Android Enterprise Network Requirements

The following article has been designed for IT admins, to help them determine the best way to set up their networks for Android Enterprise devices.

Firewall Rules

Android devices generally do not require inbound ports opened on the network to function correctly. However, there are several outbound connections that IT admins should be aware of when setting up their network environments for Android Enterprise.

The following list is subject to change. It covers known endpoints for current and past versions of enterprise management APIs.

Note: Most of these endpoints are not browsable. Thus, you can safely block port 80 for these URLs since they’re all behind SSL. 

Different apps and services require specific mandatory endpoints. A direct connection is required to reach all the endpoints successfully. If the devices are connected behind a proxy, direct communication is not possible and certain functions will fail.

The rules contained here apply regardless of whether your EMM solution is implemented using the Play EMM API or the Android Management API.

Traffic to these endpoints should also bypass SSL inspection. SSL-intercepted traffic to Google services is often interpreted as a person-in-the-middle attack and is blocked.

Note: OEMs often have their own hosts that need to be reached for their devices to function properly. Please contact your device manufacturer for any extra ports that may be required.

Devices

Destination Host | Ports | Purpose

play.google.com, android.com, google-analytics.com, googleusercontent.com, *.gstatic.com, *.gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com, *.gvt2.com, *.gvt3.com | TCP/443; TCP, UDP/5228-5230 | Google Play and updates. gstatic.com and googleusercontent.com contain user-generated content (for example, app icons in the store). *.gvt1.com, *.ggpht.com, dl.google.com, dl-ssl.google.com and android.clients.google.com are used to download apps and updates and for Play Store APIs. gvt2.com and gvt3.com are used for Play connectivity monitoring and diagnostics.

*.googleapis.com, m.google.com | TCP/443 | EMM/Google APIs/Play Store APIs/Android Management APIs

accounts.google.com, accounts.google.[country] | TCP/443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for the United Kingdom use accounts.google.co.uk.

gcm-http.googleapis.com, gcm-xmpp.googleapis.com, android.googleapis.com | TCP/443,5228-5230 | Google Cloud Messaging (for example, EMM console <-> DPC communication, such as pushing configs)

fcm.googleapis.com, fcm-xmpp.googleapis.com, firebaseinstallations.googleapis.com | TCP/443,5228-5230 | Firebase Cloud Messaging (for example, Find My Device, EMM console <-> DPC communication, such as pushing configs). Refer to the current FCM documentation for the most up-to-date information.

fcm-xmpp.googleapis.com, gcm-xmpp.googleapis.com | TCP/5235,5236 | When using a persistent bidirectional XMPP connection to FCM and GCM servers

pki.google.com, clients1.google.com | TCP/443 | Certificate Revocation List checks for Google-issued certificates

clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP/443 | Domains shared by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate) and many others

omahaproxy.appspot.com | TCP/443 | Chrome updates

android.clients.google.com | TCP/443 | Android Device Policy download URL used in NFC provisioning

connectivitycheck.android.com, connectivitycheck.gstatic.com, www.google.com | TCP/443 | Used by the Android OS for a connectivity check whenever the device connects to any Wi-Fi or mobile network. Starting with Android N MR1, the connectivity check requires https://www.google.com/generate_204 to be reachable, or the given Wi-Fi network to point to a reachable PAC file.

ota.googlezip.net, ota-cache1.googlezip.net, ota-cache2.googlezip.net | TCP/443 | Used by Pixel devices for OTA updates

mtalk.google.com, mtalk4.google.com, mtalk-staging.google.com, mtalk-dev.google.com, alt1-mtalk.google.com, alt2-mtalk.google.com, alt3-mtalk.google.com, alt4-mtalk.google.com, alt5-mtalk.google.com, alt6-mtalk.google.com, alt7-mtalk.google.com, alt8-mtalk.google.com, android.clients.google.com, device-provisioning.googleapis.com | TCP/443,5228-5230 | Allows mobile devices to connect to FCM when an organization firewall is present on the network

time.google.com | UDP/123 | During provisioning, Android devices require access to an NTP server, which is typically accessed via UDP/123. This can be changed by an OEM.

android-safebrowsing.google.com, safebrowsing.google.com | TCP/443 | Safe Browsing endpoints are used for Google Play Protect

 

Consoles

If an EMM console is located on-premise, the destinations below need to be reachable from the network to create a Managed Google Play Enterprise and to access the Managed Google Play iFrame. Google has made the Managed Play iFrame available to EMM developers to simplify search and approval of apps.

Destination Host | Ports | Purpose

www.googleapis.com, androidmanagement.googleapis.com | TCP/443 | www.googleapis.com: Play EMM API (if applicable; ask your EMM). androidmanagement.googleapis.com: Android Management API (if applicable; ask your EMM).

play.google.com, www.google.com | TCP/443 | Google Play Store; Play Enterprise re-enroll

fonts.googleapis.com, *.gstatic.com | TCP/443 | iFrame JS, Google fonts, and user-generated content (e.g. app icons in the store)

accounts.youtube.com, accounts.google.com, accounts.google.com.* | TCP/443 | Account authentication, including country-specific account auth domains

fcm.googleapis.com | TCP/443,5228-5230 | Firebase Cloud Messaging (e.g. Find My Device, EMM console <-> DPC communication, such as pushing configs)

crl.pki.goog, ocsp.pki.goog | TCP/443 | Certificate validation

apis.google.com, ajax.googleapis.com | TCP/443 | GCM, other Google web services, and iFrame JS

clients1.google.com, payments.google.com, google.com | TCP/443 | App approval

ogs.google.com | TCP/443 | iFrame UI elements

notifications.google.com | TCP/443 | Desktop/mobile notifications

enterprise.google.com/android/* | TCP/443 | Zero Touch console
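The Devices and Consoles tables are easiest to act on as an explicit allow-list that can be replayed against egress logs before the rules go live. The following Python is an added example written for this article, not Google's code or any EMM vendor's tooling: it encodes a subset of the rows above (hostnames, ports and purposes as the tables give them), parses the tables' port notation, matches the wildcard forms the tables use (`*.gstatic.com`, `accounts.google.[country]`), and evaluates constructed log lines. The `dst=/proto=/dport=` log format, the `Rule` class, the decision dictionaries and the sample lines are assumptions made for the example; the `tls_inspect` flag records the article's requirement that these endpoints bypass SSL inspection, and port 80 to a listed host is denied as the article recommends.

```python
"""Allow-list matcher built from the Devices and Consoles tables above.

Added example, not Google's code. Hostnames, ports and purposes are copied
from the tables; the log-line format (dst=/proto=/dport=), the Rule class
and the decision dictionaries are assumptions made for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    hosts: list                 # hostname patterns exactly as the table writes them
    ports: str                  # port column; several specs separated by ';'
    purpose: str
    tls_inspect: bool = False   # article: Google endpoints must bypass SSL inspection


def parse_ports(spec):
    """'TCP, UDP/5228-5230' -> {('tcp', 5228, 5230), ('udp', 5228, 5230)}."""
    out = set()
    for part in spec.split(";"):
        protos, _, ports = part.partition("/")
        for proto in re.split(r"[,\s]+", protos.strip()):
            for rng in ports.split(","):
                lo, _, hi = rng.strip().replace("\u2013", "-").partition("-")
                out.add((proto.lower(), int(lo), int(hi or lo)))
    return out


def host_matches(pattern, host):
    """'*.x' matches subdomains of x only (never x itself or x.evil.example);
    'accounts.google.*' matches any suffix, including multi-label ones like co.uk."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    if pattern.endswith(".*"):
        prefix = pattern[:-1]
        return host.startswith(prefix) and len(host) > len(prefix)
    return host == pattern


RULES = [
    Rule(["play.google.com", "android.com", "google-analytics.com",
          "googleusercontent.com", "*.gstatic.com", "*.gvt1.com", "*.ggpht.com",
          "dl.google.com", "dl-ssl.google.com", "android.clients.google.com",
          "*.gvt2.com", "*.gvt3.com"],
         "TCP/443; TCP, UDP/5228-5230", "Google Play and updates"),
    Rule(["accounts.google.com", "accounts.google.*"], "TCP/443", "Authentication"),
    Rule(["fcm-xmpp.googleapis.com", "gcm-xmpp.googleapis.com"], "TCP/5235,5236",
         "Persistent XMPP connection to FCM/GCM"),
    Rule(["*.googleapis.com", "m.google.com"], "TCP/443", "EMM/Google/Play Store/AMAPI APIs"),
    Rule(["mtalk.google.com", "mtalk4.google.com", "device-provisioning.googleapis.com"]
         + [f"alt{i}-mtalk.google.com" for i in range(1, 9)],
         "TCP/443,5228-5230", "FCM connection through an organization firewall"),
    Rule(["connectivitycheck.android.com", "connectivitycheck.gstatic.com", "www.google.com"],
         "TCP/443", "Android connectivity check"),
    Rule(["time.google.com"], "UDP/123", "NTP during provisioning"),
    Rule(["android-safebrowsing.google.com", "safebrowsing.google.com"], "TCP/443",
         "Google Play Protect (Safe Browsing)"),
    Rule(["crl.pki.goog", "ocsp.pki.goog"], "TCP/443", "Certificate validation (console)"),
]

LOG_RE = re.compile(r"dst=(?P<host>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<port>\d+)")


def evaluate(line):
    """Return the policy decision for one outbound-connection log line."""
    m = LOG_RE.search(line)
    if not m:
        return {"action": "deny", "reason": "unparseable log line"}
    host, proto, port = m["host"], m["proto"].lower(), int(m["port"])
    host_rule = None
    for rule in RULES:
        if not any(host_matches(p, host) for p in rule.hosts):
            continue
        host_rule = host_rule or rule
        if any(pr == proto and lo <= port <= hi for pr, lo, hi in parse_ports(rule.ports)):
            return {"action": "allow", "purpose": rule.purpose, "tls_inspect": rule.tls_inspect}
    if host_rule:   # e.g. port 80 to play.google.com: the article says block it
        return {"action": "deny",
                "reason": f"{host} is listed for '{host_rule.purpose}' but not on {proto}/{port}"}
    return {"action": "deny", "reason": "destination is not in the Android Enterprise allow-list"}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z dst=play.google.com proto=tcp dport=443
2024-05-01T08:00:02Z dst=play.google.com proto=udp dport=5229
2024-05-01T08:00:03Z dst=accounts.google.co.uk proto=tcp dport=443
2024-05-01T08:00:04Z dst=fcm-xmpp.googleapis.com proto=tcp dport=5235
2024-05-01T08:00:05Z dst=play.google.com proto=tcp dport=80
2024-05-01T08:00:06Z dst=gstatic.com.evil.example proto=tcp dport=443
2024-05-01T08:00:07Z dst=updates.example.net proto=tcp dport=443
"""


def audit(log_text):
    """Decision per sample line, in order; handy for a dry run before deploying rules."""
    return [evaluate(l)["action"] for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"{line[21:]:55} -> {evaluate(line)}")
```

Rule order matters: the XMPP row is listed before the broader `*.googleapis.com` row so that `fcm-xmpp.googleapis.com` on 5235 is allowed by the specific row while 443 still falls through to the generic one. The `accounts.google.*` pattern is as permissive as the table's `[country]` placeholder; on a production firewall, enumerate the country domains your users actually need rather than shipping the wildcard.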

 

Static IP

Google does not provide specific IP addresses for its service endpoints. If you need to allow traffic based on IP, configure your firewall to accept outgoing connections to all addresses contained in the IP blocks announced by Google's ASN, AS15169.

Note: The IPs of Google peers and edge nodes are not listed in the AS15169 blocks. See peering.google.com for more information about Google's Edge Network.
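When the only option is IP-based egress filtering, the AS15169 prefix list has to be parsed, aggregated and rendered into firewall rules, and later re-checked as the announcements change. The Python below is an added example for this article, not Google's code: it aggregates a prefix list with the standard `ipaddress` module, keeps IPv4 and IPv6 apart, renders outbound iptables/ip6tables rules for the article's TCP ports, and checks whether a given destination address is covered. The prefixes it contains are constructed placeholders from the RFC 5737 and RFC 3849 documentation ranges, not Google's actual announcements; feed it the real AS15169 list from your routing or BGP data source.

```python
"""Aggregate an IP prefix list and render it as outbound firewall rules.

Added example, not Google's code. The prefixes below are constructed
placeholders (RFC 5737 / RFC 3849 documentation ranges); replace them with
the prefixes actually announced by AS15169 from your routing data source.
"""
import ipaddress

PLACEHOLDER_AS15169_PREFIXES = [   # constructed, not Google's real announcements
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",            # adjacent to the line above: collapses into one /24
    "2001:db8::/32",
]


def build_allowlist(prefixes):
    """Parse, de-duplicate and aggregate prefixes, keeping IPv4 and IPv6 apart
    (ipaddress.collapse_addresses refuses mixed address families)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def ip_allowed(ip, allowlist):
    """True when the destination address falls inside any allowed prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def render_rules(allowlist, dports="443,5228:5230"):
    """Outbound ACCEPT rules for the TCP ports the article lists (443, 5228-5230).
    iptables multiport syntax; IPv6 prefixes go to ip6tables."""
    rules = []
    for net in allowlist:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A OUTPUT -d {net} -p tcp -m multiport --dports {dports} -j ACCEPT")
    return rules


if __name__ == "__main__":
    allow = build_allowlist(PLACEHOLDER_AS15169_PREFIXES)
    print("\n".join(render_rules(allow)))
    for ip in ("198.51.100.200", "203.0.113.7", "2001:db8::1"):
        print(ip, "allowed" if ip_allowed(ip, allow) else "NOT allowed")
```

Keep in mind the note above: traffic that lands on a Google peering or edge node is outside the AS15169 blocks, so an `ip_allowed` miss for a Google hostname is a signal to re-examine the prefix source, not proof of hostile traffic.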
