Q: Profile Manager needs port 443/80 to distribute updates
I'm trying to set up Profile Manager to be able to send updates to iOS and Mac users off our local network without opening access to server webpages. I have ports opened and forwarding through our firewall: 2195, 2196, 5223, and 1640. However, clients cannot receive updates unless port 443 or 80 is also opened and forwarded. This would be fine, however I don't want the whole world to be able to access or hack my internal webpages or potentially hack into the Profile Manager web interface remotely. If I restrict web server access to only private networks I lose the ability to push out configuration updates or remote locks or wipes of iOS devices. Is there a way to allow configuration updates and commands to be pushed without opening up the web interface or other websites located on the server?
Thanks
| Port | TCP/UDP | Description |
|---|---|---|
| 2195, 2196 | TCP | Used by Profile Manager to send push notifications |
| 5223 | TCP | Used to maintain a persistent connection to APNs and receive push notifications |
| 80/443 | TCP | Provides access to the web interface for Profile Manager admin |
| 1640 | TCP | Enrollment access to the Certificate Authority |
Posted on Apr 16, 2015 10:49 PM
I'm having the same problem. The best I've come up with is modifying the apache configuration so that only the necessary pages are available. I don't think it will work without this minimum access to 443.
Here's how I've locked it down:
1. Create a file in /Library/Server/Web/Config/apache2/other/ that ends with .conf. I named mine localsecurity.conf
2. Populate the file with the following info:
```apache
# Restricts everything Apache serves from the filesystem; applies on both 80 and 443.
<Directory />
    Order deny,allow
    Deny from all
    # Change this to match your LAN. Apache has no inline comments: a trailing
    # "#..." on the Allow line is read as extra host arguments, so keep it here.
    Allow from 10.10.10
</Directory>

# Opens up the management API that Profile Manager uses to interact with devices.
<Location /devicemanagement>
    Order deny,allow
    Allow from all
</Location>
```
3. Restart Websites in the server app.
Posted on Apr 24, 2015 7:40 AM
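To see why the answer's config exposes only the management path, here is a small model (added here, not code from the post or from Apple) of how Apache evaluates those two sections: the `<Location>` block is merged after `<Directory />`, so its `Allow from all` replaces the LAN-only rule for `/devicemanagement` alone, and the partial IP `10.10.10` is matched octet by octet. The LAN prefix, the open path and the sample client addresses are taken from or constructed around the post.

```python
"""Model of how Apache merges the LAN-only <Directory /> rule with the
<Location /devicemanagement> exception from the answer above.

Constructed example: it does not parse a real httpd.conf; the rules are
hard-coded from the post so the merge order can be checked offline.
"""
from ipaddress import ip_address

LAN_PREFIX = "10.10.10"                  # partial IP from the post; adjust to your LAN
OPEN_LOCATIONS = ("/devicemanagement",)  # paths devices need from outside the LAN


def partial_ip_match(client_ip: str, partial: str) -> bool:
    """'Allow from 10.10.10' compares leading octets one at a time,
    so 10.10.10.7 matches but 10.10.100.7 does not. An IPv6 client
    never matches a dotted partial, so it is denied like any outsider."""
    want = partial.split(".")
    have = client_ip.split(".")
    return len(have) == 4 and have[: len(want)] == want


def location_matches(path: str, location: str) -> bool:
    """<Location /x> matches /x and everything beneath /x/, but not /xyz."""
    return path == location or path.startswith(location.rstrip("/") + "/")


def apache_decision(client_ip: str, path: str) -> int:
    """Return the HTTP status the posted config yields: 200 or 403.

    Order deny,allow + Deny from all + Allow from <LAN> lets a client in only
    when an Allow line matches it. <Location> sections are merged after
    <Directory> sections, so 'Allow from all' wins for the management path."""
    ip_address(client_ip)  # reject malformed input before octet matching
    if any(location_matches(path, loc) for loc in OPEN_LOCATIONS):
        return 200
    return 200 if partial_ip_match(client_ip, LAN_PREFIX) else 403


if __name__ == "__main__":
    # Constructed sample requests: LAN client, outside client, device check-in.
    for ip, path in [("10.10.10.7", "/"), ("203.0.113.9", "/"),
                     ("203.0.113.9", "/devicemanagement/api/device"),
                     ("10.10.100.7", "/webmail/")]:
        print(f"{ip:>13} {path:<32} -> {apache_decision(ip, path)}")
```

Run it after editing `LAN_PREFIX` to confirm that only the management path answers to off-LAN addresses; anything else from outside should come back 403.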