Cisco Meraki Documentation

Systems Manager Firewall Rules


Cisco Meraki Systems Manager (SM) provides the ability to push applications and settings payloads to mobile and desktop devices, as well as view monitoring information from the Cisco Meraki Dashboard. In order to do this, these devices need to communicate with the Cisco Meraki Cloud and, depending on the device, with additional third-party services. Android and iOS devices, for example, need to communicate directly with Google and Apple servers in order to facilitate proper device management.

This article provides additional detail on the SM-specific firewall configuration for end-user devices connecting to a local network; it does not cover connectivity for Dashboard or other products. For general info on Dashboard cloud connectivity, see this article.

Firewall Rule Details

All rules listed below are outbound.

| Destination IPs | Ports | Protocol | Description |
|---|---|---|---|
| ios.meraki.com | 443 | TCP | iOS Client Communication**** |
| *.meraki.com, *.meraki.net | 443 | TCP | Meraki-hosted Content |
| [IP address]*/32, [Subnet A]*/24, [Subnet B]*, 209.206.48.0/20 | 443 | TCP | SM Agent Communication, iOS Client Communication, iOS MDM App Communication |
| [IP address]*/32, [Subnet A]*/24, [Subnet B]*, 209.206.48.0/20 | 993 | TCP | SM Agent Communication (Mac/Win10) |
| [IP address]*/32, [Subnet A]*/24, [Subnet B]*, 209.206.48.0/20 | 60000-61000 | TCP | SM Agent Remote Desktop (Mac/Win10) |
| 17.0.0.0/8 | 443 | TCP | iOS Connection Monitoring, App Store Fetches |
| 17.0.0.0/8 | 2195-2196 | TCP | iOS Client Communication |
| 17.0.0.0/8 | 5223 | TCP | iOS APNS Communication |
| Any | 443 | TCP | Android Connection Monitoring** |
| Any | 5228-5230 | TCP | Google Play Store Communication** |
| Any | 80, 443 | TCP | iOS/Android Backpack File Storage***, iOS WebClips***, Software Installer File Downloads*** |

*These addresses/subnets are your current primary/secondary/tertiary Dashboard IPs/Subnets.   

**Google publishes additional info on their Play Store CDNs here and here, but does not have a set list of confirmed IPs/Domains, so communications cannot be guaranteed with more restrictive rules.

***These features use URLs you specify, and as such we cannot pre-determine what their IPs are at any given time. Please ensure you aren't firewalling off files you are configuring your clients to access.

****ios.meraki.com is heavily load-balanced, and its endpoint IPs may change based on a client's location and/or other factors.

Reducing Firewall Exceptions

For organizations aiming to reduce the number of allow list rules on the firewall, port/IP ranges may be closed up based on the enrolled device mix.

  • For example, 993 and 60000 are used only for Macs and Windows 10 desktops with the SM agent enrolled.
  • Similarly, 5228-5230 is only used for Android devices.
  • Port 80 can be closed if your webclip, software, and backpack files aren't hosted on non-HTTPS sites. 
  • The 17.0.0.0/8 subnet is needed to reach Apple's megaproxies, and APNS is used specifically to wake and communicate with Apple devices.

Restricting 443 for the Meraki and Apple domains is not recommended and may severely hinder device and Dashboard functionality. The meraki.com domain uses a dynamic list of IP addresses that cannot be broken into discrete IP ranges. If using domain-based allow listing for ios.meraki.com and *.meraki.com (or at least n#.meraki.com), be prepared to hole-punch additional IPs to open up any SM connection attempts that may potentially be blocked.

Addresses and Ports to Allow

A complete list of destination IP addresses, ports, and their respective purposes can be found in dashboard under Help > Firewall info.

This list changes dynamically depending on the devices and services added on the dashboard as well as the region the organization is located. The below example will not necessarily reflect your networks' unique requirements.

Upstream firewall rules for cloud connectivity

Download rules to CSV

Below the firewall rules section is a Download button with two options: Rules as CSV and Unfiltered rules as CSV. Rules as CSV downloads in the same format as shown in dashboard, in which rule consolidation takes place; for example, multiple functions using TCP 443 are combined into one rule. If you download the CSV as Unfiltered rules as CSV, the rule set is not combined and shows each specific function with its corresponding requirements for source, destination, ports, protocol, etc.
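The two ideas above, pruning the allow list to the enrolled device mix (from Reducing Firewall Exceptions) and the difference between the consolidated and unfiltered CSV exports, can be combined into one small tool. The following is an added example written for this page, not Meraki's own code or export format: the CSV text is constructed here with assumed column names (the real export's headers may differ), and the mapping of each function to a device platform is an assumption derived from the article's bullet points. It parses an unfiltered-style rule list, drops functions that no enrolled platform needs (keeping any function it does not recognise, so that unknown rules are never silently removed), optionally closes port 80 as the article allows, and then consolidates the remainder the way the dashboard's Rules as CSV does.

```python
import csv
import io

# Constructed sample in an "unfiltered" layout: one row per function, so the
# same destination/port/protocol appears several times. Column names are an
# assumption, not Meraki's actual export headers.
UNFILTERED_CSV = """\
Destination,Port,Protocol,Function
ios.meraki.com,443,TCP,iOS Client Communication
*.meraki.com,443,TCP,Meraki-hosted Content
209.206.48.0/20,443,TCP,SM Agent Communication
209.206.48.0/20,443,TCP,iOS Client Communication
209.206.48.0/20,443,TCP,iOS MDM App communication
209.206.48.0/20,993,TCP,SM Agent Communication (Mac/Win10)
209.206.48.0/20,60000-61000,TCP,SM Agent Remote Desktop (Mac/Win10)
17.0.0.0/8,443,TCP,iOS Connection Monitoring
17.0.0.0/8,443,TCP,App Store Fetches
17.0.0.0/8,2195-2196,TCP,iOS Client Communication
17.0.0.0/8,5223,TCP,iOS APNS Communication
Any,443,TCP,Android Connection Monitoring
Any,5228-5230,TCP,Google Play Store Communication
Any,80,TCP,Software Installer File Downloads
Any,443,TCP,Software Installer File Downloads
"""

# Assumed platform mapping, derived from the article's "Reducing Firewall
# Exceptions" bullets. "all" means the function is needed regardless of mix.
FUNCTION_PLATFORMS = {
    "iOS Client Communication": {"ios"},
    "Meraki-hosted Content": {"all"},
    "SM Agent Communication": {"desktop"},
    "iOS MDM App communication": {"ios"},
    "SM Agent Communication (Mac/Win10)": {"desktop"},
    "SM Agent Remote Desktop (Mac/Win10)": {"desktop"},
    "iOS Connection Monitoring": {"ios"},
    "App Store Fetches": {"ios"},
    "iOS APNS Communication": {"ios"},
    "Android Connection Monitoring": {"android"},
    "Google Play Store Communication": {"android"},
    "Software Installer File Downloads": {"all"},
}


def load_rules(text):
    """Parse unfiltered CSV text into one dict per (destination, port, function)."""
    return list(csv.DictReader(io.StringIO(text)))


def prune_for_device_mix(rules, enrolled, allow_http=True):
    """Keep only rules needed by the enrolled platforms (e.g. {"ios", "android"}).

    A function missing from FUNCTION_PLATFORMS is kept: failing open on the
    allow list is safer than silently breaking an unrecognised SM feature.
    Port 80 rows are dropped only when allow_http is False, mirroring the
    article's note that 80 can be closed if all hosted files are HTTPS.
    """
    kept = []
    for rule in rules:
        platforms = FUNCTION_PLATFORMS.get(rule["Function"])
        if platforms is not None and "all" not in platforms and not (platforms & enrolled):
            continue
        if not allow_http and rule["Port"] == "80":
            continue
        kept.append(rule)
    return kept


def consolidate(rules):
    """Merge rows sharing destination/port/protocol, as the dashboard's Rules as CSV does."""
    groups = {}
    for rule in rules:
        key = (rule["Destination"], rule["Port"], rule["Protocol"])
        groups.setdefault(key, []).append(rule["Function"])
    return [
        {"Destination": dst, "Port": port, "Protocol": proto, "Function": "; ".join(funcs)}
        for (dst, port, proto), funcs in groups.items()
    ]


def to_csv(rows):
    """Render consolidated rows back to CSV text for the firewall change request."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["Destination", "Port", "Protocol", "Function"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rules = load_rules(UNFILTERED_CSV)
    # An iOS-only fleet with all hosted files on HTTPS: no 993, 60000-61000,
    # 5228-5230 or port 80 rules survive.
    print(to_csv(consolidate(prune_for_device_mix(rules, {"ios"}, allow_http=False))))
```

Run the pruning against the real unfiltered export rather than the constructed sample, and keep the platform map in version control next to the device-mix decision it encodes; when a new platform is enrolled, the map is the one place that needs updating before the allow list is regenerated.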