Overview
A fully operational Mobile Device Management (MDM) setup requires the set of CapaInstaller services to be deployed correctly within the company's network infrastructure. Consult the illustration and tables below when setting up your network for CapaInstaller MDM.
Network Ports Reference
The following illustration and its reference tables list the network ports used by CapaInstaller Mobile Device Management.
The ports listed for CapaInstaller services are the default values. If the defaults have been changed, use the port set in the service configuration instead.
If you have other isolated LAN zones, for example a separate WiFi zone, the port openings for these zones should be the same as the LAN port openings.
Services

Service | Port Number | Data Type | Direction | Origin DNS URL if Incoming / Destination DNS URL if Outgoing | Description
---|---|---|---|---|---
cimdm | 443 (SSL) | TCP | PUBLIC → DMZ | CapaInstaller DMZ server | Mobile devices retrieve configurations and applications
Self Service Portal | 9443 (Default) | TCP | PUBLIC → DMZ | | Used to access the Self-Service portal from the devices
cibackend | 5023 (CapaInstaller MDM default) | TCP | DMZ → LAN | CapaInstaller Backend server | cimdm gets profiles and configurations
cifrontend | 5022 (Default) | TCP | DMZ → LAN | CapaInstaller internal Front-end service | cimdm authenticates users when enrolling devices
cimdm | 2195 (Apple server) | TCP | DMZ → PUBLIC | | Gateway for Apple Push Network Service (APNS): http://support.apple.com/kb/TS4264
cimdm | 2196 (Apple server) | TCP | DMZ → PUBLIC | | Gateway for Apple Push Network Service (APNS)
cimdm | 5228 (Google server) | TCP | DMZ → PUBLIC | | Gateway for Google Cloud Messaging (GCM): http://en.wikipedia.org/wiki/Google_Cloud_Messaging
cimdm | 5229 (Google server) | TCP | DMZ → PUBLIC | | Gateway for Google Cloud Messaging (GCM)
cimdm | 5230 (Google server) | TCP | DMZ → PUBLIC | | Gateway for Google Cloud Messaging (GCM)
cimdm | 443 (Microsoft server) | TCP | DMZ → PUBLIC | | Gateway for Microsoft Open Mobile Alliance (OMA)
cimdm | 7000 (CapaSystems server) | TCP | DMZ → PUBLIC | |
CapaSystems server | 7000 (CapaSystems server) | TCP | LAN → PUBLIC | certservice.capainstaller.com |
CapaInstaller frontend service | 80 (HTTP) | TCP | LAN → PUBLIC | download.capainstaller.com |
cifrontend | 443 (SSL) | TCP | LAN → PUBLIC | download.capainstaller.com | Retrieve updated information about device models and versions
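The table above is, in effect, a least-privilege specification for the firewall between the PUBLIC, DMZ and LAN zones. The following script is an added example (not CapaInstaller tooling) that transcribes the service flows from the table into data and audits a proposed zone-to-zone ruleset against them: it reports flows that no rule permits, any-port rules that point into a more trusted zone, and zone pairs the table never asks for (such as PUBLIC straight into LAN, which bypasses the DMZ). The `EXAMPLE_RULES` ruleset is constructed for illustration and contains two deliberate mistakes; the zone names follow the illustration.

```python
"""Audit a proposed firewall ruleset against the CapaInstaller MDM port matrix.

Added example, not CapaInstaller tooling. REQUIRED_FLOWS is transcribed from
the services table above; EXAMPLE_RULES is a constructed ruleset with two
deliberate problems so that the report has something to show.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    """One required opening: service, source zone, destination zone, TCP port."""
    service: str
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    """A firewall allow rule between two zones; ports=None means any port."""
    src: str
    dst: str
    ports: Optional[FrozenSet[int]]


# Relative trust of the zones; traffic into a more trusted zone is "inbound"
TRUST = {"PUBLIC": 0, "DMZ": 1, "LAN": 2}

# Transcribed from the services table (default ports)
REQUIRED_FLOWS: List[Flow] = [
    Flow("cimdm", "PUBLIC", "DMZ", 443),
    Flow("Self Service Portal", "PUBLIC", "DMZ", 9443),
    Flow("cibackend", "DMZ", "LAN", 5023),
    Flow("cifrontend", "DMZ", "LAN", 5022),
    Flow("cimdm -> APNS", "DMZ", "PUBLIC", 2195),
    Flow("cimdm -> APNS feedback", "DMZ", "PUBLIC", 2196),
    Flow("cimdm -> GCM", "DMZ", "PUBLIC", 5228),
    Flow("cimdm -> GCM", "DMZ", "PUBLIC", 5229),
    Flow("cimdm -> GCM", "DMZ", "PUBLIC", 5230),
    Flow("cimdm -> Microsoft OMA", "DMZ", "PUBLIC", 443),
    Flow("cimdm -> CapaSystems", "DMZ", "PUBLIC", 7000),
    Flow("CapaSystems server -> certservice", "LAN", "PUBLIC", 7000),
    Flow("cifrontend -> download (HTTP)", "LAN", "PUBLIC", 80),
    Flow("cifrontend -> download (SSL)", "LAN", "PUBLIC", 443),
]

# Constructed ruleset: DMZ -> LAN forgot port 5022, and PUBLIC -> LAN should not exist
EXAMPLE_RULES: List[Rule] = [
    Rule("PUBLIC", "DMZ", frozenset({443, 9443})),
    Rule("DMZ", "LAN", frozenset({5023})),
    Rule("DMZ", "PUBLIC", None),
    Rule("LAN", "PUBLIC", frozenset({80, 443, 7000})),
    Rule("PUBLIC", "LAN", None),
]


def rule_covers(rule: Rule, flow: Flow) -> bool:
    """True when the rule permits this flow's zone pair and port."""
    return (rule.src == flow.src and rule.dst == flow.dst
            and (rule.ports is None or flow.port in rule.ports))


def audit(rules: List[Rule], required: List[Flow] = REQUIRED_FLOWS) -> Dict[str, list]:
    """Report flows with no covering rule, inbound any-port rules, and zone
    pairs the matrix never asks for (e.g. PUBLIC straight into LAN)."""
    needed_pairs = {(f.src, f.dst) for f in required}
    missing = [f for f in required if not any(rule_covers(r, f) for r in rules)]
    too_broad = [r for r in rules if r.ports is None and TRUST[r.src] < TRUST[r.dst]]
    unexpected = [r for r in rules if (r.src, r.dst) not in needed_pairs]
    return {"missing": missing, "too_broad": too_broad, "unexpected": unexpected}


def minimal_rules(required: List[Flow] = REQUIRED_FLOWS) -> List[Rule]:
    """Derive the tightest ruleset: one rule per zone pair with exactly the listed ports."""
    ports: Dict[tuple, set] = {}
    for f in required:
        ports.setdefault((f.src, f.dst), set()).add(f.port)
    return [Rule(src, dst, frozenset(p)) for (src, dst), p in sorted(ports.items())]


if __name__ == "__main__":
    report = audit(EXAMPLE_RULES)
    for kind, items in report.items():
        print(kind, [str(i) for i in items])
    for r in minimal_rules():
        print(r.src, "->", r.dst, sorted(r.ports))
```

Outbound any-port rules (DMZ → PUBLIC) are deliberately not flagged as too broad, because the table only constrains what is exposed inward; they still show up in the `minimal_rules()` output as the exact port set you could tighten them to. If you have changed any default port in the service configuration, change it in `REQUIRED_FLOWS` as well.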
Devices

For end-user devices to support mobile device management, the devices must communicate with different network services.

Devices | Port Number | Data Type | Direction | Origin DNS URL if Incoming / Destination DNS URL if Outgoing | Description
---|---|---|---|---|---
All devices | 443 (SSL) | TCP | LAN → PUBLIC | CapaInstaller DMZ server | Used for secure communication between iOS devices and the MDM server.
Android devices | 5228 (Google server) | TCP | LAN → PUBLIC | | This port is used for communication between Android devices and Google Cloud Messaging (GCM), which sends push notifications and other data to Android devices.
Android devices | 5229 (Google server) | TCP | LAN → PUBLIC | | This port is used for communication between Android devices and GCM over a secure connection.
Android devices | 5230 (Google server) | TCP | LAN → PUBLIC | | This port is used for communication between Android devices and GCM for sending and receiving multicast messages.
Android devices | 443 (Google server) | TCP | LAN → PUBLIC | | This port is used for secure communication between Android devices and the MDM server.
Apple devices | 2195 (Apple server) | TCP | LAN → PUBLIC | gateway.push.apple.com | Used for sending push notifications to iOS devices.
Apple devices | 2196 (Apple server) | TCP | LAN → PUBLIC | feedback.push.apple.com | Used by the APNs Feedback Service to send feedback to the MDM server about failed push notifications.
Apple devices | 5223 (Apple server) | TCP | LAN → PUBLIC | | Used for communication between iOS devices and APNs. It is also used for device activation.
Windows Phone devices | 443 (Microsoft server) | TCP | LAN → PUBLIC | |

Services and Clients
Description of the components from the illustration and reference tables.
Services
SCEP Service
Simple Certificate Enrollment Protocol: http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
The administrator must allow access through the firewall from the DMZ to the CapaInstaller Backend Service. The URL can be found in the Backend service configuration (http://ciserver.example.com:xx/cibackend). During enrollment the device communicates with the SCEP service, so it must be reachable on the configured port (e.g. port 1640).
MDM Service (Mobile Device Management)
The administrator must allow access through the firewall from the DMZ to the CapaInstaller Backend Service. The URL can be found in the Backend service configuration (http://ciserver.example.com:xx/cibackend).
The MDM service uses the DMZ Front-end Service. The URL can be found in the Frontend service configuration (http://mdm.example.com:xx/cifrontend).
The MDM service depends on two certificates (the Apple certificate and the SSL certificate) that are stored in the server's local certificate store (not the user store).
The MDM service hosts an enrollment homepage at the URL https://mdm.example.com/cimdm.
The MDM service communicates with the Apple Push Network Service (APNS): http://support.apple.com/kb/TS4264
The MDM service communicates with Google Cloud Messaging: http://en.wikipedia.org/wiki/Google_Cloud_Messaging
DMZ Frontend Service
The administrator must allow access through the firewall from the DMZ to the CapaInstaller internal Front-end Service. The URL can be found in the Frontend service configuration (http://ciserver.example.com:xx/cifrontend).
Back-end service
The Backend service communicates with Active Directory, so it needs access to it, especially if AD lookup is required. The Backend service also communicates with the CapaInstaller database.
Clients
Mobile Devices on public network
The mobile devices communicate with the MDM service through the main URL: https://mdm.example.com/cimdm
The mobile devices communicate with the SCEP service through the main URL: http://mdm.example.com:5024/
The mobile devices communicate with the Apple Push Network Service (APNS): http://support.apple.com/kb/TS4264
The mobile devices communicate with Google Cloud Messaging: http://en.wikipedia.org/wiki/Google_Cloud_Messaging
The mobile devices communicate with the MDM service through the OMA URL: http://mdm.example.com:8443/ (Open Mobile Alliance (OMA) Device Management (DM) server, https://en.wikipedia.org/wiki/OMA_Device_Management)
Computers on public network
The computers communicate with the DMZ Front-end service: http://mdm.example.com:xx/cifrontend
LAN Mobile Devices
The devices communicate just like the mobile devices on public networks (see above).
LAN Computers
The computers communicate with the Internal Front-end service: http://ciserver.example.com:xx/cifrontend
Unless the internal WiFi allows connection to the Internal Front-end service, computers that use WiFi may connect to the DMZ Front-end service through the public network.
Third party services
Apple Push Network Service (APNS): http://support.apple.com/kb/TS4264
Google Cloud Messaging: http://en.wikipedia.org/wiki/Google_Cloud_Messaging

Source: https://capawiki.capasystems.com/display/CI64DOC/MDM+Network+Ports
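Once the openings from the tables are in place, the quickest way to confirm them from the DMZ or LAN server is a plain TCP connect to each outbound destination, separating "name does not resolve" from "port is blocked" because the two need different fixes (DNS egress versus a firewall opening). The script below is an added example, not part of CapaInstaller; the hostnames and ports are taken from the tables above (the Google and Microsoft rows give no hostname on this page, so they are not listed), and the `start_local_listener` helper exists only so the check can be exercised offline.

```python
"""Check that the outbound destinations from the tables above answer on their ports.

Added example, not part of CapaInstaller. Hostnames and ports come from the
tables; the local-listener helper only exists so the check can be exercised
without network access.
"""
import socket
import threading
from typing import Callable, Dict, List, Tuple

Target = Tuple[str, str, int]  # (label, hostname, port)

# Transcribed from the services and devices tables (rows that name a host)
OUTBOUND_TARGETS: List[Target] = [
    ("cifrontend -> download.capainstaller.com (HTTP)", "download.capainstaller.com", 80),
    ("cifrontend -> download.capainstaller.com (SSL)", "download.capainstaller.com", 443),
    ("CapaSystems certificate service", "certservice.capainstaller.com", 7000),
    ("cimdm -> APNS gateway", "gateway.push.apple.com", 2195),
    ("cimdm -> APNS feedback", "feedback.push.apple.com", 2196),
]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect as 'ok', 'dns_failed' or 'connect_failed'."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failed"
    for family, socktype, proto, _canon, sockaddr in addrs:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                return "ok"          # handshake completed; nothing is sent
        except OSError:
            continue                 # refused, timed out or unreachable: try next address
    return "connect_failed"


def check_all(targets: List[Target] = OUTBOUND_TARGETS, timeout: float = 3.0) -> Dict[str, str]:
    """Run check_tcp for every target and map label -> status."""
    return {label: check_tcp(host, port, timeout) for label, host, port in targets}


def start_local_listener() -> Tuple[int, Callable[[], None]]:
    """Open a throwaway TCP listener on 127.0.0.1 for offline testing.

    Returns (port, close function). The listener accepts and immediately
    closes every connection; the close function stops it and frees the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)              # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def close() -> None:
        stop.set()
        worker.join()

    return port, close


if __name__ == "__main__":
    for label, status in check_all().items():
        print(f"{status:15s} {label}")
```

A result of `connect_failed` for one destination while `dns_failed` is absent points at the firewall rather than at name resolution; check the zone and port against the tables. The check only completes the TCP handshake and sends nothing, so it is safe to run against the live destinations from the server that actually needs them.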