Android Enterprise Network Requirements

The following article has been designed for IT admins, to help them determine the best way to set up their networks for Android Enterprise devices.

Firewall Rules

Android devices generally do not require inbound ports opened on the network to function correctly. However, there are several outbound connections that IT admins should be aware of when setting up their network environments for Android Enterprise.

The following list is subject to change. It covers known endpoints for current and past versions of enterprise management APIs.

Note: Most of these endpoints are not browsable. Thus, you can safely block port 80 for these URLs since they’re all behind SSL. 

Different apps and services require specific mandatory endpoints. A direct connection is required to reach all the endpoints successfully. If the devices are connected behind a proxy, direct communication is not possible and certain functions will fail.

The rules contained here apply regardless of whether your EMM solution is implemented using the Play EMM API or the Android Management API.

Traffic to these endpoints should also bypass SSL inspection. SSL-intercepted traffic to Google services is often interpreted as a person-in-the-middle attack and is blocked.

Note: OEMs often have their own hosts that need to be reached for their devices to function properly. Please contact your device manufacturer for any extra ports that may be required.



Destination Host Ports Purpose







TCP, UDP/5228-5230

Google Play and updates, - contains User-Generated Content (for example, app icons in the store)


*, *.ggpht,,, - Download apps and updates, Play Store APIs and are used for Play connectivity monitoring and diagnostics. 

TCP/443 EMM/Google APIs/PlayStore APIs/Android Management APIs[country]



For[country], use your local top-level domain for [country]. For example, for Australia use, and for United Kingdom use

TCP/443,5228-5230 Google Cloud Messaging (e.g. EMM Console <-> DPC communication, like pushing configs)

TCP/443,5228–5230 Firebase Cloud Messaging (for example, Find My Device, EMM Console <-> DPC communication, like pushing configs). For the most up-to-date information on FCM, click here.

TCP/5235,5236 When using persistent bidirectional XMPP connection to FCM and GCM servers

TCP/443 Certificate Revocation list checks for Google-issued certificates

TCP/443 Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others

TCP/443 Chrome updates

TCP/443 Android Device Policy download URL used in NFC provisioning

TCP/443 Used by Android OS for connectivity check whenever the device connects to any WiFi / Mobile network.
Android connectivity check, starting with N MR1, requires to be reachable, or for the given Wi-Fi network to point to a reachable PAC file.

TCP/443 Used by Pixel devices for OTA updates

TCP/443,5228–5230 Allows mobile devices to connect to FCM when an organization firewall is present on the network. (see details here)

UDP/123 During provisioning, Android devices require access to an NTP server, which is typically accessed via port UDP/123. This can be changed by an OEM.

TCP/443 Safebrowsing endpoints are used for Google Play Protect.




If an EMM console is located on-premise, the destinations below need to be reachable from the network to create a Managed Google Play Enterprise and to access the Managed Google Play iFrame. Google has made the Managed Play iFrame available to EMM developers to simplify search and approval of apps.

Destination Host Ports Purpose


Play EMM API (if applicable - ask your EMM)

Android Management API (if applicable - ask your EMM)


Google Play Store

Play Enterprise re-enroll



iFrame JS

Google fonts

User Generated Content (e.g. app icons in the store)*


Account Authentication

Country-specific account auth domains


Firebase Cloud Messaging (e.g. Find My Device, EMM Console <-> DPC communication, like pushing configs)


Certificate Validation


GCM, other Google web services, and iFrame JS


App approval


iFrame UI elements


Desktop/Mobile Notifications*


Zero Touch console


Static IP

Google does not provide specific IP addresses for its service endpoints. If you need to allow traffic based on IP, configure your firewall to accept outgoing connections to all addresses contained in the IP blocks of Google's ASN 15169, listed here.

Note: The IPs of Google peers and edge nodes are not listed in the AS15169 blocks. See for more information about Google’s Edge Network. 
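
As an added example (not part of the original article and not Google tooling), the Python script below scans a firewall deny log for blocked flows that this page requires: a destination inside an allowed prefix combined with a port from the table above. The prefixes, the log format and the log lines are constructed placeholders; substitute the blocks currently published for AS15169 and your firewall's own log layout.

```python
import ipaddress

# Outbound ports from the table on this page: (protocol, first port, last port).
# UDP/123 (NTP) is left out because the NTP server is not tied to Google's blocks.
REQUIRED_PORTS = [
    ("tcp", 443, 443),    # EMM, Google, Play Store and Android Management APIs
    ("tcp", 5228, 5230),  # Google Play, GCM and FCM
    ("udp", 5228, 5230),  # Google Play and updates
    ("tcp", 5235, 5236),  # persistent XMPP connection to FCM and GCM
]

# Constructed placeholders (documentation ranges), NOT Google's real blocks.
SAMPLE_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]

# Constructed deny log, hypothetical format: "<action> <proto> <dst_ip> <dst_port>".
SAMPLE_LOG = """\
DENY tcp 192.0.2.10 5228
DENY tcp 192.0.2.10 80
DENY udp 198.51.100.7 5229
DENY tcp 203.0.113.5 443
DENY tcp 2001:db8::1 5236
DENY tcp not-an-ip 443
"""

def port_required(proto, port):
    """True if proto/port is one of the outbound flows the page lists."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in REQUIRED_PORTS)

def blocked_required_flows(log_text, prefixes):
    """Return denied flows that hit a required port inside an allowed prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "DENY":
            continue  # not a deny record in the assumed format
        try:
            dst, port = ipaddress.ip_address(fields[2]), int(fields[3])
        except ValueError:
            continue  # malformed address or port
        proto = fields[1].lower()
        # Membership is False when address and network differ in IP version.
        if any(dst in n for n in nets) and port_required(proto, port):
            hits.append((proto, str(dst), port))
    return hits

if __name__ == "__main__":
    for proto, dst, port in blocked_required_flows(SAMPLE_LOG, SAMPLE_PREFIXES):
        print(f"required flow blocked: {proto}/{port} -> {dst}")
```

Denied port 80 traffic is deliberately not reported, matching the note above that port 80 can be blocked for these endpoints.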
