How to configure special settings?
To use TinyMDM on devices connected to a network protected by a firewall, some settings are necessary, because our application uses Google’s FCM notification system, like most Android apps.
Here are the proxy settings recommended by Google to make FCM notifications work: ports 5228, 5229, 5230 and 7275 must be opened without IP restriction. However, if you need to set up an IP restriction, you must also whitelist all the IP addresses of the IPv4 and IPv6 blocks listed in Google’s 15169 ASN (available here).
For more info, see this link and this link to Google’s original documentation.
| Destination Host | Protocols/Ports |
|---|---|
| www.tinymdm.net | TCP/443 |
| play.google.com android.com google-analytics.com googleusercontent.com *gstatic.com *.gvt1.com *.ggpht.com dl.google.com dl-ssl.google.com android.clients.google.com *.gvt2.com *.gvt3.com | TCP/443 TCP, UDP/5228-5230 |
| *.googleapis.com m.google.com | TCP/443 |
| accounts.google.com accounts.google.[country] | TCP/443 |
| gcm-http.googleapis.com gcm-xmpp.googleapis.com android.googleapis.com | TCP/443,5228-5230 |
| fcm.googleapis.com fcm-xmpp.googleapis.com firebaseinstallations.googleapis.com | TCP/443,5228-5230 |
| fcm-xmpp.googleapis.com gcm-xmpp.googleapis.com | TCP/5235,5236 |
| pki.google.com clients1.google.com | TCP/443 |
| clients2.google.com clients3.google.com clients4.google.com clients5.google.com clients6.google.com | TCP/443 |
| android.clients.google.com | TCP/443 |
| ota.googlezip.net ota-cache1.googlezip.net ota-cache2.googlezip.net ota-cache3.googlezip.net | TCP/443 |
| connectivitycheck.android.com connectivitycheck.gstatic.com www.google.com | TCP/443 |
| chromiumdash.appspot.com | TCP/443 |
| android.apis.google.com | TCP/443 |
| mtalk.google.com mtalk4.google.com mtalk-staging.google.com mtalk-dev.google.com alt1-mtalk.google.com alt2-mtalk.google.com alt3-mtalk.google.com alt4-mtalk.google.com alt5-mtalk.google.com alt6-mtalk.google.com alt7-mtalk.google.com alt8-mtalk.google.com android.apis.google.com device-provisioning.googleapis.com | TCP/443,5228-5230 |
| time.google.com | UDP/123 |
| android-safebrowsing.google.com safebrowsing.google.com | TCP/443 |
To use the remote view/control feature:
In addition to allowing the accesses regularly used by the various Google services (mentioned above), you need to authorize the following domains/ports:
| Destination Host | Protocols/Ports |
|---|---|
| kinesisvideo.eu-west-1.amazonaws.com | TCP/443 |
| r-d1721414.kinesisvideo.eu-west-1.amazonaws.com | TCP/443 |
| v-45d61471.kinesisvideo.eu-west-1.amazonaws.com | TCP/443 |
| m-214cdd09.kinesisvideo.eu-west-1.amazonaws.com | TCP/443 |
| turn.tinymdm.net | TCP/443 UDP/443 |
| android.clients.google.com | TCP/443 |
| ota.googlezip.net ota-cache1.googlezip.net ota-cache2.googlezip.net | TCP/443 |
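
To verify the rules from a machine on the filtered network, the script below (an added example, not TinyMDM or Google code) expands the tables' port notation into individual host/protocol/port targets and attempts a TCP connection to each. The function names and the `ROWS` subset are choices made for this example; wildcard and `[country]` entries are set aside because they cannot be resolved, and UDP targets are listed but not probed.

```python
import re
import socket

# Sample rows taken from the tables on this page (a subset, to keep the sample short).
# One spec keeps an en dash on purpose to exercise the normalisation below.
ROWS = [
    ("kinesisvideo.eu-west-1.amazonaws.com", "TCP/443"),
    ("turn.tinymdm.net", "TCP/443 UDP/443"),
    ("fcm.googleapis.com fcm-xmpp.googleapis.com", "TCP/443,5228–5230"),
    ("play.google.com *.gvt1.com", "TCP/443 TCP, UDP/5228-5230"),
    ("time.google.com", "UDP/123"),
]
GROUP = re.compile(r"((?:TCP|UDP)(?:\s*,\s*(?:TCP|UDP))*)/([\d,-]+)")

def expand_ports(spec):
    """Expand e.g. 'TCP/443 TCP, UDP/5228-5230' into a set of (proto, port)."""
    out = set()
    for protos, ports in GROUP.findall(spec.replace("–", "-")):  # en dash -> hyphen
        for proto in re.split(r"\s*,\s*", protos):
            for part in ports.strip(",").split(","):
                lo, _, hi = part.partition("-")
                out.update((proto, n) for n in range(int(lo), int(hi or lo) + 1))
    return out

def expand_rows(rows):
    """Return (probeable, pattern) lists of (host, proto, port) tuples."""
    probeable, pattern = [], []
    for hosts, spec in rows:
        for host in hosts.split():
            # '*' and '[country]' entries are patterns, not resolvable names.
            bucket = pattern if ("*" in host or "[" in host) else probeable
            bucket.extend((host, proto, port) for proto, port in sorted(expand_ports(spec)))
    return probeable, pattern

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes from this network."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def blocked_tcp(rows, probe=tcp_reachable):
    """List (host, port) TCP targets the probe could not reach; UDP is not probed."""
    probeable, _ = expand_rows(rows)
    return [(h, p) for h, proto, p in probeable if proto == "TCP" and not probe(h, p)]

if __name__ == "__main__":
    for host, port in blocked_tcp(ROWS):
        print(f"BLOCKED tcp/{port} {host}")
```

A failed probe can also mean the name did not resolve, so check DNS filtering before changing port rules. The UDP rows (for example `turn.tinymdm.net` UDP/443 and `time.google.com` UDP/123) have to be confirmed in the firewall's own rule set or logs.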
