Android Enterprise Network Requirements for SOTI MobiControl
SOTI MobiControl uses the following hosts and ports to ensure fully functional Android Enterprise devices.
Firewall Rules
Android devices usually do not require open inbound ports on the network to function correctly. However, administrators must be aware of a number of outbound connections when setting up their network environments for Android Enterprise.
This list is subject to change. This list covers known endpoints for current and past versions of enterprise management APIs. The majority of these APIs are not browsable. You can block port 80 for these URLs (they are all behind SSL).
The rules contained here apply regardless of whether you implement your EMM solution using the Play EMM API or Android Management API.
Traffic to these endpoints must also bypass SSL inspection. SSL-intercepted traffic to Google services is often interpreted as a man-in-the-middle attack and blocked.
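The following probe is an added example, not SOTI's or Google's code. It performs the same check the Android connectivity check (listed in the Devices table below) performs: an HTTPS GET to https://www.google.com/generate_204 must answer HTTP 204 with an empty body. A 200 with a page, a redirect, or a TLS failure is what a device experiences behind a captive portal, a blocking firewall, or an SSL-inspecting proxy. `leaf_issuer()` reports who signed the certificate the client actually receives, which is how an administrator confirms that an interception proxy is not re-signing Google traffic. The User-Agent string is constructed, and no list of "expected" issuers is hard-coded (an assumption of this example; compare the reported issuer against what you see from an uninspected network).

```python
"""Connectivity and SSL-inspection probe for the Google endpoints on this page.

Added example; not SOTI's or Google's code. Only the Python standard library
is used, so it runs on any console or jump host. Network calls happen only
under __main__; classify() is pure and can be exercised offline.
"""
import socket
import ssl
import urllib.error
import urllib.request

CONNECTIVITY_URL = "https://www.google.com/generate_204"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body, error=None):
    """Map a response (or a transport error) to a verdict string."""
    if error is not None:
        return "unreachable"              # DNS, TCP, TLS handshake or timeout failure
    if status == 204 and not body:
        return "ok"                       # exactly what Android expects
    if status in (301, 302, 303, 307, 308):
        return "captive-portal-redirect"  # portal bouncing the client to a login page
    if status == 200:
        return "intercepted"              # content substituted: portal or proxy block page
    return "unexpected"


def probe(url=CONNECTIVITY_URL, timeout=5.0):
    """Fetch url without following redirects and classify the outcome."""
    req = urllib.request.Request(url, headers={"User-Agent": "soti-net-check/1.0"})  # constructed UA
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as exc:    # non-2xx, including the redirects we refused
        return classify(exc.code, exc.read())
    except OSError as exc:                   # URLError, ssl.SSLError and timeouts are OSError subclasses
        return classify(None, b"", error=exc)


def leaf_issuer(host, port=443, timeout=5.0):
    """Return (organizationName, commonName) of the issuer of the served leaf certificate.

    With SSL inspection in path, this is the corporate CA rather than Google's.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = dict(pair[0] for pair in cert["issuer"])
    return issuer.get("organizationName"), issuer.get("commonName")


if __name__ == "__main__":
    print("generate_204:", probe())
    try:
        print("www.google.com issuer:", leaf_issuer("www.google.com"))
    except OSError as exc:
        print("TLS check failed:", exc)
```

Note that if the inspecting proxy's CA is trusted by the host running the probe, `probe()` can still report `ok`; the issuer printed by `leaf_issuer()` is the signal to look at in that case, because Android devices that do not trust that CA will see a TLS failure instead.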
Devices
Destination Host | TCP Ports | Purpose |
---|---|---|
play.google.com, android.com, google-analytics.com, googleusercontent.com, *gstatic.com, *gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com, *gvt2.com, *gvt3.com | TCP/443; TCP, UDP/5228–5230 | Google Play and updates. gstatic.com and googleusercontent.com serve user-generated content (for example, app icons in the store). *gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com and android.clients.google.com download apps and updates and serve Play Store APIs. Play connectivity monitoring uses gvt2.com and gvt3.com for diagnostics. |
*.googleapis.com | TCP/443 | EMM/Google APIs/Play Store APIs |
accounts.google.com, accounts.google.[country] | TCP/443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for the United Kingdom use accounts.google.co.uk. |
gcm-http.googleapis.com, gcm-xmpp.googleapis.com, android.googleapis.com | TCP/443, 5228–5230 | Google Cloud Messaging (for example, EMM console <-> DPC communication, such as pushing configs) |
fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP/443, 5228–5230 | Firebase Cloud Messaging (for example, Find My Device, EMM console <-> DPC communication, such as pushing configs). Does not work with proxies. |
fcm-xmpp.googleapis.com, gcm-xmpp.googleapis.com | TCP/5235, 5236 | Persistent bidirectional XMPP connections to FCM and GCM servers |
pki.google.com, clients1.google.com | TCP/443 | Certificate revocation list checks for Google-issued certificates |
clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP/443 | Domains shared by various Google back-end services such as crash reporting, Chrome bookmark sync, time sync (tlsdate), and many others |
omahaproxy.appspot.com | TCP/443 | Chrome updates |
android.clients.google.com | TCP/443 | CloudDPC download URL used in NFC provisioning |
connectivitycheck.android.com, www.google.com | TCP/443 | Connectivity check before CloudDPC v470. Starting with Android N MR1, the connectivity check requires https://www.google.com/generate_204 to be reachable, or the given Wi-Fi network to point to a reachable PAC file. |
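To turn the table above into something a firewall team can verify, the following added example (not SOTI's or Google's code) encodes the device rows as an allow-list and runs it over egress log lines. The hosts and ports are transcribed from the Devices table. Two things are this example's own assumptions: how the two wildcard spellings are matched (`*.ggpht.com` is read as subdomains only, `*gstatic.com` as the domain itself or any subdomain), and the log line format, which is constructed for the demo. For `accounts.google.[country]` only the two country domains the table names are listed; add your own. Port 80 is deliberately absent, matching the note above that it can be blocked.

```python
"""Egress allow-list audit for the Android Enterprise device endpoints.

Added example; not SOTI's or Google's code. Rules are transcribed from the
Devices table; wildcard semantics and the log format are assumptions.
"""
import re
from dataclasses import dataclass

P5228 = frozenset(range(5228, 5231))   # the 5228–5230 range used by Play, GCM and FCM
HTTPS = frozenset({443})


@dataclass
class Rule:
    hosts: tuple
    tcp: frozenset
    purpose: str
    udp: frozenset = frozenset()       # most rows are TCP-only


DEVICE_RULES = (
    Rule(("play.google.com", "android.com", "google-analytics.com", "googleusercontent.com",
          "*gstatic.com", "*gvt1.com", "*.ggpht.com", "dl.google.com", "dl-ssl.google.com",
          "android.clients.google.com", "*gvt2.com", "*gvt3.com"),
         HTTPS | P5228, "Google Play and updates", udp=P5228),
    Rule(("*.googleapis.com",), HTTPS, "EMM/Google APIs/Play Store APIs"),
    # accounts.google.[country]: only the two examples given in the table (assumption)
    Rule(("accounts.google.com", "accounts.google.com.au", "accounts.google.co.uk"),
         HTTPS, "Authentication"),
    Rule(("gcm-http.googleapis.com", "gcm-xmpp.googleapis.com", "android.googleapis.com"),
         HTTPS | P5228, "Google Cloud Messaging"),
    Rule(("fcm.googleapis.com", "fcm-xmpp.googleapis.com"), HTTPS | P5228, "Firebase Cloud Messaging"),
    Rule(("fcm-xmpp.googleapis.com", "gcm-xmpp.googleapis.com"), frozenset({5235, 5236}),
         "Persistent XMPP to FCM/GCM"),
    Rule(("pki.google.com", "clients1.google.com"), HTTPS, "CRL checks"),
    Rule(tuple(f"clients{n}.google.com" for n in range(2, 7)), HTTPS, "Shared Google back-end services"),
    Rule(("omahaproxy.appspot.com",), HTTPS, "Chrome updates"),
    Rule(("connectivitycheck.android.com", "www.google.com"), HTTPS, "Connectivity check"),
)


def host_matches(pattern, host):
    """Match one table pattern against a hostname (case-insensitive, trailing dot ignored)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):                 # "*.ggpht.com": subdomains only (assumption)
        return host.endswith(pattern[1:])
    if pattern.startswith("*"):                  # "*gstatic.com": the domain or any subdomain (assumption)
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern                       # plain entries are exact matches


def is_allowed(host, port, proto="tcp", rules=DEVICE_RULES):
    """Return the purpose of the first matching rule, or None if the flow is not allowed."""
    for rule in rules:
        ports = rule.tcp if proto == "tcp" else rule.udp
        if port in ports and any(host_matches(p, host) for p in rule.hosts):
            return rule.purpose
    return None


# Constructed log format for the demo: "<timestamp> <src-ip> -> <host>:<port> <proto>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+) (?P<proto>tcp|udp)$")

SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.20.0.15 -> play.google.com:443 tcp
2024-05-01T09:00:02Z 10.20.0.15 -> lh3.ggpht.com:443 tcp
2024-05-01T09:00:03Z 10.20.0.15 -> ggpht.com:443 tcp
2024-05-01T09:00:04Z 10.20.0.15 -> www.gstatic.com:443 tcp
2024-05-01T09:00:05Z 10.20.0.15 -> dl.google.com:80 tcp
2024-05-01T09:00:06Z 10.20.0.15 -> fcm-xmpp.googleapis.com:5235 tcp
2024-05-01T09:00:07Z 10.20.0.15 -> android.clients.google.com:5229 udp
2024-05-01T09:00:08Z 10.20.0.15 -> android.googleapis.com:5229 udp
2024-05-01T09:00:09Z 10.20.0.15 -> updates.example.net:443 tcp
"""


def audit(lines, rules=DEVICE_RULES):
    """Return (host, port, proto, verdict) per parsable line; verdict is the purpose or 'DENY'."""
    results = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                             # skip lines that are not in the expected format
        purpose = is_allowed(m["host"], int(m["port"]), m["proto"], rules)
        results.append((m["host"], int(m["port"]), m["proto"], purpose or "DENY"))
    return results


if __name__ == "__main__":
    for host, port, proto, verdict in audit(SAMPLE_LOG.splitlines()):
        print(f"{verdict:32} {proto}/{port:<5} {host}")
```

In the sample log, `ggpht.com` without a subdomain, `dl.google.com` on port 80, UDP to `android.googleapis.com` (that row is TCP-only) and an unlisted host all come back as `DENY`; the remaining flows map to their table row. Running the same audit over a real egress log is a quick way to spot a rule that was transcribed with the wrong port or wildcard before devices start failing enrollment.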
Console
On-premise EMM consoles need to reach the destinations below from the network to create a Managed Google Play Enterprise, and to access the Managed Google Play iFrame. Google has made the Managed Play iFrame available to EMM developers to simplify search and approval of apps.
Communication from a MobiControl on-premise server should not go directly to Google. It should go to SOTI Services over TLS 1.2:
• Activate2.soti.net:443
Destination Host | TCP Ports | Purpose |
---|---|---|
play.google.com, www.google.com | TCP/443 | Google Play Store; Play Enterprise re-enroll |
fonts.googleapis.com, *.gstatic.com | TCP/443 | iFrame JS, Google fonts, user-generated content (for example, app icons in the store) |
accounts.youtube.com, accounts.google.com, accounts.google.com.* | TCP/443 | Account authentication; country-specific account auth domains |
fcm.googleapis.com | TCP/443, 5228–5230 | Firebase Cloud Messaging (for example, Find My Device, EMM console <-> DPC communication, such as pushing configs) |
crl.pki.goog, ocsp.pki.goog | TCP/443 | Certificate validation |
apis.google.com, ajax.googleapis.com | TCP/443 | GCM, other Google web services, and iFrame JS |
clients1.google.com, payments.google.com, google.com | TCP/443 | App approval |
ogs.google.com | TCP/443 | iFrame UI elements |
notifications.google.com | TCP/443 | Desktop/mobile notifications |
Static IP
Google does not provide specific IP addresses for its service endpoints. To allow traffic based on IP, let your firewall accept outgoing connections to all addresses contained in the IP blocks announced by Google's autonomous system, AS15169.
Note that the IPs of Google peers and edge nodes are not listed in the AS15169 blocks. See peering.google.com for more information about Google’s Edge Network.