Pull service-based relay servers periodically contact the Workspace ONE UEM powered by AirWatch to monitor for new products, profiles, files, actions, and applications provisioned to devices under the pull relay servers purview. Configure a pull server to provision content to devices without excessive bandwidth use.

The server creates an outbound https connection on port 443 to the UEM console and periodically polls for changes or additions. If the server finds changes or additions, then it downloads the new content onto the server before pushing it to its devices.

Pull service is preferred when using a NAT firewall or SaaS environments over on-premises hybrid environments. The reason is that SaaS customers typically do not want the service to tie up bandwidth when content is delivered from Workspace ONE UEM to the store server.

Note: The IP configured in the pull connection / pull discovery must be an internal IP address for the server. The service does not configure correctly if an external IP or NAT IP address is used.

Pull Relay Server Security

Relay Servers may hold sensitive data. Pull servers use HTTPS, which encrypts data in transit. Consider encrypting it in storage as well by using tools like Bitlocker (Windows) and GnuPG (Linux) to enable OS-level encryption on the servers.

To create a pull relay server, you must first have an FTP, Explicit FTPS, Implicit FTPS in Pull configuration (Android only), SFTP, or HTTPS (Pull only) server to function as the relay server. FTP and FTPS servers must be compliant with RFC 959 and RFC 2228 set by the Internet Engineering Task Force.

Important: The ports you configure when you create your FTP, Explicit FTPS, Implicit FTPS in Pull configuration (Android only), SFTP, or HTTPS (Pull only) server must be the same ports you enter when creating a relay server in the Workspace ONE UEM console.

The process covers the installation of one server at a time. For a bulk installation, you must use a third-party application. Workspace ONE UEM supports importing servers in bulk through the Batch Import option. See Batch Import Relay Servers for more information.

Pull Service v2.0 versus v1.0

Pull Service v2.0 is based on Microsoft .NET Core and improves on the security and reliability of Pull Service v1.0. However, Pull Service v2.0 has more specific hardware requirements and requires Workspace ONE UEM 1903 or later. For more information about hardware requirements, see Configure .NET Core Pull Relay Server, PS v2.0.

Consider using Pull Service v2.0 if you meet these requirements.