Configuring your network for MDM with Apple devices
When installing and configuring your MDM solution, there are important considerations for configuring the network, Transport Layer Security (TLS), infrastructure services, Apple services, and backup.
When you install a locally hosted MDM solution, you need to configure all of the following items. Configure and test each one early in the process to ensure a smooth deployment. If your MDM solution is externally managed or hosted in the cloud, your MDM vendor may handle many of these items on your behalf:
DNS: An MDM solution must use a fully qualified domain name that can be resolved from both inside and outside the organization’s network. This lets the server manage devices whether they’re connected locally or remotely. In order to maintain connectivity with clients, this domain name can’t change.
IP address: Most MDM solutions require a static IP address. The existing DNS name must persist if the server’s IP address is changed.
Configure MDM with TLS: All communications between Apple devices and the MDM solution are encrypted with HTTPS. A TLS (formerly SSL) certificate is required to secure these communications. Don’t deploy devices without a certificate from a well-known certificate authority (CA). Note the expiration date and make sure to renew the certificate before it expires.
Firewall ports: To enable both internal and external access to the MDM solution, certain firewall ports must be open. Most MDM solutions accept inbound connections using HTTPS on port 443. Both the MDM solution and the devices must communicate with the Apple Push Notification service. Prior to November, 2020, MDM solutions use ports 2195 and 2196 with APNs; clients use port 5223. After November 2020, MDM solutions use port 2197.