
Systems Manager Firewall Rules

Cisco Meraki Systems Manager (SM) provides the ability to push applications and settings payloads to mobile and desktop devices, as well as view monitoring information from the Cisco Meraki Dashboard. To do this, these devices need to communicate with the Cisco Meraki Cloud, and may need additional connectivity depending on the device type. Android and iOS devices, for example, need to communicate directly with Google and Apple servers in order to facilitate proper device management.

This article provides additional detail on the SM-specific firewall configurations for end-user devices connecting to a local network; it does not cover connectivity for Dashboard or other products. For general info on Dashboard cloud connectivity, see this article.

Firewall Rule Details

All rules listed below are outbound.

Destination IPs                        Ports          Protocol   Description
ios.meraki.com                         443            TCP        iOS Client Communication****
*.meraki.com                           443            TCP        Meraki-hosted Content
[IP address]*/32, [Subnet A]*/24,      443            TCP        SM Agent Communication, iOS Client Communication,
[Subnet B]*, 209.206.48.0/20                                     iOS MDM App Communication
                                       993            TCP        SM Agent Communication (Mac/Win10)
                                       60000-61000    TCP        SM Agent Remote Desktop (Mac/Win10)
17.0.0.0/8                             443            TCP        iOS Connection Monitoring, App Store Fetches
                                       2195-2196      TCP        iOS Client Communication
                                       5223           TCP        iOS APNS Communication
Any                                    443            TCP        Android Connection Monitoring**
                                       5228-5230      TCP        Google Play Store Communication**
                                       80, 443        TCP        iOS/Android Backpack File Storage***, iOS WebClips***,
                                                                 Software Installer File Downloads***

*These addresses/subnets are your current primary/secondary/tertiary Dashboard IPs/subnets.

**Google publishes additional info on their Play Store CDNs here and here, but does not have a set list of confirmed IPs/domains, so communications cannot be guaranteed with more restrictive rules.

***These features use URLs you specify, and as such we cannot pre-determine what their IPs are at any given time. Please ensure you aren't firewalling off files you are configuring your clients to access.

****ios.meraki.com is heavily load-balanced, and its endpoint IPs may change based on a client's location and/or other factors.

Reducing Firewall Exceptions

For organizations aiming to reduce the number of whitelist rules on the firewall, port/IP ranges may be closed based on which device types are enrolled.

  • For example, 993 and 60000-61000 are used only for Macs and Windows 10 desktops with the SM agent enrolled.
  • Similarly, 5228-5230 is only used for Android devices.
  • Port 80 can be closed if your WebClip, software, and Backpack files are all hosted on HTTPS sites.
  • The 17.0.0.0/8 subnet is needed to reach Apple's megaproxies, and APNS is used specifically to wake and communicate with Apple devices.

Restricting 443 for the Meraki and Apple domains is not recommended and may severely hinder device and Dashboard functionality. The meraki.com domain uses a dynamic list of IP addresses that cannot be broken into discrete IP ranges. If using domain-based whitelisting for ios.meraki.com and *.meraki.com (or at least n#.meraki.com), be prepared to hole-punch additional IPs to open up any SM connection attempts that may potentially be blocked.
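The following script is an added example, not Meraki's own tooling, that turns the narrowing described above into something you can run: it transcribes the table in this article into rule data, derives the minimal outbound allow-list for the platforms you actually enrol (optionally dropping port 80 when all user-specified files are on HTTPS), and reports which required rules are missing from an existing allow-list. The DASHBOARD_IP and DASHBOARD_SUBNET_* names are placeholders for the primary/secondary/tertiary Dashboard IPs/subnets shown in your own organization's Dashboard; the platform names and function names are this example's own.

```python
"""Derive the minimal outbound allow-list for Meraki Systems Manager clients
from the platforms actually enrolled, and check an existing allow-list
against it.  Added example, not Meraki's own tooling: the rule data below
transcribes the article's table; the DASHBOARD_* names are placeholders for
the primary/secondary/tertiary Dashboard IPs/subnets of your organization."""
from dataclasses import dataclass

# Placeholders (constructed): substitute your own Dashboard IPs/subnets.
DASHBOARD_NETS = ("DASHBOARD_IP/32", "DASHBOARD_SUBNET_A/24",
                  "DASHBOARD_SUBNET_B", "209.206.48.0/20")
PLATFORMS = {"ios", "android", "mac", "win10"}
ALL = frozenset()  # empty platform set means every enrolled device needs it


@dataclass(frozen=True)
class Rule:
    dest: str                 # IP/CIDR, hostname pattern, or "any"
    ports: str                # "443", "2195-2196", ... (TCP throughout)
    platforms: frozenset      # platforms that need the rule; ALL = everyone
    description: str
    plaintext: bool = False   # the port-80 leg for files hosted over plain HTTP


def _dashboard(ports, platforms, description):
    """One rule per Dashboard address/subnet."""
    return [Rule(n, ports, platforms, description) for n in DASHBOARD_NETS]


RULES = [
    Rule("ios.meraki.com", "443", frozenset({"ios"}), "iOS client communication"),
    Rule("*.meraki.com", "443", ALL, "Meraki-hosted content"),
    *_dashboard("443", ALL, "SM agent / iOS client / iOS MDM app communication"),
    *_dashboard("993", frozenset({"mac", "win10"}), "SM agent communication (Mac/Win10)"),
    *_dashboard("60000-61000", frozenset({"mac", "win10"}), "SM agent remote desktop (Mac/Win10)"),
    Rule("17.0.0.0/8", "443", frozenset({"ios"}), "iOS connection monitoring, App Store fetches"),
    Rule("17.0.0.0/8", "2195-2196", frozenset({"ios"}), "iOS client communication"),
    Rule("17.0.0.0/8", "5223", frozenset({"ios"}), "iOS APNS communication"),
    Rule("any", "443", frozenset({"android"}), "Android connection monitoring"),
    Rule("any", "5228-5230", frozenset({"android"}), "Google Play Store communication"),
    Rule("any", "443", ALL, "Backpack files, WebClips, installer downloads (your URLs)"),
    Rule("any", "80", ALL, "Same, for files hosted over plain HTTP", plaintext=True),
]


def required_rules(enrolled, https_only=False):
    """Rules needed by at least one enrolled platform.  https_only drops the
    port-80 rule, which is safe only if every WebClip, Backpack file and
    installer you point clients at is served over HTTPS."""
    wanted = frozenset(p.lower() for p in enrolled)
    unknown = wanted - PLATFORMS
    if unknown:
        raise ValueError(f"unknown platform(s): {sorted(unknown)}")
    return [r for r in RULES
            if (not r.platforms or r.platforms & wanted)
            and not (https_only and r.plaintext)]


def ports_for(rules, dest):
    """Distinct port specs a destination needs, for quick review."""
    return sorted({r.ports for r in rules if r.dest == dest})


def missing_rules(rules, allowed):
    """Required rules absent from an existing allow-list given as a set of
    (destination, ports) pairs, e.g. exported from your firewall."""
    return [r for r in rules if (r.dest, r.ports) not in allowed]


if __name__ == "__main__":
    needed = required_rules(["ios", "mac"], https_only=True)
    for r in needed:
        print(f"allow tcp to {r.dest:<24} dport {r.ports:<12} # {r.description}")
    # Constructed sample of a partial allow-list, to show the gap report.
    current = {("*.meraki.com", "443"), ("ios.meraki.com", "443")}
    for r in missing_rules(needed, current):
        print("MISSING:", r.dest, r.ports, r.description)
```

Hostname-based entries (ios.meraki.com, *.meraki.com) cannot be expressed as IP rules, which is the point of the note above about the dynamic meraki.com address list: treat those lines as domain/FQDN objects on your firewall rather than resolving them once.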

Article ID

ID: 6620