This article provides a comprehensive guide on how to set up your network effectively for Android Enterprise Mobility Management (EMM) devices. Proper network configuration is crucial to ensure seamless operation and management of Android devices within your organization's infrastructure.
Firewall Rules
In general, Android devices do not require any inbound ports to be opened on the network to function. However, IT Administrators need to be aware of specific outbound connections that must be configured when setting up network environments for Android Enterprise.
Outbound Connections and Endpoints
There are several endpoints associated with the Android Management API and Play EMM API, including both current and legacy versions. It's important to note that you can safely block port 80 for these URLs, as most of these endpoints are not directly browsable. The relevant outbound connections include:
- Android Management API Endpoints: Essential for device management and policy enforcement.
- Play EMM API Endpoints: Required for application deployment and management.
Whether your EMM solution is implemented using the Android Management API or Play EMM API, the firewall rules outlined here will be applicable. Ensure that your network allows traffic to these endpoints.
SSL Inspection
Traffic to these endpoints must bypass SSL inspection. An inspecting proxy presents its own certificate in place of Google's, so intercepted traffic to Google services can be interpreted as a man-in-the-middle attack, which could lead to blocked connections. Configure your SSL inspection settings to exempt these endpoints so that communication with Google services is not intercepted.
Manufacturer-Specific Ports
It is advisable to contact your device manufacturer for any additional ports that may be required. Device manufacturers (OEMs) often have specific hosts that devices need to reach to function correctly. Ensuring these connections are open is essential for the smooth operation of your Android devices.
Device Requirements
Here are the specific configurations needed for devices within your network:
EMM Consoles
If your EMM console is located on-premise, additional network considerations are necessary to facilitate the creation and management of a Managed Google Play Enterprise and access to the Managed Google Play iFrame. This iFrame is provided by Google for EMM developers to approve apps and streamline searches.
Network Access for Managed Play iFrame
The destinations listed below must be accessible from your network to ensure proper functionality:
Static IP Configuration
When configuring your network, set your firewall to allow outgoing connections to all addresses contained within Google's Autonomous System Number (ASN) 15169. Google does not provide specific IP addresses for its endpoints, so allowing access to the entire ASN range is necessary.
You can find the list of IP blocks associated with Google's ASN here.
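One way to check a firewall against this guidance is to audit its outbound log against the ASN 15169 block list. The following is an added example, not part of the original article: the prefixes are documentation ranges standing in for the real list, and the log line format is a hypothetical one constructed for the example.

```python
import ipaddress

# Constructed stand-ins for the published AS15169 IP blocks (documentation
# ranges, NOT Google's real prefixes); load the real list in production.
SAMPLE_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "2001:db8::/32"]

# Constructed firewall log, hypothetical format: "<action> <direction> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
ALLOW out 192.0.2.10 443
DENY out 192.0.2.200 443
DENY out 198.51.100.7 80
ALLOW out 198.51.100.7 80
DENY out 2001:db8::15 443
DENY out 203.0.113.9 443
"""

def build_allowlist(prefixes):
    """Parse the blocks and merge adjacent/overlapping ones, per IP version."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def audit_egress(log_text, allowlist):
    """Return (finding, dst, port) tuples for flows that contradict the guidance."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "out" or not parts[3].isdigit():
            continue  # skip malformed lines and inbound traffic
        action, dst, port = parts[0], parts[2], int(parts[3])
        addr = ipaddress.ip_address(dst)
        # Membership tests across IP versions are simply False.
        if not any(addr in net for net in allowlist):
            continue  # destination is outside the allowlisted blocks
        if action == "DENY" and port != 80:
            findings.append(("egress-blocked", dst, port))
        elif action == "ALLOW" and port == 80:
            findings.append(("port-80-can-be-blocked", dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG, build_allowlist(SAMPLE_PREFIXES)):
        print(finding)
```

Denied flows to port 80 are not reported, since the article states that port 80 can be blocked for these endpoints.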
Setting up your network to accommodate Android EMM devices requires careful attention to firewall rules, SSL inspection, and specific manufacturer requirements. By following the guidelines outlined in this article, you can ensure that your Android devices function smoothly within your organization's network.
For any additional information or assistance, please contact your device manufacturer or reach out to our support team.
We hope you found this guide helpful.
Thank you for reading! 🙂