
Profile Manager needs port 443/80 to distribute updates

I'm trying to set up Profile Manager to be able to send updates to iOS and Mac users off our local network without opening access to the server's web pages. I have ports opened and forwarded through our firewall: 2195, 2196, 5223, and 1640. However, clients cannot receive updates unless port 443 or 80 is also opened and forwarded. This would be fine; however, I don't want the whole world to be able to access or hack my internal web pages, or potentially hack into the Profile Manager web interface remotely. If I restrict web server access to only private networks, I lose the ability to push out configuration updates or remote locks or wipes of iOS devices. Is there a way to allow configuration updates and commands to be pushed without opening up the web interface or other websites located on the server?


Thanks


Port         TCP/UDP   Description
2195, 2196   TCP       Used by Profile Manager to send push notifications
5223         TCP       Used to maintain a persistent connection to APNs and receive push notifications
80/443       TCP       Provides access to the web interface for Profile Manager admin
1640         TCP       Enrollment access to the Certificate Authority

Posted on Apr 16, 2015 10:49 PM

Question marked as Best reply

Posted on Apr 24, 2015 7:40 AM

I'm having the same problem. The best I've come up with is modifying the apache configuration so that only the necessary pages are available. I don't think it will work without this minimum access to 443.


Here's how I've locked it down:


1. Create a file in /Library/Server/Web/Config/apache2/other/ that ends with .conf. I named mine localsecurity.conf


2. Populate the file with the following info:


# Lock down everything under the filesystem root (and therefore every site's
# DocumentRoot) to the LAN. A <Directory> section is scoped to the filesystem,
# not to one virtual host, so this covers both port 80 and port 443.
<Directory />
    Order deny,allow
    Deny from all
    # Change this prefix to match your LAN. A partial address such as 10.10.10
    # matches 10.10.10.0 through 10.10.10.255 only. Apache does not accept a
    # comment after a directive on the same line, so keep it on its own line.
    Allow from 10.10.10
</Directory>

# Re-open the management API under /devicemanagement so enrolled devices can
# check in from anywhere. <Location> sections are applied after <Directory>
# sections, so this overrides the LAN-only rule for that path alone.
<Location /devicemanagement>
    Order deny,allow
    Allow from all
</Location>

3. Restart Websites in the server app.


Apr 24, 2015 7:40 AM in response to Mango Buzz

Other than Trinq's solution, which is what I believe most people concerned about this issue have adopted, the following is a possible approach for some people.


The way Profile Manager and pushing updates works is as follows (in simplified form):


  1. When an update is available Profile Manager will send a notification to Apple's Push Notification Servers
  2. Apple's Push Notification Servers then pass on that notification to the client devices, including the FQDN of the Profile Manager server, e.g. profile.domain.com
  3. The client device will then 'phone home' to that FQDN host name


Normally the FQDN will point to a public IP address, which can be used to access the server either directly or via port forwarding. However, if the client device is using an internal DNS server, the FQDN could potentially point to the internal IP address of the server. If the client device is either already on the same internal network or has a route to it, then it will 'just work'. It would also be possible to use VPN-on-Demand and have a trigger in place to automatically connect to the internal network (from outside) and then be able to talk directly to the server.
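The following is an added example, not code from either reply or from Apple. It is an offline model of the Apache `Order deny,allow` / `Deny` / `Allow` semantics (mod_access_compat) that Trinq's localsecurity.conf relies on, so the policy can be checked before it is deployed: LAN clients reach everything, Internet clients reach only `/devicemanagement`, and a device that arrives over VPN with a LAN address (the second reply's approach) is treated as internal. The LAN prefix 10.10.10 is the one from the config; the external addresses (203.0.113.0/24) and the path under `/devicemanagement` are constructed for illustration and are not the real MDM endpoint names, which the thread does not list.

```python
"""Offline check of the access policy in localsecurity.conf.

This does not parse httpd.conf; the two sections are transcribed by hand into
DOCROOT_RULES and LOCATION_RULES. Added example, not part of the thread.
"""
import ipaddress

# 'deny,allow': Deny rules are evaluated first, then Allow rules. A host
# matched by an Allow rule is admitted even if a Deny rule also matched it,
# and a host matched by neither rule is admitted (the default for this Order).
DOCROOT_RULES = {"order": "deny,allow", "deny": ["all"], "allow": ["10.10.10"]}

# <Location> sections are applied after <Directory> sections and replace
# their Order/Allow/Deny settings for the matching path.
LOCATION_RULES = {
    "/devicemanagement": {"order": "deny,allow", "deny": [], "allow": ["all"]},
}


def host_matches(pattern: str, client_ip: str) -> bool:
    """Mimic 'Allow/Deny from <pattern>' for the forms Apache accepts here:
    'all', a full IPv4 address, a CIDR block, or a partial dotted address."""
    if pattern == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) == 4:
        return addr == ipaddress.ip_address(pattern)
    # Partial address: Apache compares leading octets only, so '10.10.10'
    # covers 10.10.10.0-255 but NOT 10.10.100.x (a common surprise).
    return client_ip.split(".")[: len(octets)] == octets


def section_allows(rules: dict, client_ip: str) -> bool:
    """Evaluate one section's Order/Deny/Allow for a client address."""
    denied = any(host_matches(p, client_ip) for p in rules["deny"])
    allowed = any(host_matches(p, client_ip) for p in rules["allow"])
    if rules["order"] == "deny,allow":
        return allowed or not denied
    # 'allow,deny': at least one Allow must match and no Deny may match;
    # with 'Deny from all' this order would lock out everyone.
    return allowed and not denied


def access_decision(client_ip: str, path: str) -> int:
    """Return the HTTP status (200 or 403) Apache would give the request.
    <Location /x> covers /x and /x/... but not /xother."""
    rules = DOCROOT_RULES
    for prefix, loc_rules in LOCATION_RULES.items():
        if path == prefix or path.startswith(prefix + "/"):
            rules = loc_rules
    return 200 if section_allows(rules, client_ip) else 403


# Constructed sample requests: (client address, path, expected status).
SAMPLE_REQUESTS = [
    ("10.10.10.42", "/", 200),                          # admin on the LAN
    ("203.0.113.7", "/", 403),                          # Internet client, site blocked
    ("203.0.113.7", "/devicemanagement/checkin", 200),  # illustrative MDM path, open
    ("203.0.113.7", "/devicemanagementx", 403),         # not under the Location
    ("10.10.100.5", "/", 403),                          # partial-prefix pitfall
    ("10.10.10.200", "/", 200),                         # VPN client with a LAN address
]


def check_policy() -> list:
    """Return every sample request whose decision differs from expectation."""
    return [
        (ip, path, expected, access_decision(ip, path))
        for ip, path, expected in SAMPLE_REQUESTS
        if access_decision(ip, path) != expected
    ]


if __name__ == "__main__":
    for ip, path, expected in SAMPLE_REQUESTS:
        print(f"{ip:>14} {path:<32} -> {access_decision(ip, path)}")
    print("mismatches:", check_policy())
```

Edit `SAMPLE_REQUESTS` to your own LAN prefix and any extra paths before trusting the result, and remember that the model only covers what the config above expresses: if the device's checks go to another path on the server, that path still needs its own `<Location>` carve-out.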
