MDM On Premises Workflow

Architecture
Port details
Set up and Enroll mobile devices

Architecture

ManageEngine Mobile Device Manager Plus can be used to deploy configuration settings, security commands and retrieve asset data over-the-air (OTA).

Fig : Mobile Device Manager Plus- Architecture

All Communications from Mobile Device Manager Plus to the mobile device will be routed through intermediate services such as APNs for iOS devices and FCM for android devices. A live TCP connection is maintained for intermediate service. APNs, FCM and WNS acts an intermediate wake up service to wake up the device whenever an action is triggered to be performed from the Mobile Device Manager Plus. But WNS is used only for devices running Windows 8.1 and is not available for mobile devices running Window 8 OS. Managed mobile device communicates with Mobile Device Manager Plus to receive the instructions and report back the status and data. For the above setup to work, the following should be done.

Assuming users' mobility, Mobile Device Manager Plus Server should be reachable via public IP address. If you are installing Mobile Device Manager Plus Server in the LAN, add an entry in your external router to route the requests to your public IP to the internal IP of the computer where Mobile Device Manager Plus Server is installed. If all the devices managed are within the LAN, this requirement is not needed.

Port Details

Ports that needs to be opened at Mobile Device Manager Plus Server.

These ports needs to be opened at the Mobile Device Manager Plus server irrespective of the operating systems of the mobiles devices.

9383 - Used for secured communication between the ME MDM app and the Mobile Device Manager Plus. (HTTPS port)
443 - Used for secured communication between the Mobile Device Manager Plus server and the FCM and WNS server. (HTTPS port)

Ports that needs to be opened on the server for managing iOS devices

The following URLs, api.push.apple.com:443 and gateway.push.apple.com:2195 and - Should be white listed for the MDM Server to contact Apple Push Notification Services(APNs)
5223 - If the mobile device connects to the internet through the WiFi, then this port should be opened. For better security, you can restrict these connections on the IP range 17.0.0.0/8. If all the managed devices have access to cellular data network, this requirement is not needed (HTTPS port).

Ports that needs to be opened on the server for managing Android devices

Port numbers 5228, 5229, 5230 (HTTPS port). should be open on the fire wall, if the mobile device connects to the internet through WiFi. This enables communication between the mobile devices and the FCM. As FCM doesn't provide specific IPs, you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.

Domain exceptions

Ensure Mobile Device Manager Plus server has permission to reach the following domains:

https://login.live.com,
https://gateway.push.apple.com,
https://android.googleapis.com,
http://creator.zoho.com
https://*.notify.windows.com.
gslb.secb2b.com:443 (only for United States)
us-elm.secb2b.com:443 (only for United States)
us-knox.secb2b.com:443 (only for United States)
china-gslb.secb2b.com.cn:443 (only for China)
china-elm.secb2b.com.cn:443 (only for China)
china-knox.secb2b.com.cn:443 (only for China)
gslb.secb2b.com:443 (Except United States and China)
eu-elm.secb2b.com:443 (Except United States and China)
eu-knox.secb2b.com:443 (Except United States and China)

For more details on ports and type of traffic, refer this.

Setting up and Enrolling the mobile devices:

iOS devices

Android devices

Setting up Knox devices

Setting Up Windows devices

ManageEngine