Configuring your network for MDM
When you install an MDM solution, you need to configure all of the following items. Configure and test each one early in the process to ensure a smooth deployment. If your MDM solution is externally managed or hosted in the cloud, your MDM vendor may handle many of these items on your behalf:
DNS: An MDM solution must use a fully qualified domain name that can be resolved from both inside and outside the organization’s network. This lets the server manage devices whether they’re connected locally or remotely. In order to maintain connectivity with clients, this domain name can’t change.
IP address: Most MDM solutions require a static IP address. The existing DNS name must persist if the server’s IP address is changed.
Configure MDM with TLS: All communications between Apple devices and the MDM solution are encrypted with HTTPS. A TLS (formerly SSL) certificate is required to secure these communications. Don’t deploy devices without a certificate from a well-known certificate authority (CA). Note the expiration date and make sure to renew the certificate before it expires.
Firewall ports: To enable both internal and external access to the MDM solution, certain firewall ports must be open. Most MDM solutions accept inbound connections using HTTPS on port 443. Both the MDM solution and the devices must communicate with the Apple Push Notification service. The MDM solution uses ports 2195 and 2196 with APNs; clients use port 5223.
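As an added example (not Apple's code and not any MDM vendor's tooling), the following Python script turns the DNS, certificate and firewall requirements above into checks that can be run before devices are enrolled. It uses only the standard library. The host names, addresses, dates and the simplified firewall rule format are constructed placeholders; the `resolve()` and `fetch_cert_not_after()` helpers need network access, while the `check_*` functions work on whatever values you feed them and run offline.

```python
"""Pre-deployment checks for the MDM network items above (DNS name, TLS
certificate expiry, firewall flows). Added example using only the Python
standard library; it is not Apple's code or any MDM vendor's tooling.
Host names, addresses, dates and the firewall rule format are constructed."""
import ipaddress
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Ports from the text: devices reach the MDM server over HTTPS, the MDM
# server talks to APNs on 2195/2196, and devices talk to APNs on 5223.
MDM_INBOUND_PORT = 443
APNS_SERVER_PORTS = (2195, 2196)
APNS_CLIENT_PORT = 5223


def check_fqdn(name: str) -> list[str]:
    """Return problems with the MDM host name (empty list means OK).

    The name must be a DNS name, not an IP literal, and must be fully
    qualified so the same name works inside and outside the network."""
    problems = []
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        return [f"{name!r} is an IP address; the MDM name must be a DNS name"]
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or any(label == "" for label in labels):
        problems.append(f"{name!r} is not a fully qualified domain name")
    if len(name) > 253 or any(len(label) > 63 for label in labels):
        problems.append(f"{name!r} exceeds DNS length limits")
    return problems


def resolve(name: str) -> set[str]:
    """Resolve `name` with this machine's resolver. Run it once from inside
    the network and once from outside, then compare with check_resolution()."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_resolution(name: str, internal: set[str], external: set[str]) -> list[str]:
    """Both vantage points must get an answer. Different address sets are
    common (split-horizon DNS); an empty answer on either side is the problem."""
    problems = []
    if not internal:
        problems.append(f"{name} does not resolve from the internal network")
    if not external:
        problems.append(f"{name} does not resolve from the public Internet")
    return problems


def fetch_cert_not_after(host: str, port: int = MDM_INBOUND_PORT) -> datetime:
    """Connect with chain verification against the system CA store and return
    the server certificate's notAfter as an aware UTC datetime. A certificate
    from a CA the system does not trust fails here with SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def check_cert_expiry(not_after: datetime, now: datetime, warn_days: int = 30) -> str:
    """Classify expiry: 'expired', 'renew-soon' (within warn_days), or 'ok'."""
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "renew-soon"
    return "ok"


def check_firewall(allowed: set[tuple[str, str, int]]) -> list[str]:
    """Report required TCP flows missing from a simplified allow-list.

    Each entry is (source, destination, port) using the constructed labels
    'any', 'devices', 'mdm' and 'apns'."""
    required = {("any", "mdm", MDM_INBOUND_PORT)}
    required |= {("mdm", "apns", port) for port in APNS_SERVER_PORTS}
    required.add(("devices", "apns", APNS_CLIENT_PORT))
    return [f"missing rule: {src} -> {dst} tcp/{port}"
            for src, dst, port in sorted(required) if (src, dst, port) not in allowed]


if __name__ == "__main__":
    # Constructed inputs standing in for a real deployment review.
    name = "mdm.example.com"
    now = datetime.now(timezone.utc)
    rules = {("any", "mdm", 443), ("mdm", "apns", 2195), ("devices", "apns", 5223)}
    report = check_fqdn(name)
    report += check_resolution(name, internal={"10.0.0.5"}, external={"203.0.113.10"})
    report.append("certificate: " + check_cert_expiry(now + timedelta(days=20), now))
    report += check_firewall(rules)  # flags the missing MDM -> APNs 2196 rule
    print("\n".join(report))
```

Run the script once from a host on the internal network and once from outside it, feeding each side's `resolve()` result to `check_resolution()`; `fetch_cert_not_after()` doubles as the "well-known CA" check, because it refuses to complete the handshake when the chain does not validate against the system trust store. The firewall labels are deliberately coarse: map them to your own rule base rather than treating the tuple format as anything standard.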