
Network Ports Used by Jamf Pro

Network Connections to the Jamf Pro Server

A Jamf Pro server can be hosted on-premise (customer hosted) or hosted on Jamf Cloud. The following connections may be made inbound to the Jamf Pro server:

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 8443 or 443 | HTTPS | Connections to the Jamf Pro web app use HTTPS. When default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443. | Managed computers or mobile devices, administrator workstations, and other services to the Jamf Pro server |
| 80/8080/443 | HTTP or HTTPS | Some advanced installations may include a load balancer or reverse proxy. In this case, the Jamf Pro server URL’s host name will resolve to the IP address of the proxy. If SSL is terminated at the proxy, traffic is forwarded to the Jamf Pro server over HTTP (typical ports are 80/8080). Or, traffic may be re-encrypted or passed using HTTPS (often over port 443). | Load balancer or proxy to the Jamf Pro server |

Connections from the Jamf Pro Server

The following outbound connections may be initiated by the Jamf Pro server:

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 3306 | MySQL | The Jamf Pro server connects to a MySQL database. | Jamf Pro server to MySQL database |
| 2195/2196 | HTTPS | The Jamf Pro server uses Apple Push Notification service (APNs) to prompt managed devices to check in for mobile device management (MDM). Notifications are sent to Apple on port 2195 and delivery feedback is solicited on port 2196. | Jamf Pro server to Apple APNs 17/8 IP range |
| 80 | HTTP | App Store app information can be retrieved from iTunes. | Jamf Pro server to Apple |
| 443 | HTTPS | The Jamf Pro server can integrate with Apple-hosted services such as the Device Enrollment Program (DEP), Volume Purchase Program (VPP), and Global Service Exchange (GSX). | Jamf Pro server to Apple |
| 443 | HTTPS | The Jamf Pro server can connect to Jamf-hosted utilities and services for communication including: retrieving information about newly released software and version updates from Jamf's patch reporting database, hosted at https://jamf-patch.jamfcloud.com/; Apple Push Notification Certificate Signing Requests; Customer Experience Metrics information submitted to Jamf (optional); Jamf Push Proxy communication with Self Service Mobile for iOS and personally owned Android devices. | Jamf Pro server to *.jamfcloud.com |
| 80/443 | HTTP or HTTPS | If you are deploying SCEP certificate configuration profiles with a dynamic challenge, the Jamf Pro server connects to the Certificate Authority (CA) server to obtain an enrollment challenge password to include in the profile. The port used will be the one used by your CA. | Jamf Pro server to CA server |
| 389/636 | LDAP or LDAPS | Directory service integration via LDAP (389) or LDAP over SSL (LDAPS/636) can be used for user authentication, device assignment, and user information and group membership lookups. Note that all Jamf Pro server LDAP connections will originate from the Jamf Pro server. For information about LDAP Proxy connections, see the “Jamf Infrastructure Manager – LDAP Proxy Connections” section in this document. | Jamf Pro server to LDAP/Domain controller |
| 25/465/587 | SMTP | Email integration via an SMTP gateway can be used for administrative notifications, user messaging, and enrollment invitations. The SMTP port depends on the service provider and type of encryption supported. | Jamf Pro server to SMTP gateway host |
| 514 | Syslog | Change Management logs can be written to log files and to a Syslog server. | Jamf Pro server to Syslog server |
| 443 | HTTPS | A cloud distribution point (Amazon S3 or CloudFront, Akamai, RackSpace, or Jamf Cloud Distribution Service) can be used to host your software packages for distribution to managed clients. The Jamf Pro server connects to these services to perform initial configuration, to upload packages added via the Jamf Pro web app or Casper Admin, and as needed to request content access tokens and URL signatures. | Jamf Pro server to cloud hosting provider |
| 443 | HTTPS | Jamf Pro can be configured to send webhook notifications for a variety of events (device enrollment, inventory updates, etc.) to support workflow automation and data integrations. | Jamf Pro server to event listener application server |
| 11211 | memcached | Memcached data access acceleration services can help reduce database load in multi-server Jamf Pro configurations. | Jamf Pro servers to Memcached servers |

*Ports 443, 2195, 2196, and 5223 must be open outbound to the 17.0.0.0/8 address block in order for computers, iOS mobile devices, and the JSS to communicate with APNs.

Managed Computer and Mobile Device Connections

The following connections may be initiated from managed Mac computers and iOS devices:

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 8443/443 | HTTPS | Mac computers and iOS devices connect to the Jamf Pro server when: prompted to enroll in mobile device management by Apple’s Device Enrollment Program (DEP); enrolling via user-initiated enrollment in a web browser; running the jamf agent (Mac computers only); running Self Service Mobile for iOS; running Casper Focus; responding to an MDM push notification. When the default settings are used, on-premise Jamf Pro servers use port 8443 and the Jamf Cloud managed-hosting option uses port 443. | Managed devices to the Jamf Pro server |
| 5223/443 | APNs | The Jamf Pro server will send a message to the Apple Push Notification service when it has an MDM profile or command awaiting delivery to an enrolled device. Mac computers and iOS devices maintain a persistent connection to APNs when connected to a network so they will receive new notifications quickly. End user devices connect to APNs using port 5223 by default, but will fail over to port 443 when connecting via Wi-Fi. | Managed devices to APNs |
| 443 | HTTPS | Mac computers can download software packages from a cloud distribution point (Amazon S3 or CloudFront, Akamai, RackSpace, or Jamf Cloud Distribution Service). | Managed computers to a cloud distribution point |
| 80/443 | HTTP and HTTPS | Mac computers can download software packages from an HTTP and HTTPS server such as Apple macOS Server, Apache, and Microsoft IIS. | Managed computers to HTTP/HTTPS distribution point |
| 548 | AFP | Software packages can be downloaded by Mac computers from an Apple File Protocol (AFP) server. | Mac computers to AFP servers |
| 445/137–139 | SMB | Software packages can be distributed to Mac computers using a Windows SMB (CIFS) distribution point. | Managed computers to SMB servers |
| 80/443 | HTTP and HTTPS | The Apple ecosystem relies on many Internet-based systems maintained by Apple and their content distribution network (CDN). Examples include Apple Software Update, the App Store, the Volume Purchase Program (VPP), and the Device Enrollment Program (DEP). | Managed devices to Apple/CDN |
| 22 | SSH | The Casper Remote and Recon applications use the standard SSH port to connect to Mac computers. This port cannot be changed. | Administrator workstations to Mac computers |
| 5228–5230 | HTTPS | Google Cloud Messaging (GCM) is used to send messages to personally owned Android devices managed by Jamf Pro. | Android devices to GCM |

Administrator Workstation Connections

The following connections may be initiated from administrator workstations:

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 8443/443 | HTTPS | Administrators perform management tasks by logging in to the Jamf Pro server using a web browser and the Jamf Pro apps (Recon, Casper Admin, and Casper Remote). When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443. | Administrator workstations to the Jamf Pro Server |
| 548/445 | AFP/SMB | The Casper Admin application can upload new software packages to AFP or SMB distribution points. | Casper Admin to distribution points |
| 22 | SSH | The Casper Remote and Recon applications use the standard SSH port to connect to Mac computers. This port cannot be changed. | Administrator workstations to Mac computers |

Jamf Infrastructure Manager - LDAP Proxy Connections

The Jamf Infrastructure Manager is a managed environment that runs on your network to host utilities that facilitate integration of the Jamf Pro server with your IT environment. One of these utilities, the LDAP Proxy, may be used to create an extra layer of separation between a Jamf Pro server and an LDAP directory service.

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 8443/443 | HTTPS | Jamf Infrastructure Manager instances connect to the Jamf Pro server when they are enrolled and periodically thereafter to confirm their operating status and retrieve updated settings. When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443. | Jamf Infrastructure Manager host to the Jamf Pro server |
| 8389/8636 | LDAP or LDAPS | All Jamf Pro LDAP lookups are sent via the Jamf Pro server. Jamf Pro can be configured to send LDAP queries to a Jamf Infrastructure Manager LDAP Proxy instance rather than directly to an LDAP host. The port on which the LDAP Proxy will listen for these incoming requests is configured when enrolling with the Jamf Pro server. On Linux, the port chosen should be at least 1024 because lower-numbered ports are reserved for more privileged services and users. Port 8389 might be chosen if running on LDAP, or port 8636 if running on LDAPS. | Jamf Pro server to the Jamf Infrastructure Manager host |
| 389/636 | LDAP or LDAPS | The LDAP Proxy service will receive lookup requests from the Jamf Pro server and forward them to a directory service. LDAP usually runs on port 389. If you encrypt your LDAP communications (LDAP over SSL/LDAPS), port 636 is commonly used. Your directory services administrator can tell you which of these ports are used in your environment. | Jamf Pro server to LDAP server/domain controller |

Note: If your Jamf Pro server is hosted on Jamf Cloud, you will need to permit inbound access to the Jamf Infrastructure Manager host from Jamf Cloud. A list of the source IP addresses for these connections is provided in the following Knowledge Base article: Permitting Inbound/Outbound Traffic with Jamf Cloud

Jamf Infrastructure Manager - Healthcare Listener Connections

The Healthcare Listener is a service that receives Admission/Discharge/Transfer (ADT) messages from a healthcare management system and sends a notification to the Jamf Pro server to trigger a remote command to the iOS device assigned to a patient room.

The Healthcare Listener is hosted by the Jamf Infrastructure Manager.

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 2575 | HL7 | 2575 is an assigned port that can be used for HL7 communications, but the Healthcare Listener can be configured to use any preferred port 1024 or greater. | HL7 interface to Jamf Infrastructure Manager host |
| 8443/443 | HTTPS | The Healthcare Listener informs the Jamf Pro Management Server when an action is needed on a device. When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443. | Jamf Infrastructure Manager host to the Jamf Pro server |

Jamf Distribution Server Connections

A Jamf Distribution Server (JDS) instance is a distribution point that is managed by the Jamf Pro server. It can be used to host packages, in-house apps, and in-house eBooks.

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 8443/443 | HTTPS | When an administrator uses the Casper Admin application to synchronize packages to a root JDS instance, the file is uploaded to the Jamf Pro server over its HTTPS port. | Casper Admin to the Jamf Pro server |
| 8443/443 | HTTPS | A root JDS instance connects to the Jamf Pro server to download new content. | Root JDS server to the Jamf Pro server |
| 8443/443 | HTTPS | All JDS instances check in periodically with the Jamf Pro server to compare their packages to the master database. When the default settings are used, on-premise Jamf Pro servers use port 8443, and the Jamf Cloud-hosted servers use port 443. | JDS servers to the Jamf Pro server |
| 443 | HTTPS | Managed devices can connect to a JDS instance to download new content and updates. | Managed devices to JDS servers |
| 443 | HTTPS | When a child JDS instance needs to obtain its copy of a new package, it will retrieve it from its parent JDS instance. | Child JDS instance to parent JDS instance |

SCCM Plug-In Connections

The SCCM Plug-In automatically copies the inventory collected by Jamf Pro to your SCCM server so that you can add data about your Jamf-managed devices to SCCM reports.

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 80/443 | HTTP/HTTPS | The SCCM Proxy Service will transmit updated device inventory information to the Microsoft Configuration Manager API. | SCCM Plug-In host to SCCM server |
| 8443/443 | HTTPS | The SCCM Proxy Service queries the Jamf Pro server via a REST API to obtain information about your managed devices. When the default settings are used, on-premise Jamf Pro servers use port 8443, and the Jamf Cloud-hosted servers use port 443. | SCCM Plug-In host to the Jamf Pro server |

ServiceNow Integration Connections

The Jamf macOS Integration app connects Jamf Pro and ServiceNow, a cloud application platform. This integration enables users with ServiceNow installed in their environment to integrate with Jamf Pro and automate software management tasks.

| Port | Protocol | Description | Connections Initiated |
| --- | --- | --- | --- |
| 443 | HTTPS | The Jamf Pro server sends webhook notifications to the ServiceNow API whenever a computer inventory event occurs. The communication can be sent to your ServiceNow Management, Instrumentation, and Discovery (MID) server. | Jamf Pro server to MID server |
| 8443/443 | HTTPS | ServiceNow communicates with the Jamf Pro server to obtain information about your managed computers and to trigger application installations and removals. When default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443. | ServiceNow server to the Jamf Pro server |

Additional Information

The following references provide detailed information on the network requirements for Apple products:
- TCP and UDP Ports Used by Apple Software Products
- If You’re Not Getting Apple Push Notifications
- Technical Note TN2265: Troubleshooting Push Notifications
- Direct hosting of SMB over TCP/IP

SOLVED Posted: 3/19/12 at 6:39 PM by donmontalvo

Can we add a column for ports? We're in the middle of a project and our network team are responding to our "Please open ports..." request with "Do you need TCP, UDP or both?". :)

Thanks,
Don

SOLVED Posted: 4/4/12 at 1:24 PM by talkingmoose

To my knowledge these should all be TCP. UDP would be needed for packets that don't require acknowledgements such as broadcast video. I can't think of anything in the JSS that doesn't require acknowledgements.

SOLVED Posted: 4/4/12 at 1:30 PM by mm2270

So what was added here, 2196? That's the only port I don't recognize from previous versions of this article.

SOLVED Posted: 4/4/12 at 1:32 PM by erin.miska

Yes, 2196 is the only new one and is the port used for APNs feedback. For more information see the following KB:

https://jamfnation.jamfsoftware.com/article.html?id=189

SOLVED Posted: 4/4/12 at 3:09 PM by martin

Hi Erin, could you please split these ports in categories like client, distribution point, jss, netboot, sus and which direction they are going so we get a better overview?

Thanks!

SOLVED Posted: 6/28/12 at 8:53 PM by wakco

It is not very clear what is in use specifically by Casper Suite, and what is in use by other services that Casper Suite uses.

For example, while I can see your mention of SMB is related to other services that Casper relies on to be there, but there is no real definition as to which ports are in use by Casper, and which are not.

I need to know which ports can not be in use by another service on the server host. Such as I would like to know if I can install onto a 10.7 Server running Profile Manager (essentially Apple's MDM with push notifications) or not.

SOLVED Posted: 11/14/12 at 5:55 PM by peterfisher

You need to include which host is initiating the connection.

SOLVED Posted: 5/7/13 at 2:21 PM by dhanes

Could you include which host is initiating the connection? As well as directionality?

SOLVED Posted: 8/14/13 at 10:33 AM by rkidder

I'm a network engineer and I've been asked to open the necessary ports for a Casper box that's on my DMZ. I'm going to second the posts by those above. Protocol (TCP, UDP) is just as important as port. And no, UDP is not just for streaming video, SMB will use UDP. Also, where the packet is coming from for each of the holes is another bit of info that's missing. A better way to document this might look like:

From: Management PC / To: Casper Server / Protocol: TCP / Port: 80, 443 / Purpose: Management web GUI
From: Client PC / To: Casper Server / Protocol: TCP / Port 8080 / Purpose: Package download
From: Client PC / To: Casper Server / Protocol: TCP / Port 8443 / Purpose: Client registration
From: Casper Server / To: MySQL Server / Protocol: TCP / Port 3306 / Purpose: MySQL database access
From: Casper Server / To: DNS Server / Protocol: UDP / Port 53 / Purpose: DNS
From: Casper Server / To: DNS Server / Protocol: UDP / Port 123 / Purpose: NTP

That tells me from where, to where, on what port and using what protocol. That's the info I need to open holes in my firewall and ensure they're actually needed. Is that something we can get?

SOLVED Posted: 10/30/13 at 8:26 AM by jelockwood

I totally agree with Roy Kidder the provided information is not specific enough as to direction and what service needs what. It is not only JAMF who is at fault here, Apple are equally bad at providing the specifics.

I did find the following webpage which for Apple Profile Manager at least does give the required details. Much of this would be applicable to Casper Suite as well.

See http://2195.co.uk/?p=113

To summarise, could JAMF improve the documentation to list whether a port is needed to a server (or client), what it goes to or from as applicable and which service it applies to. This last point is important because contrary to what JAMF might feel many people chose to run different services on different servers so in my case the MySQL, JSS, and JDS are three different servers.

SOLVED Posted: 10/30/13 at 8:41 AM by donmontalvo

@rkidder wrote:

I'm a network engineer and I've been asked to open the necessary ports for a Casper box that's on my DMZ. I'm going to second the posts by those above. Protocol (TCP, UDP) is just as important as port. And no, UDP is not just for streaming video, SMB will use UDP. Also, where the packet is coming from for each of the holes is another bit of info that's missing. A better way to document this might look like:

From: Management PC / To: Casper Server / Protocol: TCP / Port: 80, 443 / Purpose: Management web GUI
From: Client PC / To: Casper Server / Protocol: TCP / Port 8080 / Purpose: Package download
From: Client PC / To: Casper Server / Protocol: TCP / Port 8443 / Purpose: Client registration
From: Casper Server / To: MySQL Server / Protocol: TCP / Port 3306 / Purpose: MySQL database access
From: Casper Server / To: DNS Server / Protocol: UDP / Port 53 / Purpose: DNS
From: Casper Server / To: DNS Server / Protocol: UDP / Port 123 / Purpose: NTP

That tells me from where, to where, on what port and using what protocol. That's the info I need to open holes in my firewall and ensure they're actually needed. Is that something we can get?

MDM related port/traffic questions are more for Apple than JAMF, but with that said, we got this from a JAMF engineer a while back:

http://donmontalvo.com/jamf/APNs-diagram.pdf

SOLVED Posted: 10/30/13 at 11:37 AM by erin.miska

Hey everyone,

We did make what we think are significant improvements to this information in the 9.0 admin guide, but I apparently forgot to apply those improvements to this KB. (We typically avoid documenting things in multiple places for this reason, but this KB has so many hits that we are hesitant to remove it.) Anyway, I’ve updated the KB to match the admin guide. I realize this doesn’t address all of your suggestions, but I think it’s a step in the right direction. We will look into implementing the rest of your suggestions as time allows.

Thanks!
Erin

SOLVED Posted: 10/30/13 at 12:32 PM by jelockwood

Thanks for the changes Erin looks a big improvement. Could you add entries for JDS servers as well?

SOLVED Posted: 1/15/14 at 10:58 AM by tjwolfui

Erin,

Can you verify the port 5223 information for direction? The direction information on this page conflicts with the Casper Admin 9.2 guide. In the Casper Admin Guide it states the direction is from the devices and not the JSS.

Port: 5223
Description: The port used to send messages from APNs to the mobile devices and computers in your network.
Direction: Outbound from computers and mobile devices, and inbound to the APNs server.

Thanks,
Tim

SOLVED Posted: 1/15/14 at 11:36 AM by mostlikelee

@tjwolfui port 5223 is outbound from the end user devices to apple. We have the outbound firewall open from our LAN to 17.0.0.0/8

SOLVED Posted: 1/16/14 at 9:32 AM by Natalie.Pannemann

Hey @tjwolfui,

That was indeed a typo. Port 5223 has been fixed to say "Outbound from computers and mobile devices, and inbound to the APNs server".

Thanks for pointing it out!
Natalie

SOLVED Posted: 3/4/14 at 8:19 AM by charliwest

Another bump to get the JDS parts added to this please

SOLVED Posted: 3/14/14 at 5:50 PM by iordonez

Any reason 1640 isn't on this list as well? Apple uses this for APNs.

http://support.apple.com/kb/ts1629

640 TCP Certificate Enrollment Server - cert-responder Profile Manager, SCEP

SOLVED Posted: 4/11/14 at 4:56 AM by Bendelaat

can anybody tell me how JDS Master replicates to a child? do they use port 443 or something else?

SOLVED Posted: 5/16/14 at 11:56 AM by Grant.Klingbeil

@Bendelaat, you are correct. JDS replication does use port 443.

SOLVED Posted: 6/4/14 at 3:30 PM by amontgomery

From Master to Child, who initiates the connection? In other words, can a child sit behind NAT (without port forwarding, opening incoming ports, etc.) and replicate from a master (as long as the master is reachable on port 443)?

SOLVED Posted: 8/4/14 at 10:51 AM by donmontalvo

Wait, the list shows JSS now requires inbound traffic over 5223?!

Is this a typo? I see the article was updated a few days ago.

Thanks,
Don

SOLVED Posted: 8/4/14 at 12:59 PM by Josh.Smith

Port: 5223
Description: The port used to send messages from APNs to the mobile devices and computers in your network.
Direction: Outbound from computers and mobile devices, and inbound to the APNs server

The Port 5223 line says that APNS requires inbound traffic allowed over 5223, not the JSS. Is that the section you are looking at Don?

SOLVED Posted: 8/4/14 at 2:38 PM by donmontalvo

@Josh.Smith I thought 5223 was used by OSX/iOS clients to establish stateful connection with APNs server, if so that would mean 5223 needs to be open and allow inbound (from APNs) and outbound (to APNs) traffic?

SOLVED Posted: 8/4/14 at 3:51 PM by Josh.Smith

Hi @donmontalvo,

My understanding is that the OS X/iOS client always initiates the TCP connection, so there is no one port on which APNS responds to the clients. Essentially there are no static external ports open on your side for APNS, only those established dynamically through TCP connections.

The client starts the connection using destination port 5223 and a random/ephemeral source port (http://en.wikipedia.org/wiki/Ephemeral_port). It doesn't matter so much which random port number is used by the client, only that the same random port number is used when the server responds. When APNS responds to the packet, it comes in to your network on that random port number.

Example:

Client wants to check in with APNS
Source IP: 10.10.10.10 (client)
Source Port: 50999 (randomly generated by OS, basically could be anything over 1024, see wiki link above for details)
Destination address: 17.x.x.x (APNS server)
Destination Port: 5223

APNS responds to client:
Source IP: 17.x.x.x
Source Port: 5223
Destination address: 10.10.10.10 (what your firewall/proxy sees)
Destination Port: 50999 (what your firewall/proxy sees)

Firewalls/routers have the ability to recognize that the returning packet from APNS is a response to the TCP session initiated by your client, based on the destination IP/Port combination (in this example 10.10.10.10/50999). The firewall may or may not be configured to allow this return traffic.

I believe what your firewall guys would need to know is that they need to allow outbound TCP traffic on port 5223 from <your internal client IP address range> to 17.0.0.0 /8 and allow return traffic on those TCP connections.
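
An added example (not part of the original post or of Jamf's documentation): a toy connection-tracking firewall in Python that replays the exchange described in the post above, with one outbound rule for TCP 5223 to 17.0.0.0/8 and no inbound rule at all. The 10.10.10.0/24 client range, the 17.1.2.3 and 203.0.113.5 addresses, and all class and function names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")      # Apple's block, as stated on this page
CLIENT_NET = ipaddress.ip_network("10.10.10.0/24")  # assumed internal client range
APNS_PORT = 5223                                    # device-to-APNs port from the article


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    opens_connection: bool = False  # True only for the initial SYN (no ACK)


class StatefulFirewall:
    """Toy model: one outbound allow rule, default deny, connection tracking."""

    def __init__(self):
        # Flows opened from the inside: (proto, src_ip, src_port, dst_ip, dst_port)
        self.conntrack = set()

    @staticmethod
    def _outbound_rule_matches(p):
        # The only configured rule: clients -> 17.0.0.0/8, TCP, destination port 5223
        return (p.proto == "tcp"
                and ipaddress.ip_address(p.src_ip) in CLIENT_NET
                and ipaddress.ip_address(p.dst_ip) in APPLE_NET
                and p.dst_port == APNS_PORT)

    def filter(self, p):
        """Return (verdict, reason) for one packet crossing the firewall."""
        if ipaddress.ip_address(p.src_ip) in CLIENT_NET:
            flow = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if flow in self.conntrack:
                return "ACCEPT", "established"
            if p.opens_connection and self._outbound_rule_matches(p):
                self.conntrack.add(flow)  # remember the client's ephemeral port
                return "ACCEPT", "new outbound to APNs"
            return "DROP", "no matching outbound rule"
        # Inbound: accepted only as the mirror image of a tracked outbound flow.
        mirror = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if mirror in self.conntrack and not p.opens_connection:
            return "ACCEPT", "reply to established flow"
        return "DROP", "unsolicited inbound"


def demo():
    """Replay the exchange from the post plus three packets that must be dropped.

    All addresses and ports below are constructed sample values.
    """
    fw = StatefulFirewall()
    packets = [
        # 1. Client checks in with APNs from an ephemeral source port.
        Packet("10.10.10.10", 50999, "17.1.2.3", 5223, opens_connection=True),
        # 2. APNs answers: source port 5223, destination is the ephemeral port.
        Packet("17.1.2.3", 5223, "10.10.10.10", 50999),
        # 3. Same server, source port 5223, but no client flow on port 51000.
        Packet("17.1.2.3", 5223, "10.10.10.10", 51000),
        # 4. New inbound connection aimed at port 5223 on the client.
        Packet("17.1.2.3", 40000, "10.10.10.10", 5223, opens_connection=True),
        # 5. Client tries port 5223 on a host outside 17.0.0.0/8.
        Packet("10.10.10.10", 51001, "203.0.113.5", 5223, opens_connection=True),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for number, (verdict, reason) in enumerate(demo(), start=1):
        print(f"packet {number}: {verdict:6} ({reason})")
```

Packets 3 and 4 are dropped even though they involve port 5223 and an Apple address, because the firewall never needs an inbound rule for 5223: only the mirror image of a flow a client opened is let back in.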

SOLVED Posted: 9/24/14 at 1:41 PM by DLarson

I was having trouble with this, had my firewall and webfilter temporarily changed to monitor mode so they were not filtering anything and it started working. They then checked logs and did some packet captures and found traffic to vpp.itunes.apple.com.akadns.net was being blocked. We whitelisted that URL, turned the firewall and webfilter services back to active and everything still works.

SOLVED Posted: 9/24/14 at 1:58 PM by jelockwood

@DLarson

Apple have the entire 17.0.0.0 address block allocated to them. If you do a lookup you will see that vpp.itunes.apple.com.akadns.net is pointing to an IP address in Apple's 17.x.x.x block.

Therefore for a firewall you should enable access to the entire 17.x.x.x address range i.e. 17.0.0.0/8 or 17.0.0.0/255.0.0.0

SOLVED Posted: 9/24/14 at 3:29 PM by donmontalvo

@Josh.Smith Just noticed your response, thanks, very helpful!

SOLVED Posted: 9/25/14 at 1:42 PM by RobertHammen

Man, if the JAMF documentation team could just listen to the conference call that I was just on, they would realize that this document needs more revisions/clarification. Perhaps even a schematic. I realize every environment is different, however something more detailed would be beneficial. Client's network team had this document, and I still had to explain everything (and I'm not even sure I have the JDS stuff right).

--Robert

SOLVED Posted: 10/3/14 at 4:22 PM by hzimmerman

Robert,

I agree. When I was doing JumpStarts, one of the first things I would do is grab a whiteboard and diagram the ports with a networking engineer (and/or security engineer, depending on the client). Frequently I would leave it up for the duration of the JumpStart because it was handy to refer to when talking about anything APN related, for example.

When I start drawing it, I preface it with "This is the diagram I wish Jamf would include with the JumpStart documentation..."

When you start talking about clustering and DMZs it gets even more complex.

SOLVED Posted: 11/28/14 at 7:04 AM by martin

If you make use of the JAMF Push Proxy make sure your firewall is able to connect to jpp.jamfcloud.com (IP 54.236.79.46 port 443).

SOLVED Posted: 8/10/15 at 9:51 AM by martin

@erin.miska, @jacob.bernardy please add JAMF Nation (port 443, dest 52.1.225.145 and 54.84.234.100) to this article. It's required to download signed CSR from JAMF Nation.

SOLVED Posted: 11/6/15 at 10:06 AM by Key1

Anyone know what the destination ip and port for submitting Jamf summary is please?

SOLVED Posted: 11/6/15 at 11:23 AM by talkingmoose

I don't know 100%, but I would guess it's 443 since you're submitting it through the JAMF Nation site.

SOLVED Posted: 12/9/15 at 7:31 AM by seanhansell

Can we please add GSX API access to the row for port 443?

SOLVED Posted: 2/17/16 at 4:19 AM by bollman

Worth noting: ICMP Ping needs to be accessible to JDS servers, or else, Casper Admin states that the JDS is unavailable.
This might not be the best way to test if the server is available ;)

SOLVED Posted: 3/10/16 at 11:17 AM by ryanstayloradobe

It's been a while since I've seen this article. What was modified? Can there be a change log at the end of the article stating what was modified?

SOLVED Posted: 3/10/16 at 11:38 AM by cdenesha

I agree. It would save time going to the Wayback Machine to learn that the Additional Information now has descriptions of the links.

SOLVED Posted: 4/15/16 at 4:50 PM by UbiquitousChris

Just a quick note to pass along to anyone who may be having trouble: In order for VPP and App Store searches to work correctly, you need to have port 80 opened outbound to Apple's servers as well. I worked for hours on this with JAMF and requested they update their documentation.

SOLVED Posted: 10/18/16 at 1:38 PM by jnice22

Serious update for the port list would save a lot of time. Details from "this device" to "this device" or range. Which system initiates the request and traffic flow. I had to open additional ports for VPP from our jss. The details for 443 above is murky at best. We don't just open ports willy nilly around here.

SOLVED Posted: 1/3/17 at 9:45 AM by hunter990

I almost wonder if it would be easier to break the tables up by JSS and Clients. Then by inbound and outbound. That way you can instantly look and see what is needed. I also concur with what others have said that it needs to show where those ports are going or coming from.

SOLVED Posted: 2/6/17 at 3:52 PM by lubkens05

+1 for more specifics. I am wondering what ports are necessary to be forwarded to JSS and/or JDS for external distribution of packages.

SOLVED Posted: 2/13/17 at 7:56 PM by donmontalvo

@lubkens05 yea, this can get confusing if you're enrolling computers in the DMZ, and the enrollment QuickAdd.pkg is coming from the Tomcat server and not a distribution point. :)

SOLVED Posted: 2/14/17 at 9:11 AM by scottb

Another vote for JDS documentation. It's incredibly sparse, and I hate opening up cases for things that probably could be covered to some extent in these docs.

SOLVED Posted: 3/13/17 at 8:11 AM by andrewadkins

bump

SOLVED Posted: 3/14/17 at 10:58 AM by swhps

+1 for update

SOLVED Posted: 3/16/17 at 11:53 AM by Javy

What port is used for downloading new Patch Reporting definitions?

SOLVED Posted: 3/18/17 at 1:26 PM by talkingmoose

@Javy, have a looksee in the table at the top. It's 443 to connect to the patch server.

SOLVED Posted: 6/13/17 at 11:05 AM by hunter990

I agree as well and the URL's for both patch reporting and for signing a cert with jamf nation from the push cert settings. Also, isn't port 5900 still used for screen sharing? I don't see that on the list.

SOLVED Posted: 6/26/17 at 2:53 PM by rogerahlers

We had an issue today where our content filter's proxy was blocking port 50402. This was preventing Casper from deploying apps to iPads running iOS version 10.3.2. Since I didn't see this port on the list, I thought I'd add it here in case others had the same problem. After adding an exception for 50402 in our content filter, everything started working again.

SOLVED Posted: 6/28/17 at 2:10 PM by andrewh

What is the message broker (port 61617)? I've never seen or heard of this before until I referenced this KB article at a client site today. I don't see any mention of the message broker in any JAMF Nation posts.

This KB really needs updates to be more specific as echoed by many others before me.

SOLVED Posted: 6/30/17 at 3:17 PM by bradtchapman

@cj.krueger : can you post a quick summary of the changes to this document OTHER than the title and new URL? Thanks.

SOLVED Posted: 6/30/17 at 3:29 PM by cj.krueger

@bradtchapman Sure thing! This update represents a complete revision of our ports document, including details on 40 unique connections and the breaking-out of inbound and outbound Jamf Pro connections. We've also added sections detailing Managed Computer & Mobile Device connections, Administrator Workstation connections, both LDAP Proxy & Healthcare Listener connections for the Jamf Infrastructure Manager, and Jamf Distribution server, SCCM Plugin and ServiceNow integration connection information. We hope this provides a more complete understanding of Jamf Pro's commonly-used network connections than our previous documentation. Be sure to let us know if we're missing anything, or if you'd like to know more!

SOLVED Posted: 9/6/17 at 3:41 PM by donmontalvo

@hunter990 5900 would only be needed if you are VNC'ing directly to the box (Screen Sharing, or Connect To Server...).

Casper Remote initiates an SSH tunnel to the workstation using the Management Account, then screen sharing goes through the tunnel.

Would still open up 5900 if you want techs to use Screen Sharing without needing to use Casper Remote.

SOLVED Posted: 9/19/17 at 4:32 PM by bschowe

Is there something specific for iPad inventory updates? Everything else seems to be working but, the iPads won't update inventory.
