What URLs would need to be whitelisted so we can restrict internet access on devices for security purposes?

Our system is currently on-premise.
We want to restrict internet access to our fleet of Zebra devices; however, we use the following functions:
Enrollment of devices to SOTI.
Utilisation of the managed play store to deploy managed apps from SOTI.
Deployment of Zebra Patches through OTA.
We would like to understand what URLs we need to use for the above functionality so that we can whitelist these on our firewall.

3 years ago
SOTI MobiControl
ANSWERS
MB

Hey Shane,

It depends on what application you would like to restrict.

For example, for Chrome you can add a "fake" proxy entry in a profile so that Chrome can't be used.

Or you can use SOTI Surf on the Android devices.

Shane O Donovan
3 years ago

Hi Marcus, 

Thanks for coming back to me. I appreciate it a lot.

Is it possible to totally block the devices from accessing the internet? We understand there are some URLs that will need to be whitelisted (the enrolment URL, for example, when first enrolling the device and grabbing the SOTI agent) in order to do so, and we are trying to put together a definitive list that we can give to our networking team before they restrict the devices from accessing the net.

ICMOD@SOTI
3 years ago

Hello Shane,

Thanks for your post!

Here are the ports and IP addresses that would need to be whitelisted if you would like to keep communication with SOTI MobiControl on your restricted network:

https://www.soti.net/mc/help/v14.0/en/setup/installing/network_ports.html

https://www.soti.net/mc/help/v14.0/en/setup/installing/soti_services.html

Also, if you are enrolling a device using Android Enterprise and would like to use the Google Play Store, you would need to enable several outbound connections: https://support.google.com/work/android/answer/10513641?hl=en

| Destination Host | Ports | Purpose |
| --- | --- | --- |
| play.google.com, android.com, android.clients.google.com | TCP/443; TCP,UDP/5228-5230 | These endpoints are used to handle APKs in the Managed Play Store, and as such access to them should not be blocked as the Play Store would not work appropriately. |
| google-analytics.com | TCP/443; TCP,UDP/5228-5230 | This endpoint is used to collect / display analytics information about the applications on the Managed Play Store. Blocking this endpoint will result in a degraded experience when using the Managed Play Store. |
| googleusercontent.com, gstatic.com | TCP/443; TCP,UDP/5228-5230 | These endpoints are required to handle images on the Managed Play Store. Blocking them will result in a degraded experience when using the Play Store, including some services not working correctly. |
| *.gvt1.com, *.ggpht.com, dl.google.com | TCP/443; TCP,UDP/5228-5230 | These endpoints are required so that applications can be downloaded and updated appropriately from the Play Store / Managed Play Store. We heavily discourage blocking updates by blocking these endpoints (e.g. if a vulnerability were to be discovered on an app, we would immediately patch and deliver the update through these endpoints). |
| *.googleapis.com | TCP/443 | These endpoints are required for EMM APIs, Google APIs and Play Store APIs to function correctly. |
| accounts.google.com | TCP/443 | These endpoints are used to handle Authentication requests, and generally any Identity related request. |
| gcm-http.googleapis.com, gcm-xmpp.googleapis.com, android.googleapis.com | TCP/443,5228-5230,5235,5236 | Google Cloud Messaging. These endpoints are used to push app configurations. |
| fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP/443,5228-5230 | Firebase Cloud Messaging (e.g. Find My Device). These endpoints are used to push app configurations, and to use services such as “Find my device”. |
| pki.google.com, clients1.google.com | TCP/443 | These endpoints are primarily used for certificate handling / revocation. |
| clients[2…6].google.com | TCP/443 | These endpoints are used by various Google backend services such as crash reporting, Chrome Bookmark Sync, time sync (tlsdate), and many others. |

Regards,

Technical Support | SOTI Inc. | 1.905.624.9828 | support@soti.net | www.soti.net
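
An added example, not part of the original thread and not SOTI or Google code: the Google endpoint table above encoded as host/port rules and run over firewall deny entries, to spot required Managed Play Store traffic that a restrictive policy is blocking. The log format, the sample lines and the function names are assumptions made up for illustration.

```python
from fnmatch import fnmatchcase

# Port sets transcribed from the table in the answer above.
WEB = {("tcp", 443)}
PLAY = WEB | {(p, n) for p in ("tcp", "udp") for n in range(5228, 5231)}
FCM = {("tcp", n) for n in (443, 5228, 5229, 5230)}
GCM = FCM | {("tcp", 5235), ("tcp", 5236)}

# Assumption: bare names match exactly, "*." entries match subdomains only.
RULES = [
    (["play.google.com", "android.com", "android.clients.google.com",
      "google-analytics.com", "googleusercontent.com", "gstatic.com",
      "*.gvt1.com", "*.ggpht.com", "dl.google.com"], PLAY),
    (["*.googleapis.com", "accounts.google.com", "pki.google.com"]
     + [f"clients{i}.google.com" for i in range(1, 7)], WEB),
    (["gcm-http.googleapis.com", "gcm-xmpp.googleapis.com",
      "android.googleapis.com"], GCM),
    (["fcm.googleapis.com", "fcm-xmpp.googleapis.com"], FCM),
]

def allowed(host, proto, port):
    """True if the table lists this host/protocol/port combination."""
    host = host.lower().rstrip(".")
    return any((proto.lower(), port) in ports
               for patterns, ports in RULES
               for pat in patterns if fnmatchcase(host, pat))

def required_but_denied(log_lines):
    """Return DENY entries that the table says must be permitted."""
    hits = []
    for line in log_lines:
        action, proto, host, port = line.split()
        if action == "DENY" and allowed(host, proto, int(port)):
            hits.append((host, proto.lower(), int(port)))
    return hits

# Constructed sample log; the "action proto host port" format is hypothetical.
SAMPLE_LOG = [
    "DENY TCP fcm.googleapis.com 5228",
    "DENY UDP fcm.googleapis.com 5228",   # table lists TCP only for FCM
    "DENY TCP r3.gvt1.com 443",           # matches *.gvt1.com
    "DENY TCP clients4.google.com 443",   # from clients[2…6].google.com
    "DENY TCP gcm-xmpp.googleapis.com 5235",
    "DENY TCP example.com 443",           # not in the table, stays blocked
    "ALLOW TCP play.google.com 443",
]

if __name__ == "__main__":
    print(required_but_denied(SAMPLE_LOG))
```

The SOTI MobiControl ports and services from the two help pages linked in the answer are not encoded here, since the thread does not list them.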