
Remote Lock and Remote Wipe

  • February 8, 2016
  • 3 replies
  • 10 views


We just recently set up an externally facing JSS. We have been trying to send out remote lock and remote wipe commands to Macs outside of our network but they keep failing. These are the ports we opened up on our firewall: 443, 548, 2195, 2196, and 5223.
Are we missing something?

3 replies

davidacland
  • Valued Contributor
  • 1811 replies
  • February 8, 2016

Does it work if the device is inside the network? If not, it could be something cert related.

The server needs to reach "Apple" (17.0.0.0/8) on 2195 & 2196

The clients need to be able to reach Apple on 5223.

That's all we open externally on the firewall normally.

Oh, and the HTTPS port inbound to your JSS if you want the devices to be able to check-in.


  • Author
  • New Contributor
  • 1 reply
  • February 8, 2016

Yes, it works fine with devices that are connected to our wifi. Devices outside our network can connect to Self Service and see the apps we have inside of it, but can't download those apps or receive the remote lock commands.


davidacland
  • Valued Contributor
  • 1811 replies
  • February 8, 2016

That's positive. At least it's not an APNS / cert issue.

For the policies in Self Service, if the user is outside the network, you will need to allow an inbound connection to your JSS (it sounds like it's already open), and to your distribution point. I noticed you listed 548 up there; that's more suited to LAN-based deployments. I would use HTTPS and WebDAV if you can.

The remote lock commands just need the ports I listed above.

In case it helps, this is what I normally email to the people managing the firewall:

  • TCP port 5223 outbound from the client devices to Apple’s 17.0.0.0/8 range to allow the client devices to receive Push notifications
  • TCP ports 2195 and 2196 outbound from the JSS to Apple’s 17.0.0.0/8 range to allow the client devices to receive Push notifications
  • TCP ports 1640, 443 and 8443 outbound from the client devices to the JSS for SCEP and management.

Would be worth testing from a client with https://itunes.apple.com/gb/app/push-diagnostics/id689859502?mt=12
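As an added example for this thread (not part of the original posts, and not Jamf's or Apple's tooling): a small Python script that probes the TCP paths listed in the reply above from either a client Mac or the JSS itself, and also checks that the APNs hostnames actually resolve into 17.0.0.0/8, since a firewall rule keyed on that range only helps if the push servers really live there. The JSS hostname is a placeholder to replace with your own; the APNs hostnames (courier on 5223, gateway on 2195, feedback on 2196) are the legacy binary-protocol endpoints of the time and are an assumption here, as the thread refers to Apple only as 17.0.0.0/8.

```python
"""Probe the TCP paths a Jamf remote lock / wipe depends on.

Added example for this thread; not Jamf's code. Hostnames are assumptions:
JSS_HOST is a placeholder, and the APNs names are the legacy binary-protocol
endpoints that the thread refers to only as Apple's 17.0.0.0/8.
"""
import ipaddress
import socket
import sys

APPLE_RANGE = ipaddress.ip_network("17.0.0.0/8")  # the range the firewall rule is keyed on
JSS_HOST = "jss.example.com"                         # placeholder; replace with your own

# (host, port, purpose) per role, mirroring the list posted above.
CHECKS = {
    "client": [
        ("courier.push.apple.com", 5223, "APNs push to the device"),
        (JSS_HOST, 443, "check-in / Self Service"),
        (JSS_HOST, 8443, "JSS management"),
        (JSS_HOST, 1640, "SCEP enrollment"),
    ],
    "server": [
        ("gateway.push.apple.com", 2195, "APNs gateway, JSS -> Apple"),
        ("feedback.push.apple.com", 2196, "APNs feedback, JSS -> Apple"),
    ],
}


def in_apple_range(ip):
    """True if an IPv4 address falls inside 17.0.0.0/8."""
    return ipaddress.ip_address(ip) in APPLE_RANGE


def resolve(host):
    """IPv4 addresses a hostname currently resolves to (needs DNS)."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_open(host, port, timeout=5.0):
    """Complete a TCP handshake to host:port; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers socket.timeout and socket.gaierror as well
        return False


def run_checks(role, probe=tcp_open):
    """Probe every path for a role; `probe` is injectable so the logic can be tested offline."""
    return [(host, port, purpose, probe(host, port)) for host, port, purpose in CHECKS[role]]


def missing(results):
    """The (host, port) pairs that failed, i.e. the firewall rules still to open."""
    return [(host, port) for host, port, _, ok in results if not ok]


def selftest_tcp_open():
    """Offline check of tcp_open: a constructed local listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        reachable = tcp_open("127.0.0.1", port, timeout=2.0)
    finally:
        srv.close()
    refused = not tcp_open("127.0.0.1", port, timeout=2.0)
    return reachable and refused


if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "client"  # "client" on a Mac, "server" on the JSS
    results = run_checks(role)
    for host, port, purpose, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port:<5} {purpose}")
    # A rule keyed on 17.0.0.0/8 only helps if the APNs names really resolve there.
    for host, _, _ in CHECKS[role]:
        if host.endswith(".apple.com"):
            try:
                for ip in resolve(host):
                    print(f"{host} -> {ip} {'in' if in_apple_range(ip) else 'NOT in'} 17.0.0.0/8")
            except OSError as exc:
                print(f"{host}: DNS lookup failed ({exc})")
    sys.exit(1 if missing(results) else 0)
```

Run it as `python3 check_paths.py client` on a Mac that is outside the network and `python3 check_paths.py server` on the JSS. A FAIL on 5223 from outside while the same Mac works on the office wifi points at the outbound rule on the external firewall rather than at APNs or the push certificate, which is the same split davidacland draws above.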