Jamf Nation Community

It seems like this topic has been beaten over the head here on JAMFNation and I should be "getting it" but perhaps I'm not so I'll post for specifics.

Currently our JSS is behind a firewall and I've been told to assume that outgoing ports are open and incoming ones are blocked. I never assume anything and always wish to verify.

I have taken the port list published here: https://jamfnation.jamfsoftware.com/article.html?id=34

My ultimate goal from this information is to make it so mobile devices can check in, receive remote commands and enroll with our Casper Server (if need be) both on and off campus.

I do know that to allow for this that we will need our DNS off campus to map to a publicly routable server and internally our DNS will route to the internal JSS. We will likely use NAT to get traffic on specific ports into our internal JSS.

Given my current understanding and what I hope to learn from the community, I'll drill down port by port to relevant Casper/iOS side-related ones. I have one over-arching question on each of these ports. Could someone clarify TCP or UDP specifics if possible???

Port 8443 (I understand this one will be needed inbound to the JSS only with traffic coming from anywhere. It will also needed outbound from all of our internal devices...this is the Tomcat port and devices anywhere may need to communicate with the JSS on this port.)

Port 5223 (needed inbound to allow messages from APNs to reach internal mobile devices. Is it possible on firewalls to allow inbound traffic from the 17.0.0.0/8 subnet only??? Right now, our internal iOS devices already successfully receive push notifications and the server is working internally if this helps. Maybe I won't need this one inbound???)

Port 2195 (needed outbound only…machines internally and externally use this port to communicate with APNs. I'm guessing this is one way traffic and only outbound??)

Port 3306 (I am unsure where this port factors in...it is the MySQL port published in the article. Do I need to open this port up for devices off campus? It is currently open outbound.)

Port 2196 (likely needed inbound for feedback communication from APNs...I am unsure totally about this one...is this port needed inbound for all devices or just for the JSS or is it needed at all?? Right now with the JSS working well internally, I haven't had a problem with push notifications reaching internal devices if that helps.)

Port 1640 (This one isn't on JAMF's article, but is on Apple's for over-the-air enrollment. I would like to extend this ability to our users both on and off the internal network. Will this port be needed either outbound or inbound for this??)

Sorry for the long post and I do sincerely thank everyone in this community for help. As a newbie, right now most of my posts are questions, but I do hope to share some answers where I can.

Brian Martin
Lafayette School Corporation