End-user devices must be able to reach certain endpoints for access to apps and services. The Network Requirements for Android is a list of known endpoints for current and past versions of enterprise management APIs.
To reach all the endpoints successfully, a direct connection is required. If devices connect through a proxy, direct communication is not possible and certain functions fail.
Destination Host | Ports | Purpose |
---|---|---|
play.google.com, android.com, google-analytics.com, googleusercontent.com, *gstatic.com, *gvt1.com*, *ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com*, gvt2.com, *gvt3.com | TCP/443; TCP,UDP/5228-5230 | Google Play and updates. gstatic.com, googleusercontent.com - contains User Generated Content (e.g. app icons in the store). *gvt1.com, *.ggpht, dl.google.com, dl-ssl.google.com, android.clients.google.com - Download apps and updates, PlayStore APIs. gvt2.com and gvt3.com are used for Play connectivity monitoring for diagnostics. |
*.googleapis.com | TCP/443 | EMM/Google APIs/PlayStore APIs |
accounts.google.com, accounts.google.[country] | TCP/443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for United Kingdom use accounts.google.co.uk. |
fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP/443,5228-5230 | Firebase Cloud Messaging (e.g. Find My Device, EMM Console <-> DPC communication, like pushing configs) |
pki.google.com, clients1.google.com | TCP/443 | Certificate Revocation list checks for Google-issued certificates |
clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP/443 | Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others |
omahaproxy.appspot.com | TCP/443 | Chrome updates |
android.clients.google.com | TCP/443 | CloudDPC download URL used in NFC provisioning |
connectivitycheck.android.com, www.google.com | TCP/443 | Connectivity check prior to CloudDPC v470. Android connectivity check starting with N MR1 requires https://www.google.com/generate_204 to be reachable, or for the given WiFi network to point to a reachable PAC file. Also required for AOSP devices running Android 7.0 or later. |
www.google.com, www.google.com/generate_204 | | AOSP devices running Android 7.0 or later |
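
As an added example (not part of the original documentation), the Python below checks firewall deny-log lines against a subset of the device endpoint table above and reports which blocked connections correspond to a listed requirement. The log format, the rule subset, the sample lines, and all function names are assumptions made for illustration.

```python
import re

# Subset of the device table above: host pattern, {protocol: port ranges}, purpose.
WEB = {"tcp": [(443, 443)]}
PUSH = {"tcp": [(443, 443), (5228, 5230)]}
PLAY = {"tcp": [(443, 443), (5228, 5230)], "udp": [(5228, 5230)]}
RULES = [
    ("play.google.com", PLAY, "Google Play and updates"),
    ("*.googleapis.com", WEB, "EMM/Google APIs/PlayStore APIs"),
    ("fcm.googleapis.com", PUSH, "Firebase Cloud Messaging"),
    ("accounts.google.[country]", WEB, "Authentication"),
]
# accounts.google.com plus local forms (.de, .com.au, .co.uk); look-alike suffixes fail.
COUNTRY = re.compile(r"accounts\.google\.(com|[a-z]{2}|com?\.[a-z]{2})")

def host_matches(pattern, host):
    host = host.lower().rstrip(".")
    if pattern == "accounts.google.[country]":
        return COUNTRY.fullmatch(host) is not None
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # subdomains only, not the bare domain
    return host == pattern

def required_purpose(host, proto, port):
    """Return the table's purpose if host/proto/port is a listed requirement, else None."""
    for pattern, ports, purpose in RULES:
        ranges = ports.get(proto.lower(), [])
        if host_matches(pattern, host) and any(lo <= port <= hi for lo, hi in ranges):
            return purpose
    return None

def blocked_requirements(log_lines):
    """Return (host, proto, port, purpose) for each DENY that hits a listed endpoint."""
    hits = []
    for line in log_lines:
        f = line.split()
        if len(f) == 6 and f[1] == "DENY" and f[5].isdigit():
            purpose = required_purpose(f[4], f[2], int(f[5]))
            if purpose:
                hits.append((f[4], f[2].lower(), int(f[5]), purpose))
    return hits

# Constructed sample log (format assumed): timestamp action proto src dst_host dst_port
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z DENY tcp 10.0.0.12 fcm.googleapis.com 5228",
    "2024-05-01T10:00:02Z ALLOW tcp 10.0.0.12 play.google.com 443",
    "2024-05-01T10:00:03Z DENY udp 10.0.0.12 play.google.com 5229",
    "2024-05-01T10:00:04Z DENY tcp 10.0.0.12 accounts.google.co.uk 443",
    "2024-05-01T10:00:05Z DENY tcp 10.0.0.12 accounts.google.com.example.net 443",
]
```

Calling `blocked_requirements(SAMPLE_LOG)` returns the three denied connections that match a table row; the allowed connection and the look-alike host are not reported.
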
Firewall Rules for Consoles
If an EMM console is located on-premise, the destinations below need to be reachable from the network in order to create a Managed Google Play Enterprise and to access the Managed Google Play iFrame.
These requirements reflect current Google Cloud requirements and are subject to change.
Destination Host | Ports | Purpose |
---|---|---|
play.google.com, www.google.com | TCP/443 | Google Play Store, Play Enterprise re-enroll |
fonts.googleapis.com*, .gstatic.com | TCP/443 | iFrame JS, Google fonts, User Generated Content (e.g. app icons in the store) |
accounts.youtube.com, accounts.google.com, accounts.google.com.* | TCP/443 | Account Authentication, Country-specific account auth domains |
apis.google.com, ajax.googleapis.com | TCP/443 | GCM, other Google web services, and iFrame JS |
clients1.google.com, payments.google.com, google.com | TCP/443 | App approval |
ogs.google.com | TCP/443 | iFrame UI elements |
notifications.google.com | TCP/443 | Desktop/Mobile Notifications |