Systems Manager Firewall Rules
Clieck 日本語 for Japanese
Cisco Meraki Systems Manager (SM) provides the ability to push applications and settings payloads to mobile and desktop devices, as well as view monitoring information from the Cisco Meraki Dashboard. In order to do this, these devices need to communicate with the Cisco Meraki Cloud, and additional connectivity depending on the device. Android and iOS devices, for example, need to communicate directly with Google and Apple servers in order to facilitate proper device management.
This article provides additional detail on the SM-specific firewall configurations for end-user devices connecting to a local network, and not connectivity for Dashboard or other products. For general info on Dashboard cloud connectivity, see this article.
Firewall Rule Details
All rules listed below are outbound.
| Destination IPs | Ports | Protocol | Description |
|---|---|---|---|
| ios.meraki.com | 443 | TCP | iOS Client Communication**** |
| *.meraki.com | 443 | TCP | Meraki-hosted Content |
| [IP address]*/32 [Subnet A]*/24 [Subnet B]* 209.206.48.0/20 |
443 | TCP | SM Agent Communication, iOS Client Communication, iOS MDM App communication |
| 993 | TCP |
SM Agent Communication (Mac/Win10) |
|
| 60000-61000 | TCP | SM Agent Remote Desktop (Mac/Win10) | |
| 17.0.0.0/8 | 443 | TCP | iOS Connection Monitoring, App Store Fetches |
| 2195-2196 | TCP | iOS Client Communication | |
| 5223 | TCP | iOS APNS Communication | |
| Any | 443 | TCP | Android Connection Monitoring** |
| 5228-5230 | TCP | Google Play Store Communication** | |
| 80, 443 | TCP | iOS/Android Backpack File Storage*** | |
| iOS WebClips*** | |||
| Software Installer File Downloads*** |
*These addresses/subnets are your current primary/secondary/tertiary Dashboard IPs/Subnets.
**Google publishes additional info on their Play Store CDNs here and here, but does not have a set list of confirmed IPs/Domains, so communications cannot be guaranteed with more restrictive rules.
***These features use URLs you specify, and as such we cannot pre-determine what their IPs are at any given time. Please ensure you aren't firewalling off files you are configuring your clients to access.
****ios.meraki.com is heavily loadbalanced, and it's endpoint IPs may change based on a client's location and/or other factors.
Reducing Firewall Exceptions
For organizations aiming to reduce the number of whitelist rules on the firewall, port/IP ranges may be closed up based on the enrolled device mix.
- For example, 993 and 60000 are used only for Macs and Windows 10 desktops with the SM agent enrolled.
- Similarly, 5228-5230 is only used for Android devices.
- Port 80 can be closed if your webclip, software, and backpack files aren't hosted on non-HTTPS sites.
- The 17.0.0.0/8 subnet is needed to reach Apple's megaproxies, and APNS is used specifically to wake and communicate with Apple devices.
Restricting 443 for the Meraki and Apple domains is not recommended and may severly hinder device and Dashboard functionality. The meraki.com domain uses a dynamic list of IP addresses that cannot be broken into discrete IP ranges. If using domain-based whitelisting for ios.meraki.com and *.meraki.com (or at least n#.meraki.com), be prepared to holepunch additional IPs to open up any SM connection attempts that may potentially be blocked.