Overview
A fully operational MDM setup requires a set of CapaInstaller services that are deployed correctly in the company network infrastructure. Consult the illustration and tables below when setting up your network for CapaInstaller MDM.
Services

Service | Port Number | Data Type | Direction | DNS URL (origin if incoming, destination if outgoing) | Description |
---|---|---|---|---|---|
cimdm | 443 (SSL) | TCP | PUBLIC -> DMZ | CapaInstaller DMZ server | Mobile devices get configurations and applications |
cimdm | 8443 (SSL) OMA DM Protocol | TCP | PUBLIC -> DMZ | CapaInstaller DMZ server | |
cimdm | 443 (SSL) | TCP | DMZ -> PUBLIC | | Gateway for: Apple Push Network Service (APNS) http://support.apple.com/kb/TS4264; Google Cloud Messaging http://en.wikipedia.org/wiki/Google_Cloud_Messaging; Microsoft Open Mobile Alliance (OMA) |
Self-Service Portal | 9443 (SSL) | TCP | PUBLIC -> DMZ | | Used to access the Self-Service portal from the devices |
cibackend | 5023 (CapaInstaller MDM default) | TCP | DMZ -> SERVER | CapaInstaller Backend server | cimdm gets profiles and configurations |
cifrontend | 5022 (CapaInstaller Public Frontend Default) | TCP | DMZ -> SERVER | | cimdm authenticates users when enrolling devices |
cifrontend (CapaInstaller frontend service) | 80 (HTTP) | TCP | SERVER -> PUBLIC | download.capainstaller.com | Retrieve updated information about device models and versions |
CapaSystems server | 7000 (CapaSystems server) | TCP | LAN -> Public | certservice.capainstaller.com | |

Outgoing connections from the MDM service (cimdm) to third-party services:

Service | Port Number | Data Type | Direction | Destination DNS URL if Outgoing |
---|---|---|---|---|
cimdm | 2195 (Apple server) | TCP | DMZ -> Public | |
cimdm | 2196 (Apple server) | TCP | DMZ -> Public | |
cimdm | 5228 (Google server) | TCP | DMZ -> Public | |
cimdm | 5229 (Google server) | TCP | DMZ -> Public | |
cimdm | 5230 (Google server) | TCP | DMZ -> Public | |
cimdm | 443 (Microsoft server) | TCP | DMZ -> Public | |
cimdm | 7000 (CapaSystems server) | TCP | DMZ -> Public | |

Devices

Communication from end user devices to services to support mobile device management

Devices | Port Number | Data Type | Direction | DNS URL (origin if incoming, destination if outgoing) | Description |
---|---|---|---|---|---|
All devices | 443 (SSL) | TCP | LAN -> Public | * | Used for secure communication between iOS devices and the MDM server. |
All devices | 8443 | TCP | LAN -> Public | | |
Android devices | 5228 (Google server) | TCP | LAN -> Public | | This port is used for communication between Android devices and Google Cloud Messaging (GCM), which is used for sending push notifications and other data to Android devices. |
Android devices | 5229 (Google server) | TCP | LAN -> Public | | This port is used for communication between Android devices and GCM over a secure connection. |
Android devices | 5230 (Google server) | TCP | LAN -> Public | | This port is used for communication between Android devices and GCM for sending and receiving multicast messages. |
Android devices | 443 (Google server) | TCP | LAN -> Public | | This port is used for secure communication between Android devices and the MDM server. |
Apple devices | 2195 (Apple server) | TCP | LAN -> Public | gateway.push.apple.com | Used for sending push notifications to iOS devices. |
Apple devices | 2196 (Apple server) | TCP | LAN -> Public | feedback.push.apple.com | Used by the APNs Feedback Service to send feedback to the MDM server about failed push notifications. |
Apple devices | 5223 (Apple server) | TCP | LAN -> Public | | Used for communication between iOS devices and the APNs. It is also used for device activation. |
Windows Phone device | 443 (Microsoft server) | TCP | LAN -> Public | | |
https://capawiki.capasystems.com/display/CI64DOC/MDM+Network+Ports
Services and Clients
Description of the components from the illustration and reference tables
Services
SCEP Service
Simple Certificate Enrollment Protocol http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
The administrator must allow access through the firewall from the DMZ to the CapaInstaller Backend Service. The URL can be found in the Backend service configuration (http://ciserver.example.com:xx/cibackend). During enrollment the device communicates with the SCEP service, so it must be reachable on the configured port (e.g. port 1640).
MDM Service (Mobile Device Management)
The administrator must allow access through the firewall from the DMZ to the CapaInstaller Backend Service. The URL can be found from the Backend service configuration (http://ciserver.example.com:xx/cibackend).
The MDM service uses the DMZ Front-end Service. The URL can be found in the Frontend service configuration (http://mdm.example.com:xx/cifrontend).
The MDM service depends on two certificates (Apple certificate and SSL certificate) that are stored in the server's local certificate store (not the user store).
The MDM service hosts an enrollment homepage at URL: https://mdm.example.com/cimdm.
The MDM service communicates with the Apple Push Network Service (APNS). http://support.apple.com/kb/TS4264
The MDM service communicates with Google Cloud Messaging. http://en.wikipedia.org/wiki/Google_Cloud_Messaging
DMZ Frontend Service
The administrator must allow access through the firewall from the DMZ to the CapaInstaller internal Front-end Service. The URL can be found from the Frontend service configuration (http://ciserver.example.com:xx/cifrontend).
Back-end service
The Backend service communicates with Active Directory, so it needs access to it, especially if AD lookup is required. The Backend service also communicates with the CapaInstaller database.
Clients
Mobile Devices on public network
The mobile devices communicate with the MDM service through the main URL: https://mdm.example.com/cimdm
The mobile devices communicate with the SCEP service through the main URL: http://mdm.example.com:5024/
The mobile devices communicate with the Apple Push Network Service (APNS). http://support.apple.com/kb/TS4264
The mobile devices communicate with Google Cloud Messaging. http://en.wikipedia.org/wiki/Google_Cloud_Messaging
The mobile devices communicate with the MDM service through the OMA URL: http://mdm.example.com:8443/ [Open Mobile Alliance (OMA) Device Management (DM) server (https://en.wikipedia.org/wiki/OMA_Device_Management)]
Computers on public network
The computers communicate with the DMZ Front-end service http://mdm.example.com:xx/cifrontend
LAN Mobile Devices
The devices will communicate just like the Mobile Devices on Public networks (see above).
LAN Computers
The computers communicate with the Internal Front-end service http://ciserver.example.com:xx/cifrontend
Unless the internal WiFi allows connections to the Internal Front-end service, computers that use WiFi may connect to the DMZ Front-end through the Public network.
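To make the firewall openings listed above auditable, the following added example (not CapaSystems code) transcribes the required TCP flows from the services tables and the SCEP note into a least-privilege baseline and checks a candidate zone-based firewall policy against it, reporting required flows the policy blocks and rules that open more than the page requires. The `Rule` type and the candidate policy are constructed for illustration; zone names follow the page (PUBLIC, DMZ, SERVER), and 1640 is the page's example SCEP port.

```python
from dataclasses import dataclass

# Required TCP flows (service, source zone, destination zone, port),
# transcribed from the services tables and the SCEP note on this page.
# The SCEP port is site-configured; 1640 is the page's example value.
REQUIRED = [
    ("cimdm", "PUBLIC", "DMZ", 443),        # enrollment, configurations, apps
    ("cimdm", "PUBLIC", "DMZ", 8443),       # OMA DM
    ("Self-Service Portal", "PUBLIC", "DMZ", 9443),
    ("cibackend", "DMZ", "SERVER", 5023),   # cimdm fetches profiles
    ("cifrontend", "DMZ", "SERVER", 5022),  # user authentication at enrollment
    ("SCEP", "DMZ", "SERVER", 1640),        # certificate enrollment (configured port)
    ("cimdm", "DMZ", "PUBLIC", 443),        # Microsoft OMA gateway
    ("cimdm", "DMZ", "PUBLIC", 2195),       # APNS push
    ("cimdm", "DMZ", "PUBLIC", 2196),       # APNS feedback
    ("cimdm", "DMZ", "PUBLIC", 5228),       # GCM
    ("cimdm", "DMZ", "PUBLIC", 5229),
    ("cimdm", "DMZ", "PUBLIC", 5230),
    ("cimdm", "DMZ", "PUBLIC", 7000),       # certservice.capainstaller.com
]

@dataclass(frozen=True)
class Rule:
    """One allow rule of a hypothetical zone-based firewall policy (constructed)."""
    src: str
    dst: str
    ports: frozenset  # frozenset({"*"}) means any TCP port

def allows(rule, src, dst, port):
    return rule.src == src and rule.dst == dst and ("*" in rule.ports or port in rule.ports)

def missing_flows(policy):
    """Required flows that no rule permits: MDM breaks on each of these."""
    return [f for f in REQUIRED if not any(allows(r, *f[1:]) for r in policy)]

def excess_rules(policy):
    """Rules opening zone/port pairs the page does not require (least privilege)."""
    needed = {(s, d, p) for _, s, d, p in REQUIRED}
    return [r for r in policy
            if "*" in r.ports or any((r.src, r.dst, p) not in needed for p in r.ports)]

if __name__ == "__main__":
    # Constructed policy: a wildcard PUBLIC -> SERVER hole and no DMZ egress for push.
    policy = [Rule("PUBLIC", "DMZ", frozenset({443, 8443, 9443})),
              Rule("PUBLIC", "SERVER", frozenset({"*"})),
              Rule("DMZ", "SERVER", frozenset({5022, 5023, 1640}))]
    for f in missing_flows(policy):
        print("BLOCKED:", f)
    for r in excess_rules(policy):
        print("TOO BROAD:", r)
```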
Third party services
Apple Push Network Service (APNS). http://support.apple.com/kb/TS4264
Google Cloud Messaging. http://en.wikipedia.org/wiki/Google_Cloud_Messaging