Android Enterprise Network Requirements for SOTI MobiControl

SOTI MobiControl uses the following hosts and ports to ensure fully functional Android Enterprise devices.

Tip: For the complete list of hosts and ports that Android Enterprise devices use, see Android Enterprise Network Requirements.

Firewall Rules

Android devices usually do not require open, inbound ports on the network to function correctly. However, administrators must be aware of a number of outbound connections when setting up their network environments for Android Enterprise.

This list is subject to change. This list covers known endpoints for current and past versions of enterprise management APIs. The majority of these APIs are not browsable. You can block port 80 for these URLs (they are all behind SSL).

The rules contained here apply regardless of whether you implement your EMM solution using the Play EMM API or Android Management API.

Traffic to these endpoints must also bypass SSL inspection. SSL-intercepted traffic to Google services is often interpreted as a man-in-the-middle attack and blocked.

Note: OEMs often have their own hosts that need to be accessible for their devices to function. Contact your OEM for any additionally required ports.

Devices

| Destination Host | TCP Ports | Purpose |
|---|---|---|
| play.google.com, android.com, google-analytics.com, googleusercontent.com, *gstatic.com, *gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com, *gvt2.com, *gvt3.com | TCP/443; TCP, UDP/5228–5230 | Google Play and updates. gstatic.com and googleusercontent.com host user-generated content (for example, app icons in the store). *gvt1.com, *.ggpht, dl.google.com, dl-ssl.google.com and android.clients.google.com are used to download apps and updates and for Play Store APIs. Play connectivity monitoring uses gvt2.com and gvt3.com for diagnostics. |
| *.googleapis.com | TCP/443 | EMM/Google APIs/Play Store APIs |
| accounts.google.com, accounts.google.[country] | TCP/443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for the United Kingdom use accounts.google.co.uk. |
| gcm-http.googleapis.com, gcm-xmpp.googleapis.com, android.googleapis.com | TCP/443, 5228–5230 | Google Cloud Messaging (for example, EMM Console <-> DPC communication, like pushing configs) |
| fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP/443, 5228–5230 | Firebase Cloud Messaging (for example, Find My Device, EMM Console <-> DPC communication, like pushing configs). Does not work with proxies. |
| fcm-xmpp.googleapis.com, gcm-xmpp.googleapis.com | TCP/5235, 5236 | When using a persistent bidirectional XMPP connection to FCM and GCM servers |
| pki.google.com, clients1.google.com | TCP/443 | Certificate Revocation List checks for Google-issued certificates |
| clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP/443 | Domains shared by various Google back-end services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others |
| omahaproxy.appspot.com | TCP/443 | Chrome updates |
| android.clients.google.com | TCP/443 | CloudDPC download URL used in NFC provisioning |
| connectivitycheck.android.com, www.google.com | TCP/443 | Connectivity check before CloudDPC v470. Starting with Android N MR1, the connectivity check requires https://www.google.com/generate_204 to be reachable, or the given Wi-Fi network must point to a reachable PAC file. |
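As an added example (not part of the SOTI or Google documentation), the following Python matches firewall deny-log entries against a subset of the Devices table above, so a blocked-but-required destination can be spotted before devices are enrolled. The log line format, the reading of `*gstatic.com` as apex plus subdomains, and the per-host port sets are assumptions made for this example.

```python
import re
# Subset of the Devices table above: (host pattern, TCP ports, purpose).
REQUIRED = [
    ("play.google.com", {443, 5228, 5229, 5230}, "Google Play and updates"),
    ("*gstatic.com", {443}, "Google Play and updates"),
    ("*.ggpht.com", {443}, "Download apps and updates"),
    ("accounts.google.[country]", {443}, "Authentication"),
    ("fcm-xmpp.googleapis.com", {5235, 5236}, "Persistent XMPP to FCM"),
]

def host_matches(pattern: str, host: str) -> bool:
    """Match one destination host against a pattern as written on the page."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.endswith(".[country]"):
        # accounts.google.[country]: a TLD or ccTLD such as com, com.au, co.uk
        base = re.escape(pattern[: -len("[country]")])
        return re.fullmatch(base + r"[a-z]{2,}(\.[a-z]{2,})?", host) is not None
    if pattern.startswith("*."):
        # *.ggpht.com: subdomains only, the bare apex is not covered
        return host.endswith(pattern[1:]) and host != pattern[2:]
    if pattern.startswith("*"):
        # *gstatic.com (no dot): read as apex plus subdomains, not any suffix
        apex = pattern[1:]
        return host == apex or host.endswith("." + apex)
    return host == pattern

def required_purpose(host: str, port: int):
    """Return the purpose if host:port is on the allowlist, else None."""
    for pattern, ports, purpose in REQUIRED:
        if port in ports and host_matches(pattern, host):
            return purpose
    return None

# Hypothetical deny-log format, constructed for this example.
LOG_RE = re.compile(r"action=(?P<action>\w+) dst=(?P<host>[\w.\-]+):(?P<port>\d+)")
def find_blocked_required(log_lines):
    """List (host, port, purpose) for denied connections that devices need."""
    hits = []
    for m in filter(None, map(LOG_RE.search, log_lines)):
        purpose = required_purpose(m["host"], int(m["port"]))
        if m["action"].lower() == "deny" and purpose:
            hits.append((m["host"], int(m["port"]), purpose))
    return hits
# Constructed sample firewall log lines, not real traffic.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z action=deny dst=fcm-xmpp.googleapis.com:5235 proto=tcp",
    "2024-01-01T10:00:01Z action=allow dst=play.google.com:443 proto=tcp",
    "2024-01-01T10:00:02Z action=deny dst=accounts.google.co.uk:443 proto=tcp",
    "2024-01-01T10:00:04Z action=deny dst=ggpht.com:443 proto=tcp",
]
```

Calling `find_blocked_required(SAMPLE_LOG)` flags the XMPP port and the UK accounts domain; the bare `ggpht.com` deny is ignored because `*.ggpht.com` only covers subdomains.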

Console

On-premise EMM consoles need to reach the destinations below from the network to create a Managed Google Play Enterprise, and to access the Managed Google Play iFrame. Google has made the Managed Play iFrame available to EMM developers to simplify search and approval of apps.

Communication from a MobiControl on-premise server should not go directly to Google. It should go to SOTI Services over TLS 1.2:

• Activate2.soti.net:443

| Destination Host | TCP Ports | Purpose |
|---|---|---|
| play.google.com, www.google.com | TCP/443 | Google Play Store; Play Enterprise re-enroll |
| fonts.googleapis.com, *.gstatic.com | TCP/443 | iFrame JS; Google fonts; user-generated content (for example, app icons in the store) |
| accounts.youtube.com, accounts.google.com, accounts.google.com.* | TCP/443 | Account authentication; country-specific account auth domains |
| fcm.googleapis.com | TCP/443, 5228–5230 | Firebase Cloud Messaging (for example, Find My Device, EMM Console <-> DPC communication, like pushing configs) |
| crl.pki.goog, ocsp.pki.goog | TCP/443 | Certificate validation |
| apis.google.com, ajax.googleapis.com | TCP/443 | GCM, other Google web services, and iFrame JS |
| clients1.google.com, payments.google.com, google.com | TCP/443 | App approval |
| ogs.google.com | TCP/443 | iFrame UI elements |
| notifications.google.com | TCP/443 | Desktop/mobile notifications |

Static IP

Google does not provide specific IP addresses for its service endpoints. To allow traffic based on IP, let your firewall accept outgoing connections to all addresses contained in the IP blocks listed in Google's ASN of 15169.

Note that the IPs of Google peers and edge nodes are not listed in the AS15169 blocks. See peering.google.com for more information about Google’s Edge Network.

Note: For more information about changing port requirements, see the Android Enterprise Help documentation.