Apple IP space needed

k3vmo
Contributor II

I'm building my first infrastructure. Healthcare company. Everything goes through a proxy. I've seen the Apple support articles saying that if you aren't getting Apple Push notifications, it has to have a connection [out] to Apple without a proxy and receive a notification back from Apple's IP space on a specific port?

Am I wrong?

I have so many security folk reading bits & pieces of articles showing a Jamf setup only uses outbound connections.

In every other instance I've seen, admins open Apple's class A on the required ports to accept incoming connections so the Mac knows "hey - you have an MDM on site! Go here:"

Please let me know if I'm right or wrong.

3 REPLIES

Asnyder
Contributor III

I have 17.0.0.0/8 open and it works fine. Here is Apple's documentation. https://support.apple.com/en-us/HT201999

Jamf also has posted in an article what it requires. https://www.jamf.com/jamf-nation/articles/34/network-ports-used-by-jamf-pro

I'm using a FortiGate 501E in proxy-based NAT mode.

sdagley
Esteemed Contributor II

@k3vmo You do not need to allow incoming connections from Apple's 17/8 block, just outgoing ones. Your problem may be that APNS traffic isn't officially proxyable. Another issue is that with certificate pinning you can't decrypt SSL traffic for inspection, and if you are doing that on your network traffic you'll have to work with your network team on whitelisting what's needed. Unfortunately Apple does not currently provide anything more specific than don't filter anything from 17/8, and your network security team will probably not agree to that, so have fun.
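An added example (not code from this thread, Jamf or Apple) that turns the outbound-only point above into a policy check you can run against a firewall rule export before the security review. It assumes a simple ordered rule model (constructed here) and uses TCP 5223 as the APNs client port with 443 as the fallback, as listed in Apple's HT201999 article linked above.

```python
import ipaddress
from dataclasses import dataclass

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")   # the block named in the thread
APNS_PORTS = (5223, 443)                          # 5223 primary, 443 fallback
PROBE_IP = ipaddress.ip_address("17.0.0.1")       # constructed address inside 17/8

@dataclass(frozen=True)
class Rule:
    """Assumed rule shape; map your firewall's export onto these fields."""
    direction: str           # "out" = client to Internet, "in" = Internet to client
    net: str                 # remote network in CIDR notation
    port: int                # TCP port, 0 = any port
    action: str              # "allow" or "deny"
    via_proxy: bool = False  # True when the rule forces traffic through the proxy

def first_match(rules, direction, ip, port):
    """First matching rule wins, as in an ordered firewall policy."""
    for r in rules:
        if (r.direction == direction and r.port in (0, port)
                and ip in ipaddress.ip_network(r.net)):
            return r
    return None

def review_apns_policy(rules):
    """Check the outbound-only, no-proxy requirement for APNs.

    Returns push_reachable (at least one direct outbound path exists) and a
    list of findings, including inbound allows from 17/8 that are not needed.
    """
    findings, direct = [], []
    for port in APNS_PORTS:
        r = first_match(rules, "out", PROBE_IP, port)
        if r is None or r.action != "allow":
            findings.append(f"outbound TCP/{port} to {APPLE_NET} is blocked")
        elif r.via_proxy:
            findings.append(f"outbound TCP/{port} to {APPLE_NET} goes through "
                            "the proxy; APNs is not proxyable")
        else:
            direct.append(port)
    if not direct:
        findings.append("no direct outbound path to APNs on 5223 or 443; "
                        "push notifications will not work")
    for r in rules:
        if (r.direction == "in" and r.action == "allow"
                and ipaddress.ip_network(r.net).overlaps(APPLE_NET)):
            findings.append(f"inbound allow from {r.net} is unnecessary; "
                            "APNs is outbound-only, so remove it")
    return {"push_reachable": bool(direct), "findings": findings}
```

A policy that sends everything through the proxy and also opens inbound from 17/8 produces four findings; adding direct outbound allows for 17.0.0.0/8 on 5223 and 443 ahead of the proxy rule clears them.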

chris_miller
Contributor

The only other issue I've seen is that Apple will load balance to Akamai servers intermittently. It's up to you if you want to open that range or not. I could see the security folks wanting input on that decision.