TCP/IP Port requirements

For the BigFix MDM Server and the BigFix Plugin Portal to communicate properly with the devices that you manage, the necessary TCP/IP ports must be open in the right direction. This section lists the required ports, what each one carries, and where the traffic originates and terminates.

Each entry gives the port number and type, its purpose, and the direction of the traffic.

443 (HTTPS)
  Purpose: All device enrollment and management requests are sent to this port. This must be an internet-facing port so that the endpoints can reach the enrollment server.
  Direction: Inbound to the MDM Server from the network where the MDM-managed endpoints are located.

443 (HTTPS)
  Purpose: MDM Server to Offline Domain Join Server.
  Direction: Inbound to the Offline Domain Join Server, specifically for requests from the MDM Server.

443 (HTTPS)
  Purpose: Sending messages from the MDM Server to the notification services and the identity service:
    • Android MDM Server to Google APIs
    • Apple MDM Server to APNs
    • Windows MDM Server to WNS [1]
  Direction: Outbound from the MDM Server to:
    • WNS
    • Google APIs
    • APNs
    • Azure Active Directory
    • Offline Domain Join server
    • Apple App Store
  and additionally:
    • Outbound from WebUI to Google Play for the Android app catalog
    • Outbound from WebUI to the Windows App Store for the Windows app catalog

5671 (AMQP)
  Purpose: The MDM Plugin receives, through this port, the asynchronous notifications that the MDM Server gets from the enrolled devices. This inbound port on the MDM Server must be open so that the Plugin Portal server can establish the session and subsequently receive the device notifications.
  Direction: Inbound to the MDM Server from the Plugin Portal server.

8443 (HTTPS)
  Purpose: HTTPS requests to the MDM Server REST API.
  Direction: Inbound to the MDM Server from the Plugin Portal server and WebUI.

636 (LDAPS)
  Purpose: Secure authentication of end users against Active Directory during enrollment.
  Direction: Outbound from the MDM Server to the customer LDAP.

389 (LDAP)
  Purpose: Insecure (cleartext) authentication of end users against Active Directory during enrollment.
  Note: If the Active Directory secure port is not enabled, the default insecure port 389 is used. For best results, use LDAPS (secure communication) with Active Directory.
  Direction: Outbound from the MDM Server to the customer LDAP.

2195* (TCP)
  Purpose: Backup port for sending messages from the MDM Server to APNs.
  Direction: Outbound from the MDM Server to the APNs server (Internet).

2196* (TCP)
  Purpose: Used by the MDM Server to connect to APNs for feedback.
  Direction: Outbound from the MDM Server to the APNs server (Internet).

5223 (TCP)
  Purpose: Sending messages to APNs from the computers in your network.
  Direction: Outbound from Mac devices (whichever network they are on) to the APNs server (Internet).

8080 (TCP)
  Purpose: Internal NDES configuration, or as configured in the SCEP URL in the fixlet "Configure settings for SCEP functionality on MDM server".
  Direction: Outbound from the MDM Server to the SCEP server.

*To ensure reliable Apple MDM server communication, allow outbound connections from the MDM Server to the Apple 17.0.0.0/8 block over TCP ports 2195 and 2196.

[1] The WNS push messages are sent to https://wns2-bl2p.notify.windows.com/. For Windows WNS firewall recommendations, see https://docs.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/firewall-allowlist-config
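As an added example that is not part of the BigFix documentation: a small Python checker, run on the MDM Server host, that tries to open each required outbound flow listed above and confirms that the inbound ports are accepting connections locally. It also flags the case where only cleartext LDAP on 389 answers while LDAPS on 636 does not. The WNS hostname comes from this page; the hostnames ending in .invalid are placeholders for your own LDAP, NDES and Apple endpoints, and the `connect`/`listening` parameters exist so the logic can be exercised without network access.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    port: int
    proto: str
    host: str
    purpose: str

# Outbound flows the MDM Server must be able to open. Hosts ending in
# ".invalid" are constructed placeholders: substitute your own servers.
OUTBOUND_FLOWS = [
    Flow(443, "HTTPS", "wns2-bl2p.notify.windows.com", "WNS push (Windows)"),
    Flow(443, "HTTPS", "apns.example.invalid", "APNs push (Apple) - placeholder host"),
    Flow(2195, "TCP", "apns.example.invalid", "APNs backup push - placeholder host"),
    Flow(2196, "TCP", "apns.example.invalid", "APNs feedback - placeholder host"),
    Flow(636, "LDAPS", "ldap.example.invalid", "AD user auth at enrollment - placeholder host"),
    Flow(8080, "TCP", "ndes.example.invalid", "NDES / SCEP - placeholder host"),
]
# Ports the MDM Server itself must accept connections on (inbound).
INBOUND_PORTS = [(443, "device enrollment and management"),
                 (5671, "AMQP from Plugin Portal"),
                 (8443, "REST API from Plugin Portal and WebUI")]

def tcp_connect(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def local_listening(port):
    """True if a service on this host accepts connections on the port."""
    return tcp_connect("127.0.0.1", port, timeout=1.0)

def run_checks(outbound, inbound, connect=tcp_connect, listening=local_listening):
    """Return a list of human-readable failures; an empty list means all flows are OK."""
    failures = []
    for f in outbound:
        if connect(f.host, f.port):
            continue
        msg = f"outbound {f.host}:{f.port} ({f.purpose}) unreachable"
        # Insecure fallback detection: LDAPS closed but cleartext LDAP answers.
        if f.proto == "LDAPS" and connect(f.host, 389):
            msg += "; only cleartext LDAP on 389 answers, enable LDAPS instead of falling back"
        failures.append(msg)
    for port, purpose in inbound:
        if not listening(port):
            failures.append(f"inbound port {port} ({purpose}) is not listening on this host")
    return failures

if __name__ == "__main__":
    for line in run_checks(OUTBOUND_FLOWS, INBOUND_PORTS) or ["all required flows OK"]:
        print(line)
```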