only. Google backend services. |
Devices (Internet/Wi-Fi) | clients2.google.com | TCP | 443 | Android only. Google backend services. |
Devices (Internet/Wi-Fi) | clients3.google.com | TCP | 443 | Android only. Google backend services. |
Devices (Internet/Wi-Fi) | clients4.google.com | TCP | 443 | Android only. Google backend services. |
Devices (Internet/Wi-Fi) | clients5.google.com | TCP | 443 | Android only. Google backend services. |
Devices (Internet/Wi-Fi) | clients6.google.com | TCP | 443 | Android only. Google backend services. |
Devices (Internet/Wi-Fi) | android.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
Devices (Internet/Wi-Fi) | www.google.com | TCP | 443 | |
Devices (Internet/Wi-Fi) | *.googleapis.com | TCP | 443 | Android only. Google APIs, Play Store APIs. |
Devices (Internet/Wi-Fi) | accounts.google.com | TCP | 443 | Android only. Authentication. |
Devices (Internet/Wi-Fi) | play.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only |
Devices (Internet/Wi-Fi) | android.clients.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
Devices (Internet/Wi-Fi) | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in the UEM console |
Devices (Internet/Wi-Fi) | google-analytics.com | TCP; TCP, UDP | 443; 5228-5230 | |
Devices (Internet/Wi-Fi) | googleusercontent.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
Devices (Internet/Wi-Fi) | gstatic.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. User Generated Content (e.g. app icons in the store). |
Devices (Internet/Wi-Fi) | *.gvt1.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
Devices (Internet/Wi-Fi) | *gvt2.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
Devices (Internet/Wi-Fi) | *gvt3.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
Devices (Internet/Wi-Fi) | dl-ssl.google.com | TCP, UDP | 443, 5228-5230 | Download apps and updates, Play Store APIs |
Devices (Internet/Wi-Fi) | *.ggpht.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
Devices (Internet/Wi-Fi) | dl.google.com | TCP; TCP, UDP | 443; 5228-5230 | Android only. Download apps and updates, Play Store APIs. |
Devices (Internet/Wi-Fi) | *.notify.windows.com | HTTPS | 443 | For Cloud Messaging, Windows 10 |
Devices (Internet/Wi-Fi) | inference.location.live.net | HTTP/HTTPS | 80 or 443 | Retrieve device location, Windows 10 |
Devices (Internet/Wi-Fi) | *.notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging. Windows Phone 10 |
Devices (Internet/Wi-Fi) | wns.windows.com | HTTPS | 443 | Windows Push Notification Service |
Devices (Internet/Wi-Fi) | has.spserv.microsoft.com | HTTPS | 443 | Health Attestation Services, Windows 10 |
Devices (Internet/Wi-Fi) | microsoft.com/store/apps | HTTPS | 443 | Public app store access |
Devices (Internet/Wi-Fi) | bspmts.mp.microsoft.com | HTTPS | 443 | Business store portal app access |
Devices (Internet/Wi-Fi) | ekop.intel.com/ekcertservice | HTTPS | 443 | For Intel firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
Devices (Internet/Wi-Fi) | ekcert.spserv.microsoft.com | HTTPS | 443 | For Qualcomm firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
Devices (Internet/Wi-Fi) | *login.live.com | HTTP/HTTPS | 80 or 443 | Request WNS Channel, Windows 10 |
Devices (Internet/Wi-Fi) | *.windowsphone.com | HTTP/HTTPS | 80 or 443 | Windows Phone 8 |
Devices (Internet/Wi-Fi) | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only for health attestation |
Devices (Internet/Wi-Fi) | Public SSL Cert CRL (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 and 443 | |
Devices (Internet/Wi-Fi) | AWCM Server | HTTP/HTTPS | 2001 | Windows Rugged, Android, macOS, Windows 7, and Windows Desktop devices with Workspace ONE UEM Unified Agent only. Windows Desktop devices using the Workspace ONE UEM Unified Agent use the AWCM for real-time notifications. |

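
Because every listed flow is outbound from the source component, the tables can be checked against an egress allowlist before deployment. The sketch below is an added example, not VMware code: it parses the Port-cell notation used on this page and flags rows that are blocked or reachable only through a proxy although their Notes say "Proxy Connections not supported". The rule format and its `via` field are hypothetical, and it assumes a comma list means every port is needed while "or" means any one port suffices.

```python
import re
from fnmatch import fnmatchcase

# Rows copied from this page's tables: (destination, Port cell, Notes cell).
REQUIRED = [
    ("discovery.awmdm.com", "443", "Optional, for AutoDiscovery"),
    ("awcp.air-watch.com", "443",
     "Optional, for APNs Certificate. Proxy Connections not supported."),
    ("fcm.googleapis.com", "443, 5228-5230, 5235, 5236",
     "Android only; Firebase Cloud Messaging. Proxy Connections not supported."),
    ("inference.location.live.net", "80 or 443",
     "For Cloud Messaging for Windows devices"),
    ("*gvt2.com", "443, 5228-5230", "Download apps and updates, Play Store APIs"),
]

# Constructed egress allowlist in a hypothetical format (not a product export).
RULES = [
    {"host": "*.awmdm.com", "ports": {443}, "via": "proxy"},
    {"host": "*.googleapis.com", "ports": {443}, "via": "proxy"},
    {"host": "fcm.googleapis.com", "ports": {5228, 5229, 5230}, "via": "direct"},
    {"host": "*.live.net", "ports": {443}, "via": "proxy"},
    {"host": "*gvt2.com", "ports": {443, 5228, 5229, 5230}, "via": "direct"},
]


def parse_ports(cell):
    """Return (mode, ports) for a Port cell such as '443, 5228-5230' or '80 or 443'."""
    mode = "any" if re.search(r"\bor\b", cell) else "all"
    ports = set()
    for lo, hi in re.findall(r"(\d+)(?:\s*-\s*(\d+))?", cell):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return mode, ports


def reach(dest, port, rules):
    """Best path the rules give to dest:port: 'direct', 'proxy' or None."""
    best = None
    for rule in rules:
        # A wildcard requirement is only covered by an equal or broader pattern.
        if port in rule["ports"] and fnmatchcase(dest.lower(), rule["host"].lower()):
            if rule["via"] == "direct":
                return "direct"
            best = "proxy"
    return best


def audit(required, rules):
    """List (destination, port or Port cell, reason) for unmet requirements."""
    findings = []
    for dest, cell, notes in required:
        mode, ports = parse_ports(cell)
        needs_direct = "proxy connections not supported" in notes.lower()
        bad = {}
        for port in sorted(ports):
            path = reach(dest, port, rules)
            if path is None:
                bad[port] = "blocked"
            elif path == "proxy" and needs_direct:
                bad[port] = "proxy-only"
        if mode == "all":
            findings += [(dest, str(p), why) for p, why in bad.items()]
        elif len(bad) == len(ports):  # "or" cell: fails only if no port works
            why = "proxy-only" if "proxy-only" in bad.values() else "blocked"
            findings.append((dest, cell, why))
    return findings


if __name__ == "__main__":
    for finding in audit(REQUIRED, RULES):
        print(*finding, sep="\t")
```
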