An MDM Server is a ZENworks Primary Server with an MDM role, that acts as a gateway server and is the sole access point for managing mobile devices. To ensure that the ZENworks Server and the enrolled mobile devices can communicate with each other at all times, an MDM role must be assigned to at least one Primary Server in the zone. Apart from allowing devices to contact ZENworks, MDM Servers allow ZENworks to establish outbound connections to perform activities such as contact the push notification server to send relevant notifications to devices and manage VPP subscriptions. If the outbound connection is initiated from ZENworks Control Center (ZCC) whose ZENworks Server does not have outbound access, then this server will route these requests through one of the MDM Servers.
NOTE:If there are multiple MDM Servers in the zone, all these would be used for outbound connections, but inbound connections will be limited to those servers to which devices have enrolled.
Typically, MDM Servers must reside in the DMZ thereby allowing mobile devices to make inbound connections even when they are outside the firewall. Like other external-facing servers, the ZENworks MDM Server faces the Internet from within the DMZ. This lets the enterprise firewall protect the MDM Server from external attacks.
To enable both internal and external access to the MDM server, certain firewall ports must be open. The ZENworks MDM Server accepts inbound connections using HTTPS on port 443.
Apple Push Notification service: Both the MDM server and the iOS clients communicate with each other using the Apple Push Notification service (APNs). For outbound connections, the MDM server uses ports 2195 and 2196 to Apple’s 22.214.171.124/8 block, while clients use port 5223. Port 5223 must be open in the firewall to enable mobile devices to communicate with the Apple Push Notification service at all times.
Firebase Cloud Messaging: Both the MDM server and the Android clients communicate with each other using the Firebase Cloud Messaging (FCM) service. For outbound connections, open port 443 to connect to the FCM service from the MDM Server as well as the Android clients.