Cisco Meraki Documentation

Systems Manager Firewall Rules


Cisco Meraki Systems Manager (SM) provides the ability to push applications and settings payloads to mobile and desktop devices, as well as view monitoring information from the Cisco Meraki Dashboard. In order to do this, these devices need to communicate with the Cisco Meraki Cloud, and may need additional connectivity depending on the device. Android and iOS devices, for example, need to communicate directly with Google and Apple servers in order to facilitate proper device management.

This article provides additional detail on the SM-specific firewall configurations for end-user devices connecting to a local network. It does not cover connectivity for Dashboard or other products. For general info on Dashboard cloud connectivity, see this article.

Firewall Rule Details

All rules listed below are outbound.

| Destination IPs | Ports | Protocol | Description |
|---|---|---|---|
| | 443 | TCP | iOS Client Communication**** |
| * | 443 | TCP | Meraki-hosted Content |
| [IP address]*/32, [Subnet A]*/24, [Subnet B]* | 443 | TCP | SM Agent Communication, iOS Client Communication, iOS MDM App communication |
| | 993 | TCP | SM Agent Communication (Mac/Win10) |
| | 60000-61000 | TCP | SM Agent Remote Desktop (Mac/Win10) |
| | 443 | TCP | iOS Connection Monitoring, App Store Fetches |
| | 2195-2196 | TCP | iOS Client Communication |
| | 5223 | TCP | iOS APNS Communication |
| Any | 443 | TCP | Android Connection Monitoring** |
| | 5228-5230 | TCP | Google Play Store Communication** |
| | 80, 443 | TCP | iOS/Android Backpack File Storage***, iOS WebClips***, Software Installer File Downloads*** |

*These addresses/subnets are your current primary/secondary/tertiary Dashboard IPs/Subnets.   

**Google publishes additional info on their Play Store CDNs here and here, but does not have a set list of confirmed IPs/Domains, so communications cannot be guaranteed with more restrictive rules.

***These features use URLs you specify, and as such we cannot pre-determine what their IPs are at any given time.  Please ensure you aren't firewalling off files you are configuring your clients to access.

**** is heavily load balanced, and its endpoint IPs may change based on a client's location and/or other factors.

Reducing Firewall Exceptions

For organizations aiming to reduce the number of whitelist rules on the firewall, port/IP ranges may be closed up based on the enrolled device mix.

  • For example, 993 and 60000 are used only for Macs and Windows 10 desktops with the SM agent enrolled.
  • Similarly, 5228-5230 is only used for Android devices.
  • Port 80 can be closed if your webclip, software, and backpack files aren't hosted on non-HTTPS sites. 
  • The subnet is needed to reach Apple's megaproxies, and APNS is used specifically to wake and communicate with Apple devices.
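
The reduction described above can be checked against an existing outbound allowlist. The following is an added example, not Meraki code: it compares allowed TCP port ranges with the ports from this page's table for a given device mix, and reports what is missing and what can be closed. It looks at ports only (destinations depend on your own Dashboard IPs), and the group names are labels chosen for the example.

```python
# Added example: TCP port requirements copied from this page's table and bullets.
# The group names (keys) are labels chosen for this example, not Meraki terms.
SM_PORTS = {
    "always":        [(443, 443)],                    # Meraki, Apple and Android 443 rows
    "desktop_agent": [(993, 993), (60000, 61000)],    # Mac/Win10 SM agent, remote desktop
    "apple":         [(2195, 2196), (5223, 5223)],    # iOS client communication, APNS
    "android":       [(5228, 5230)],                  # Google Play Store communication
    "http_content":  [(80, 80)],                      # webclips/software/backpack over HTTP
}

def merge(ranges):
    """Sort inclusive (lo, hi) ranges and join overlapping or adjacent ones."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def subtract(a, b):
    """Return the parts of ranges a that no range in b covers."""
    out = []
    for lo, hi in merge(a):
        for blo, bhi in merge(b):
            if bhi < lo or blo > hi:
                continue
            if blo > lo:
                out.append((lo, blo - 1))
            lo = bhi + 1
            if lo > hi:
                break
        if lo <= hi:
            out.append((lo, hi))
    return out

def audit(allowed, mix):
    """Compare allowed outbound TCP ranges with what the device mix needs."""
    need = merge(SM_PORTS["always"] + [r for g in mix for r in SM_PORTS[g]])
    every = merge([r for rs in SM_PORTS.values() for r in rs])
    open_sm = subtract(allowed, subtract(allowed, every))   # allowed ∩ SM ports
    return {"missing": subtract(need, allowed), "closable": subtract(open_sm, need)}

if __name__ == "__main__":
    # Constructed allowlist: every port row from the table is open.
    fw = [(80, 80), (443, 443), (993, 993), (2195, 2196), (5223, 5223),
          (5228, 5230), (60000, 61000)]
    print(audit(fw, {"apple"}))   # Apple-only fleet, all content on HTTPS
```

Pass `"http_content"` in the mix when any webclip, software or backpack file is served over plain HTTP, so that port 80 is treated as required rather than closable.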

Restricting 443 for the Meraki and Apple domains is not recommended and may severely hinder device and Dashboard functionality. The domain uses a dynamic list of IP addresses that cannot be broken into discrete IP ranges. If using domain-based whitelisting for and * (or at least, be prepared to holepunch additional IPs to open up any SM connection attempts that may potentially be blocked.