This article is for IT admins. It lists the outbound network access that Android Enterprise devices and EMM consoles need, so that you can set up firewall rules for them.
Firewall Rules
Android devices generally do not require any inbound ports to be opened on the network in order to function correctly. However, there are several outbound connections that IT admins should be aware of when setting up their network environments for Android Enterprise.
The following list is subject to change. It covers known endpoints for current and past versions of enterprise management APIs.
Note: Most of these endpoints are not browsable, and all of them are served over TLS, so you can safely block TCP/80 to these hosts.
The endpoints listed here are mandatory for the apps and services named beside them, and devices must reach them directly. Devices placed behind a proxy cannot make these direct connections, and the corresponding functions will fail.
These rules apply whether your EMM solution is built on the Play EMM API or on the Android Management API.
Traffic to these endpoints must also bypass SSL inspection. TLS-intercepted traffic to Google services is often interpreted as a person-in-the-middle attack and is blocked.
Devices
Destination Host | Ports | Purpose |
---|---|---|
play.google.com, android.com, google-analytics.com, googleusercontent.com, *.gstatic.com, *.gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com, *.gvt2.com, *.gvt3.com | TCP/443; TCP, UDP/5228-5230 | Google Play and updates. gstatic.com and googleusercontent.com serve user-generated content (for example, app icons in the store). *.gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com and android.clients.google.com serve app and update downloads and the Play Store APIs. *.gvt2.com and *.gvt3.com are used for Play connectivity monitoring and diagnostics. |
*.googleapis.com, m.google.com | TCP/443 | EMM, Google APIs, Play Store APIs, Android Management API |
accounts.google.com, accounts.google.[country] | TCP/443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]; for example, accounts.google.com.au for Australia and accounts.google.co.uk for the United Kingdom. |
gcm-http.googleapis.com, gcm-xmpp.googleapis.com, android.googleapis.com | TCP/443, 5228-5230 | Google Cloud Messaging (for example, EMM console <-> DPC communication, such as pushing configs) |
fcm.googleapis.com, fcm-xmpp.googleapis.com, firebaseinstallations.googleapis.com | TCP/443, 5228-5230 | Firebase Cloud Messaging (for example, Find My Device, and EMM console <-> DPC communication, such as pushing configs). For the most up-to-date list of FCM endpoints, consult the FCM documentation. |
fcm-xmpp.googleapis.com, gcm-xmpp.googleapis.com | TCP/5235, 5236 | Persistent bidirectional XMPP connections to the FCM and GCM servers |
pki.google.com, clients1.google.com | TCP/443 | Certificate revocation list checks for Google-issued certificates |
clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP/443 | Domains shared by various Google backend services such as crash reporting, Chrome bookmark sync, time sync (tlsdate) and many others |
omahaproxy.appspot.com | TCP/443 | Chrome updates |
android.clients.google.com | TCP/443 | Android Device Policy download URL used in NFC provisioning |
connectivitycheck.android.com, www.google.com | TCP/443 | Used by the Android OS for its connectivity check whenever the device joins a Wi-Fi or mobile network. Starting with Android 7.1 (N MR1), the check requires https://www.google.com/generate_204 to be reachable, or the Wi-Fi network to point to a reachable PAC file. |
ota.googlezip.net, ota-cache1.googlezip.net, ota-cache2.googlezip.net | TCP/443 | Used by Pixel devices for OTA updates |
mtalk.google.com, mtalk4.google.com, mtalk-staging.google.com, mtalk-dev.google.com, alt1-mtalk.google.com, alt2-mtalk.google.com, alt3-mtalk.google.com, alt4-mtalk.google.com, alt5-mtalk.google.com, alt6-mtalk.google.com, alt7-mtalk.google.com, alt8-mtalk.google.com, android.clients.google.com, device-provisioning.googleapis.com | TCP/443, 5228-5230 | Allows mobile devices to connect to FCM when an organization firewall is present on the network. |
time.google.com | UDP/123 | During provisioning, Android devices require access to an NTP server, which is typically reached on UDP/123. The OEM may configure a different server. |
android-safebrowsing.google.com, safebrowsing.google.com | TCP/443 | Safe Browsing endpoints, used by Google Play Protect. |
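The connectivity-check row above says the OS needs https://www.google.com/generate_204 to answer. The following added example (not Android's or Google's code) classifies a raw HTTP reply to that probe so you can tell a clean path from a captive portal, proxy or inspection device answering in its place. The sample replies are constructed, and the decision rules are this example's own simplification of the behaviour the table describes, not the platform's exact logic.

```python
"""Classify the reply to an Android-style connectivity probe.

Added example, not the platform's NetworkMonitor code. The decision rules
are this example's own simplification of the behaviour described above:
a 204 from https://www.google.com/generate_204 means the path is clean;
a redirect, a 200 carrying a page, or a 511 means a captive portal, a
proxy or an inspection box answered instead. Sample replies are
constructed for the demonstration, not captured traffic.
"""
from __future__ import annotations

from typing import NamedTuple


class Verdict(NamedTuple):
    ok: bool
    reason: str
    location: str | None = None  # redirect target, when one was given


def parse_response(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split a raw HTTP/1.x reply into (status, lowercase headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify(raw: bytes) -> Verdict:
    """Decide whether a generate_204 probe reached the endpoint unmodified."""
    status, headers, body = parse_response(raw)
    location = headers.get("location")
    if status == 204:
        return Verdict(True, "204 No Content: probe reached the endpoint")
    if status == 200 and not body and headers.get("content-length", "0") == "0":
        # This example's choice: accept an empty 200 as a pass, but say so,
        # because the endpoint itself answers 204 and something may have
        # rewritten the status code on the way.
        return Verdict(True, "empty 200: accepted, but check what rewrote the 204")
    if 300 <= status < 400:
        return Verdict(False, f"redirect ({status}): captive portal or proxy login page", location)
    if status == 511:
        return Verdict(False, "511 Network Authentication Required: captive portal")
    if status == 200:
        return Verdict(False, f"200 with a {len(body)}-byte body: something on the path answered instead")
    return Verdict(False, f"unexpected status {status}")


# Constructed sample replies (not captured traffic).
CLEAN = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
PORTAL = (b"HTTP/1.1 302 Found\r\nLocation: https://portal.example.net/login\r\n"
          b"Content-Length: 0\r\n\r\n")
INTERCEPTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 40\r\n\r\n"
               b"<html><body>Access blocked</body></html>")


if __name__ == "__main__":
    for name, reply in (("clean", CLEAN), ("portal", PORTAL), ("intercepted", INTERCEPTED)):
        verdict = classify(reply)
        print(f"{name:12} ok={verdict.ok} {verdict.reason}"
              + (f" -> {verdict.location}" if verdict.location else ""))
```

To use it against a real network segment, capture the reply with a plain HTTP client from the device VLAN and feed the bytes to `classify`; a redirect target or an HTML body tells you which box on the path is answering in Google's place.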
Consoles
If an EMM console is hosted on-premises, the destinations below need to be reachable from its network to create a Managed Google Play Enterprise and to access the Managed Google Play iFrame. Google has made the Managed Play iFrame available to EMM developers to simplify search and approval of apps.
Destination Host | Ports | Purpose |
---|---|---|
www.googleapis.com, androidmanagement.googleapis.com | TCP/443 | Play EMM API and Android Management API (whichever applies; ask your EMM) |
play.google.com, www.google.com | TCP/443 | Google Play Store; Play Enterprise re-enrollment |
fonts.googleapis.com, *.gstatic.com | TCP/443 | iFrame JavaScript, Google Fonts, user-generated content (for example, app icons in the store) |
accounts.youtube.com, accounts.google.com, accounts.google.com.* | TCP/443 | Account authentication, including country-specific account auth domains |
fcm.googleapis.com | TCP/443, 5228-5230 | Firebase Cloud Messaging (for example, Find My Device, and EMM console <-> DPC communication, such as pushing configs) |
crl.pki.goog, ocsp.pki.goog | TCP/443 | Certificate validation (CRL and OCSP) |
apis.google.com, ajax.googleapis.com | TCP/443 | GCM, other Google web services, and iFrame JavaScript |
clients1.google.com, payments.google.com, google.com | TCP/443 | App approval |
ogs.google.com | TCP/443 | iFrame UI elements |
notifications.google.com | TCP/443 | Desktop and mobile notifications |
enterprise.google.com/android/* | TCP/443 | Zero-touch console |
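The two tables above are easy to transcribe into an egress policy with subtle mistakes: a wildcard written as `*gstatic.com` instead of `*.gstatic.com`, UDP forgotten on 5228-5230, or the XMPP ports and NTP left out. The following added example (not Google's or any firewall vendor's code) checks a candidate allowlist against a hand-copied subset of the Devices and Consoles tables. The allowlist format (host pattern, protocol, port range) is a hypothetical export format assumed for the demonstration, and the policy it checks is constructed.

```python
"""Check an egress allowlist against the endpoint tables on this page.

Added example, not Google's code. REQUIRED is a hand-copied subset of the
Devices and Consoles tables; the allowlist format (host pattern, protocol,
port range) is a hypothetical export format, not any vendor's syntax.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    host: str   # exact hostname, or '*.domain' for every name under domain
    proto: str  # 'tcp' or 'udp'
    lo: int     # first port, inclusive
    hi: int     # last port, inclusive


REQUIRED = [
    # Devices table (subset)
    Rule("play.google.com", "tcp", 443, 443),
    Rule("play.google.com", "tcp", 5228, 5230),
    Rule("play.google.com", "udp", 5228, 5230),
    Rule("*.gstatic.com", "tcp", 443, 443),
    Rule("*.gvt1.com", "tcp", 443, 443),
    Rule("android.clients.google.com", "tcp", 443, 443),
    Rule("*.googleapis.com", "tcp", 443, 443),
    Rule("accounts.google.com", "tcp", 443, 443),
    Rule("fcm-xmpp.googleapis.com", "tcp", 5235, 5236),
    Rule("connectivitycheck.android.com", "tcp", 443, 443),
    Rule("www.google.com", "tcp", 443, 443),
    Rule("mtalk.google.com", "tcp", 5228, 5230),
    Rule("time.google.com", "udp", 123, 123),
    # Consoles table (subset)
    Rule("androidmanagement.googleapis.com", "tcp", 443, 443),
    Rule("ocsp.pki.goog", "tcp", 443, 443),
]


def validate_pattern(pattern: str) -> str | None:
    """Return a problem description for a bad host pattern, or None.

    Only an exact hostname or a leading '*.' label wildcard is accepted.
    '*gstatic.com' (star not followed by a dot) is rejected: on a
    suffix-matching firewall it would also admit 'evilgstatic.com'.
    """
    if "*" in pattern and (pattern.count("*") > 1 or not pattern.startswith("*.")):
        return f"malformed wildcard: {pattern!r}"
    labels = pattern.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return f"not a hostname: {pattern!r}"
    if pattern.startswith("*.") and len(labels) < 3:
        return f"wildcard too broad: {pattern!r}"
    return None


def covers_host(policy: str, required: str) -> bool:
    """True if the policy pattern allows every name the required pattern names.

    Wildcards are label-anchored: '*.google.com' covers 'play.google.com'
    and '*.clients.google.com' but neither the apex 'google.com' nor
    'evilgoogle.com'. If your firewall treats '*.d' as also matching 'd',
    list the apex explicitly anyway; this checker is deliberately strict.
    """
    if not policy.startswith("*."):
        return policy == required
    suffix = policy[1:]  # '.google.com'
    if required.startswith("*."):
        return required == policy or required[1:].endswith(suffix)
    return required.endswith(suffix)


def covers(rule: Rule, req: Rule) -> bool:
    return (rule.proto == req.proto
            and rule.lo <= req.lo and req.hi <= rule.hi
            and covers_host(rule.host, req.host))


def find_gaps(policy: list[Rule], required: list[Rule] = REQUIRED) -> list[Rule]:
    """Required entries that no single policy rule covers.

    A port range split across two rules is reported as a gap; that is
    conservative and keeps the check easy to reason about.
    """
    return [req for req in required if not any(covers(rule, req) for rule in policy)]


def lint_policy(policy: list[Rule]) -> list[str]:
    """Problems with the policy's own host patterns."""
    return [msg for rule in policy if (msg := validate_pattern(rule.host))]


# Constructed: a plausible first attempt at the allowlist.
EXAMPLE_POLICY = [
    Rule("*.google.com", "tcp", 443, 443),
    Rule("*.google.com", "tcp", 5228, 5230),
    Rule("*.googleapis.com", "tcp", 443, 443),
    Rule("*gstatic.com", "tcp", 443, 443),   # typo: star not followed by a dot
    Rule("*.gvt1.com", "tcp", 443, 443),
    Rule("android.com", "tcp", 443, 443),
    Rule("connectivitycheck.android.com", "tcp", 443, 443),
]


if __name__ == "__main__":
    for problem in lint_policy(EXAMPLE_POLICY):
        print("pattern:", problem)
    for gap in find_gaps(EXAMPLE_POLICY):
        print(f"missing: {gap.host} {gap.proto}/{gap.lo}-{gap.hi}")
```

Run against the constructed policy it reports the malformed `*gstatic.com` pattern and five gaps: UDP 5228-5230 to play.google.com, `*.gstatic.com` (the typo does not count as coverage), TCP/5235-5236 to fcm-xmpp.googleapis.com, UDP/123 to time.google.com, and ocsp.pki.goog. Extend REQUIRED with the full tables before using it for real.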
Static IP
Google does not publish specific IP addresses for its service endpoints. If you must allow traffic by IP address, configure your firewall to accept outbound connections to all address blocks announced by Google's ASN 15169.