Configuring Proxies and Firewalls for Apple MDM access

Recently I've been looking into firewall and proxy configuration in order to get MDM servers working properly. It's been rumoured for a while that Apple has been using third-party servers for some of its validation and content hosting.

Opening your network to the 17 Class A range (17.0.0.0/8) used to fix all issues, but that may no longer be enough.
So far this is the information we've found about the servers and ports used by Apple and other MDM solutions:

Firewall setup

Ports that need opening on the firewall to the 17 Class A range (17.0.0.0/8):

  • TCP port 5223 for device communication with the APNs
  • TCP port 443 as a fallback for reaching the APNs when 5223 is blocked

Ports that need opening for the MDM server to reach the APNs:

  • TCP port 2195: sending push notifications to the APNs
  • TCP port 2196: connecting to the APNs feedback service
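Before changing firewall rules it helps to know exactly which of the connections above are currently blocked, and which Apple hosts resolve to addresses outside 17.0.0.0/8 (those are the ones a "17 Class A" rule will not cover). The script below is an added example for this post, not code from the original article or from Amsys: it attempts a plain TCP handshake to each host:port you pass on the command line, tries 443 as a fallback after 5223 in the same way the list above describes, and flags resolved addresses that fall outside 17.0.0.0/8. No Apple host names are built in; you supply them, and the offline self-test uses only a local listener on 127.0.0.1.

```python
"""TCP reachability check for the Apple MDM/APNs ports listed in this post.

Added example, not part of the original post. Host names are supplied on
the command line; nothing here is an official Apple endpoint list.
"""
import socket
import sys
from ipaddress import ip_address, ip_network

# The "17 Class A" range from the post, as a network object.
APPLE_NET = ip_network("17.0.0.0/8")

# Ports and purposes exactly as the firewall section of the post lists them.
DEVICE_PORTS = {5223: "APNs (device side)", 443: "APNs fallback when 5223 is blocked"}
SERVER_PORTS = {2195: "sending push notifications to APNs", 2196: "APNs feedback service"}


def in_apple_range(ip: str) -> bool:
    """True if the address lies inside 17.0.0.0/8."""
    return ip_address(ip) in APPLE_NET


def classify_addresses(addrs):
    """Split resolved addresses into (inside 17/8, outside 17/8).

    Anything in the second list needs its own allow rule; a rule for
    17.0.0.0/8 alone will not let that traffic through.
    """
    inside = [a for a in addrs if in_apple_range(a)]
    outside = [a for a in addrs if not in_apple_range(a)]
    return inside, outside


def resolve(host):
    """All IPv4 addresses the host currently resolves to (sorted, unique)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})


def check_port(host, port, timeout=3.0):
    """Return (ok, detail); ok is True only if a TCP handshake completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return True, f"connected to {s.getpeername()[0]}:{port}"
    except OSError as exc:  # covers refused, timeout and DNS (gaierror) failures
        return False, str(exc)


def check_apns_device_path(host, timeout=3.0):
    """Try 5223 first, then 443, mirroring the fallback described above."""
    if check_port(host, 5223, timeout)[0]:
        return "5223"
    if check_port(host, 443, timeout)[0]:
        return "443-fallback"
    return "blocked"


def self_test():
    """Offline check: an open local port must pass, a closed one must fail."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    ok_open, _ = check_port("127.0.0.1", port, timeout=1.0)
    srv.close()
    ok_closed, _ = check_port("127.0.0.1", port, timeout=1.0)
    return ok_open and not ok_closed


def main(argv):
    if not argv:
        print("usage: apns_check.py host[:port] ...   (host alone = device-side 5223/443 check)")
        return 2
    for target in argv:
        host, _, port = target.partition(":")
        try:
            inside, outside = classify_addresses(resolve(host))
        except OSError as exc:
            print(f"{host}: DNS failed ({exc})")
            continue
        if outside:
            print(f"{host}: resolves outside 17.0.0.0/8 -> {outside} (needs its own rule)")
        if port:
            ok, detail = check_port(host, int(port))
            purpose = SERVER_PORTS.get(int(port)) or DEVICE_PORTS.get(int(port), "")
            print(f"{host}:{port} {purpose}: {'OK' if ok else 'BLOCKED'} ({detail})")
        else:
            print(f"{host} device path: {check_apns_device_path(host)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from the MDM server with `host:2195` and `host:2196` targets, and from a client subnet with bare host names for the 5223/443 device path; a "resolves outside 17.0.0.0/8" line is the signal that the old single 17/8 rule is no longer sufficient for that host.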

Proxy setup

For Activation



  • – for corporate apps
  • and – for certificates
  • and – certificates and authentication during device restore and activation

Content download

  • * – iTunes content
  • deimos * – iTunes U content
  • * – Apple Content Delivery Network
  • * and * – content delivery network
  • * and * – content delivery network (cache)
  • * – artwork (covers, excerpts, icons ...)


  • – iOS firmware
  • – searches
  • – iOS signature validation
  • – iOS updates
  • – app updates


  • *


  • – iTunes Services
  • – validation of credit cards and accounts
  • – statistics


  • – sending notification to the APNs
  • – send feedback to the APNs
  • * – APNs for all iOS push notifications

We found this information from a variety of sources, including the Apple iOS Deployment documentation, a very interesting document found on the web by Antoine Moussy @ Academie Versailles, and the traffic seen on our own firewall.
If you're trying to set up an MDM solution, Amsys has created a nice iOS app that can help you test the connections to your server and Apple's servers –