Permitting Inbound/Outbound Traffic with Jamf Cloud

Overview

This article outlines what needs to be added to the whitelist or firewall to allow inbound and outbound communication between your organization’s internal network or services, such as LDAP, and Jamf Cloud.

Note: IP addresses resolved from a simple nslookup query will not work, as these addresses can change at any time.

Inbound Traffic to Jamf Cloud

To connect from your internal network to Jamf Cloud, add the Jamf Cloud DNS name to your whitelist, for instance: https://example.jamfcloud.com.

Outbound Traffic from Jamf Cloud

To connect from Jamf Cloud to your internal service, add the following IP addresses to your firewall rules:

For the U.S. region:

  • 54.208.14.206
  • 54.208.84.215
  • 52.1.62.94
  • 52.1.215.211
  • 52.203.216.218
  • 34.233.253.88
  • 34.234.26.211
  • 52.72.152.43

For the EU Frankfurt region:

  • 52.28.158.135
  • 52.29.12.146
  • 52.58.24.59
  • 52.58.36.131
  • 35.158.192.156
  • 35.158.251.254

For the APAC Sydney region:

  • 13.55.52.63
  • 13.210.90.105

For the APAC Tokyo region:

  • 52.192.208.126
  • 52.68.207.143

These IP addresses are required when configuring LDAP, SMTP, Rsyslog, SCCM, and other services.

In the event that the above IP addresses are changed, Jamf Cloud customers will be notified.
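The following Python sketch is an added example, not part of the original Jamf article. It audits firewall log lines for an internal service against the outbound addresses listed above. The log format, the 192.0.2.10 service address, and the rule that an instance only sends from its own region's addresses are assumptions made for illustration.

```python
import ipaddress
import re
# Jamf Cloud outbound source addresses, copied from the regional lists above.
OUTBOUND = {
    "us": "54.208.14.206 54.208.84.215 52.1.62.94 52.1.215.211 "
          "52.203.216.218 34.233.253.88 34.234.26.211 52.72.152.43",
    "eu-frankfurt": "52.28.158.135 52.29.12.146 52.58.24.59 52.58.36.131 "
                    "35.158.192.156 35.158.251.254",
    "apac-sydney": "13.55.52.63 13.210.90.105",
    "apac-tokyo": "52.192.208.126 52.68.207.143",
}
REGION_BY_IP = {ipaddress.ip_address(ip): region
                for region, ips in OUTBOUND.items() for ip in ips.split()}

# Constructed log for an LDAPS listener; format and 192.0.2.10 are assumptions.
# 52.58.219.182 is a DNS-lookup result quoted on this page, not an outbound IP.
SAMPLE_LOG = """\
2017-08-01T10:00:01Z ALLOW src=52.58.24.59 dst=192.0.2.10 dport=636
2017-08-01T10:00:07Z ALLOW src=52.58.219.182 dst=192.0.2.10 dport=636
2017-08-01T10:01:15Z ALLOW src=54.208.14.206 dst=192.0.2.10 dport=636
2017-08-01T10:02:30Z DENY src=35.158.192.156 dst=192.0.2.10 dport=636
2017-08-01T10:04:00Z ALLOW src=not-an-ip dst=192.0.2.10 dport=636
"""
LINE = re.compile(r"^\S+ (ALLOW|DENY) src=(\S+) dst=\S+ dport=\d+$")

def audit(log_text, my_region):
    """Return (line_no, src, finding) for each log line that needs attention."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line.strip())
        if not m:
            findings.append((n, None, "unparseable line"))
            continue
        action, src = m.groups()
        try:
            region = REGION_BY_IP.get(ipaddress.ip_address(src))
        except ValueError:
            findings.append((n, src, "invalid source address"))
            continue
        if action == "ALLOW" and region is None:
            findings.append((n, src, "allowed, but not a listed outbound address"))
        elif action == "ALLOW" and region != my_region:
            findings.append((n, src, f"allowed, but listed for {region}"))
        elif action == "DENY" and region == my_region:
            findings.append((n, src, "listed address for this region was blocked"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG, "eu-frankfurt"), sep="\n")
```

An "allowed, but not a listed outbound address" finding usually means the rule was built from DNS lookup results or is broader than the published list; a blocked listed address means the rule is missing an entry.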

Outbound Traffic from the Jamf Cloud Distribution Point

For the U.S. region:

  • use1-jcdsdownloads.services.jamfcloud.com
  • use1-jcds.services.jamfcloud.com

For the EU Frankfurt region:

  • euc1-jcdsdownloads.services.jamfcloud.com
  • euc1-jcds.services.jamfcloud.com

For the APAC Sydney region:

  • apse2-jcdsdownloads.services.jamfcloud.com
  • apse2-jcds.services.jamfcloud.com

For the APAC Tokyo region:

  • apne1-jcdsdownloads.services.jamfcloud.com
  • apne1-jcds.services.jamfcloud.com

Additional Information

For service port information, see the following Knowledge Base article:
Network Ports Used by Jamf Pro

SOLVED Posted: by kkarballof

Hi Debbie.

Can you please check to verify that the below IPs are current ones:

54.208.14.206 54.208.84.215 52.1.62.94 52.1.215.211

This is what I am getting when running nslookup :
DT4892:graphite ccarballo$ nslookup w2ogroup.jamfcloud.com
Server: 10.1.10.223
Address: 10.1.10.223#53

Non-authoritative answer:
w2ogroup.jamfcloud.com canonical name = jamfcloud-998593290.us-east-1.elb.amazonaws.com.
Name: jamfcloud-998593290.us-east-1.elb.amazonaws.com
Address: 52.21.57.200
Name: jamfcloud-998593290.us-east-1.elb.amazonaws.com
Address: 52.87.122.98

SOLVED Posted: by lahwal

The sold-to-Account entered is invalid.

SOLVED Posted: by ftiff-amaris

Interesting, I have:
euc1-std-elb-1-1410441343.eu-central-1.elb.amazonaws.com has address 52.58.219.182
euc1-std-elb-1-1410441343.eu-central-1.elb.amazonaws.com has address 35.157.47.119

Seems it's not up to date... sent ticket to support

SOLVED Posted: by robo

@kkarballof - There is no relation between the IPs returned from a lookup of the domain name of a JamfCloud instance, and the IPs used for outgoing communication from JamfCloud. The IPs posted in the article are correct.

@ftiff-amaris - Same thing as above: Incoming and outgoing traffic go via different routes.

SOLVED Posted: by ftiff

Hi @robo

You're right!

I got the answer from Jamf support:
- JSS to JIM uses the IPs above
- JIM to JSS goes through a load balancer. Its IPs are not permanent. Only possibility is to whitelist *.jamfcloud.com

Next question is: is there a need for traffic from JIM to JSS besides initial enrollment?

As JIM is in the DMZ I don't want to open outgoing traffic to all internet.

SOLVED Posted: by franton

Doing things by DNS host name is always preferable because the IP addresses can change without warning. This is also true of Apple's services between 17/8 and whatever Akamai is using that day. However Amazon does publish a handy table of which IP ranges it uses in JSON format.

However for those using the EU jamf cloud, here's Amazon's current IP ranges for "eu-central-1". (Current as of 31st July 2017)

SOLVED Posted: by timlarsen

Hi. New to being on jamf cloud, long-time on-prem user. Has anyone had difficulty connecting to jamfcloud (clients and in-browser) in Greater China? Because we use "next gen" Palo Alto firewall technology, our network team is not keen on having a giant list of individual IPs and as such, will only agree to the 8 required under the "US" list. I'm not sure if I need the EU/Frankfurt IPs added to the rule to connect in the APAC region or not...

Thanks!
Tim

SOLVED Posted: by gachowski

We don't have any issues, and web access was one of the things I tested from China before we fully committed to hosted environment.

C

SOLVED Posted: by conitsupport

Are you all using JIM in a DMZ setup? At present we have onsite JAMF and a DMZ setup for offsite enrollments, which works well, but we can't get the cloud version to link to our AD successfully.

SOLVED Posted: by bartlomiej.sojka

@conitsupport Is telnet over 443 from your JIM host to cloud successful? Is traffic from all IPs in this article allowed to reach your JIM host over port of your choice (above 1024, e.g. 8389 or 8636)? Does your JIM host have an FQDN or at least an external IP directly on one of its eth? Can JIM host resolve its hostname to itself?

SOLVED Posted: by Micah.Smith

@conitsupport Did you ever get your JIM/DMZ situation resolved? Sounds like I'm facing the same issue you were.

SOLVED Posted: by MacSysAdmin

On initial communication from your JIM server to Jamf Cloud, you will need port 443 open outbound on your firewall to whatever IP a lookup of your Jamfcloud host resolves to, and not the IPs listed above, to get enrollment started.

SOLVED Posted: by andymallins

Can anyone confirm what region *.services.jamfcloud.com will reside in as per the TLS 1.0 disablement with 10.7 release....
