Network Ports Used by Jamf Pro

This article describes the network ports used for connections with Jamf Pro, the Jamf Pro server, and Jamf Pro apps. In addition, this article describes network ports that are commonly used when connecting or integrating Jamf Pro with third-party products.
Note:

All port numbers listed are TCP unless UDP is specifically indicated. Many of the ports listed in this document are determined by the configuration of other services running in your environment or by a third party. Many connections are listed with encrypted and non-encrypted options. Jamf strongly recommends using encrypted connections.

Warning:

Non-Jamf Pro ports could change at any time without Jamf's knowledge.

Network Connections to the Jamf Pro Server

A Jamf Pro server can be hosted on-premise (customer hosted) or hosted in Jamf Cloud. The following connections may be made inbound to the Jamf Pro server:

Port

Protocol

Description

Connections Initiated

8443 or 443

HTTPS

Connections to the Jamf Pro web app use HTTPS. When default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.
Note:

HTTPS Interception (SSL Inspection) is not supported for connections to Jamf Pro. If client HTTPS traffic traverses a web proxy, you must disable HTTPS Interception for connections to Jamf Pro.

Managed computers or mobile devices, administrator workstations, and other services to the Jamf Pro server

80/8080/443

HTTP or HTTPS

Some advanced installations may include a load balancer or reverse proxy. In this case, the Jamf Pro server URL’s host name will resolve to the IP address of the proxy. If SSL is terminated at the proxy, traffic is forwarded to the Jamf Pro server over HTTP (typical ports are 80/8080). Alternatively, traffic may be re-encrypted or passed through using HTTPS (often over port 443).

Load balancer or proxy to the Jamf Pro server

Connections from the Jamf Pro Server

The following outbound connections may be initiated by the Jamf Pro server:

Port

Protocol

Description

Connections Initiated

3306

MySQL

The Jamf Pro server connects to a MySQL database.

Jamf Pro server to MySQL database

443/2197

HTTPS

The Jamf Pro server uses Apple Push Notification service (APNs) to prompt managed devices to check in for mobile device management (MDM). Port 443 is used by default for the HTTP/2 connections. Port 2197 can be used only in on-premise environments.
Note:

Allow outbound connections to and redirects from Apple's 17.0.0.0/8 block over TCP port 5223 / 443 from all client networks and on port 2197, where applicable, from Jamf Pro servers to ensure APNs will function correctly on your network.

Jamf Pro server to Apple APNs 17/8 IP range

443

HTTPS

App Store app information can be retrieved from the App Store.

Jamf Pro server to Apple

443

HTTPS

The Jamf Pro server can integrate with Apple-hosted services such as Device Enrollment (formerly Device Enrollment Program), Volume Purchasing (formerly Volume Purchase Program), and Global Service Exchange (GSX).

Jamf Pro server to Apple

443

HTTPS

The Jamf Pro server can access hosted schema to populate Application & Custom Settings options.

Jamf Pro server to prod-custom-setting-schemas.s3.amazonaws.com

443

HTTPS

The Jamf Pro server can connect to Jamf-hosted utilities and services including:
  • Retrieving information about newly released software and version updates from Jamf's patch reporting database, hosted at https://jamf-patch.jamfcloud.com/
  • Apple Push Notification certificate signing requests (CSR)
  • Jamf Push Proxy communication with Jamf Self Service for iOS
  • Retrieving information from Jamf's hardware model name service, hosted at https://hw-model-names.services.jamfcloud.com (if configured)

Jamf Pro server to *.jamfcloud.com and *.jamf.com

443

HTTPS

The Jamf Pro server connects to Jamf-hosted services via the Cloud Services connection.

Jamf Pro server to the following domains:
  • https://csa.services.jamfcloud.com

  • https://ics.services.jamfcloud.com

If you have an on-premise environment, you must safelist the following URLs:
  • For the Icon Service: https://ics.services.jamfcloud.com

  • For uploading icons to the Icon Service: https://icon-staging-production-use1-ics-application.s3.amazonaws.com

80/443

HTTP or HTTPS

The Jamf Pro server connects to Microsoft via the Microsoft Graph API if the connection between Jamf Pro and Microsoft Intune is configured. For more information, see the following documentation from Microsoft: Network endpoints for Microsoft Intune

Jamf Pro server to the following domains:

  • login.microsoftonline.com

  • graph.microsoft.com

  • *.manage.microsoft.com

80/443

HTTP or HTTPS

If you are deploying SCEP certificate configuration profiles with a dynamic challenge, or using Jamf Pro's SCEP proxy services, the Jamf Pro server connects to your SCEP Enrollment server to obtain an enrollment challenge password and/or retrieve generated certificates on behalf of managed devices.
Note:

In a clustered environment, requests related to the SCEP Proxy are handled by the web app that receives the request. Therefore, it is important that all web apps are able to communicate with the configured SCEP service.

Jamf Pro server to SCEP Enrollment server

389/636

LDAP, Start TLS, or LDAPS

Directory service integration via LDAP (389), LDAP over TLS (Start TLS/389) or LDAP over SSL (LDAPS/636) can be used for user authentication, device assignment, and user information and group membership lookups.
Note:

All Jamf Pro server LDAP connections will originate from the Jamf Pro server. For information about LDAP Proxy connections, see the "Jamf Infrastructure Manager – LDAP Proxy Connections" section in this document.

Jamf Pro server to LDAP/Domain controller

25/465/587

SMTP

Email integration via an SMTP gateway can be used for administrative notifications, user messaging, and enrollment invitations. The SMTP port depends on the service provider and type of encryption supported.
Note:

To help keep data and communications as secure as possible, port 25 is blocked in Jamf Cloud and cannot be opened. Port 25 can be used in on-premise environments. For Jamf Cloud environments, Jamf recommends using port 587 with TLS.

Jamf Pro server to SMTP gateway host

514

Syslog

Change Management logs can be written to log files and to a Syslog server.

Jamf Pro server to Syslog server

443

HTTPS

A cloud distribution point (Amazon S3 or CloudFront, Akamai, RackSpace, or Jamf Cloud Distribution Service) can be used to host your software packages for distribution to managed clients. The Jamf Pro server connects to these services to perform initial configuration, to upload packages added via the Jamf Pro web app, and as needed to request content access tokens and URL signatures.

Jamf Pro server to cloud hosting provider

443

HTTPS

Jamf Pro can be configured to send webhook notifications for a variety of events (device enrollment, inventory updates, etc.) to support workflow automation and data integrations.

Jamf Pro server to event listener application server

11211

memcached

Memcached data access acceleration services can help reduce database load in multi-server Jamf Pro configurations.

Jamf Pro servers to Memcached servers

443

HTTPS

The Jamf Pro server connects to TeamViewer via the TeamViewer API if the connection between Jamf Pro and TeamViewer is configured. For more information, see TeamViewer Integration in the Jamf Pro Documentation.

443

HTTPS

The Jamf Pro on-premise proxy for non-government device compliance environments connects to Jamf-hosted services via the Cloud Services connection.

Jamf Pro server to https://registration.cloudconnector.services.jamfcloud.com

443

HTTPS

The Jamf Pro on-premise proxy for US Government (GCC High) device compliance environments connects to Jamf-hosted services via the Cloud Services connection.

Jamf Pro server to https://registration.cloudconnector.gov.services.jamfcloud.com/

Note:

Be sure to allow outbound connections to and redirects from Apple's 17.0.0.0/8 block over TCP port 5223 / 443 from all client networks and on ports 2195 and 2196 from Jamf Pro servers to make sure APNs will function correctly on your network.
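
As an added example (not part of Jamf's documentation), the following Python code audits firewall flow records for outbound traffic from a Jamf Pro server against the ports in the table above, including the 17.0.0.0/8 restriction for port 2197 and the non-encrypted options (80, 389) that the page recommends replacing. The function names, the `hosting` values, and the four-field flow-line format are assumptions made for this example, and the sample flows are constructed.

```python
import ipaddress

APNS_NET = ipaddress.ip_network("17.0.0.0/8")  # Apple's block, from the APNs note
# Outbound TCP ports and protocol labels from the table above.
OUTBOUND = {
    3306: "MySQL", 443: "HTTPS", 2197: "APNs", 80: "HTTP",
    389: "LDAP or Start TLS", 636: "LDAPS", 25: "SMTP", 465: "SMTP",
    587: "SMTP", 514: "Syslog", 11211: "memcached",
}
# Ports the table pairs with an encrypted alternative.
PLAINTEXT_OPTION = {
    80: "prefer HTTPS on 443",
    389: "confirm Start TLS is enabled, or use LDAPS on 636",
}


def classify(dst_ip, dst_port, hosting="on-premise"):
    """Return (verdict, reason) for one outbound flow from a Jamf Pro server."""
    ip = ipaddress.ip_address(dst_ip)
    if dst_port not in OUTBOUND:
        return ("unexpected", f"port {dst_port} is not in the outbound table")
    if dst_port == 2197 and hosting != "on-premise":
        return ("unexpected", "2197 can be used only in on-premise environments")
    if dst_port == 2197 and ip not in APNS_NET:
        return ("unexpected", "2197 is listed only for APNs in 17.0.0.0/8")
    if dst_port == 25 and hosting == "jamf-cloud":
        return ("unexpected", "port 25 is blocked in Jamf Cloud")
    if dst_port in PLAINTEXT_OPTION:
        return ("review", PLAINTEXT_OPTION[dst_port])
    return ("expected", OUTBOUND[dst_port])


def audit(flow_lines, hosting="on-premise"):
    """List (line_number, verdict, reason) for every flow needing attention."""
    findings = []
    for number, line in enumerate(flow_lines, start=1):
        try:
            _, _, dst_ip, dst_port = line.split()
            verdict, reason = classify(dst_ip, int(dst_port), hosting)
        except ValueError:  # wrong field count, bad address or bad port
            verdict, reason = "malformed", line.strip()
        if verdict != "expected":
            findings.append((number, verdict, reason))
    return findings


# Constructed sample flows: timestamp, source, destination, destination port.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z 10.0.0.5 17.0.0.10 2197",
    "2024-05-01T10:00:01Z 10.0.0.5 192.0.2.20 636",
    "2024-05-01T10:00:02Z 10.0.0.5 192.0.2.20 389",
    "2024-05-01T10:00:03Z 10.0.0.5 203.0.113.7 2197",
    "2024-05-01T10:00:04Z 10.0.0.5 198.51.100.9 4444",
]
```

Calling `audit(SAMPLE_FLOWS)` reports lines 3, 4 and 5: the LDAP flow on 389 for review, and the 2197 flow outside Apple's block and the port 4444 flow as unexpected.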

Managed Computer and Mobile Device Connections

The following connections may be initiated from managed Mac computers and iOS devices:

Port

Protocol

Description

Connections Initiated

8443/443

HTTPS

Mac computers and iOS devices connect to the Jamf Pro server when:
  • Prompted to enroll in mobile device management by Apple’s Device Enrollment (formerly Device Enrollment Program)
  • Enrolling via user-initiated enrollment in a web browser
  • Running the jamf agent (Mac computers only)
  • Running Self Service Mobile for iOS
  • Running Self Service for macOS
  • Responding to an MDM push notification
When the default settings are used, on-premise Jamf Pro servers use port 8443 and the Jamf Cloud managed-hosting option uses port 443.

Managed devices to the Jamf Pro server

5223/443

APNs

The Jamf Pro server will send a message to the Apple Push Notification service when it has an MDM profile or command awaiting delivery to an enrolled device. Mac computers and iOS devices maintain a persistent connection to APNs when connected to a network so they will receive new notifications quickly. End user devices connect to APNs using port 5223 by default, but will fail over to port 443 when connecting via Wi-Fi.

Managed devices to APNs

443

HTTPS

Mac computers can download software packages from a cloud distribution point (Amazon S3 or CloudFront, Akamai, RackSpace, or Jamf Cloud Distribution Service).

Managed computers to a cloud distribution point

443

HTTPS

iOS devices can download in-house apps and ebooks from the Jamf Cloud Distribution Service.

Managed mobile devices to JCDS

80/443

HTTP and HTTPS

Mac computers can download software packages from an HTTP and HTTPS server such as Apple macOS Server, Apache, and Microsoft IIS.

Managed computers to HTTP/HTTPS distribution point

548

AFP

Software packages can be downloaded by Mac computers from an Apple File Protocol (AFP) server.

Mac computers to AFP servers

445/137–139

SMB

Software packages can be distributed to Mac computers using a Windows SMB (CIFS) distribution point.

Managed computers to SMB servers

80/443

HTTP and HTTPS

The Apple ecosystem relies on many Internet-based systems maintained by Apple and their content distribution network (CDN). Examples include Apple Software Update, the App Store, Device Enrollment (formerly Device Enrollment Program), and Volume Purchasing (formerly Volume Purchase Program).

Managed devices to Apple/CDN

443

HTTPS

Managed computers send crash logging and some anonymized usage statistics to Jamf's Sentry server. For more information, see the Sentry Crash Logging and Usage Analytics Integrations article.

Managed computers to sentry.pub.jamf.build

5555/443

HTTPS

Managed computers send screen recording information, file transfers, and keyboard/mouse events to the cloud services that enable Jamf Remote Assist. These backend services are hosted on *.jra.services.jamfcloud.com.

Managed computers to Jamf Remote Assist

443

HTTPS

Computers connect to Jamf Cloud Services for App Installers application downloads. This connection occurs when an app is being updated or deployed for the first time via App Installers.

Managed computers to https://appinstallers-packages.services.jamfcloud.com

Administrator Workstation Connections

The following connections may be initiated from administrator workstations:

Port

Protocol

Description

Connections Initiated

8443/443

HTTPS

Administrators perform management tasks by logging in to the Jamf Pro server using a web browser. When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.

Administrator workstations to the Jamf Pro server

443

HTTPS

Administrators can initiate a Jamf Remote Assist session, send screen capture data, download files to the administrator's computer, and upload files to the end user's computer.

Administrator workstation to Jamf Remote Assist

Single Sign-On Connections

To implement single sign-on in on-premise environments, two-way communication on TCP ports between the Identity Provider and Jamf Pro server is required.

Jamf Infrastructure Manager - LDAP Proxy Connections

The Jamf Infrastructure Manager is a managed environment that runs on your network to host utilities that facilitate the integration of the Jamf Pro server with your IT environment. One of these utilities, the LDAP Proxy, may be used to create an extra layer of separation between a Jamf Pro server and an LDAP directory service. Communication between the Jamf Infrastructure Manager and the LDAP server is encrypted when the Use SSL checkbox is selected in the Connection settings of your LDAP server in Jamf Pro. Communication between Jamf Pro 10.27.0 or later and Jamf Infrastructure Manager 2.2.0 or later is encrypted with mutual TLS (mTLS).

Port

Protocol

Description

Connections Initiated

8443/443

HTTPS

Jamf Infrastructure Manager instances connect to the Jamf Pro server when they are enrolled and periodically thereafter to confirm their operating status and retrieve updated settings. When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.

Jamf Infrastructure Manager host to the Jamf Pro server

8389/8636

LDAP or LDAPS

All Jamf Pro LDAP lookups are sent via the Jamf Pro server. Jamf Pro can be configured to send LDAP queries to a Jamf Infrastructure Manager LDAP Proxy instance rather than directly to an LDAP host. The port on which the LDAP Proxy will listen for these incoming requests is configured when enrolling with the Jamf Pro server. On Linux, the port chosen should be at least 1024 because lower-numbered ports are reserved for more privileged services and users. Port 8389 might be chosen if running on LDAP, or port 8636 if running on LDAPS.

Jamf Pro server to the Jamf Infrastructure Manager host

389/636

LDAP or LDAPS

The LDAP Proxy service receives lookup requests from the Jamf Pro server and forwards them to the directory service you have configured in Jamf Pro's LDAP settings. LDAP typically runs on port 389. If you encrypt your LDAP communications (e.g., LDAP over SSL/LDAPS), port 636 is commonly used. Your directory services administrator can tell you which port is used in your environment.

Jamf Infrastructure Manager/LDAP Proxy to LDAP server/Domain controller

8081

HTTP

The LDAP Proxy service can expose this port to enable a Healthcheck endpoint for verifying the status of the LDAP Proxy server. The default port is 8081 but can be changed by your administrator.

External service to Jamf Infrastructure Manager host

Note:

If your Jamf Pro server is hosted on Jamf Cloud, you will need to permit inbound access to the Jamf Infrastructure Manager host from Jamf Cloud. A list of the source IP addresses for these connections is provided in the following article: Permitting Inbound/Outbound Traffic with Jamf.

Jamf Infrastructure Manager - Healthcare Listener Connections

The Healthcare Listener is a service that receives Admission/Discharge/Transfer (ADT) messages from a healthcare management system and sends a notification to the Jamf Pro server to trigger a remote command to the iOS device assigned to a patient room.

The Healthcare Listener is hosted by the Jamf Infrastructure Manager.

Port

Protocol

Description

Connections Initiated

2575

HL7

2575 is an assigned port that can be used for HL7 communications, but the Healthcare Listener can be configured to use any preferred port 1024 or greater.

HL7 interface to Jamf Infrastructure Manager host

8443/443

HTTPS

The Healthcare Listener informs the Jamf Pro Management Server when an action is needed on a device. When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.

Jamf Infrastructure Manager host to the Jamf Pro server

Jamf AD CS Connector Connections

Jamf Pro uses the Jamf AD CS Connector to communicate with AD CS to obtain certificates. This service securely transfers all communication between Jamf Pro and AD CS. For more information, see Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro.

Port

Protocol

Description

Connections Initiated

443

HTTPS

For inbound AD CS configurations, Jamf Pro sends certificate signing requests and retrieves completed certificates by opening a connection to the Jamf AD CS Connector on the port configured during installation, typically on TCP port 443.

Jamf Pro to Jamf AD CS Connector (inbound)

8443/443

HTTPS

For outbound configurations, the Jamf AD CS Connector retrieves certificate jobs and posts certificates to Jamf Pro via HTTPS. When default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.

Jamf AD CS Connector to Jamf Pro (outbound)

135 and 49152-65535

DCOM

The Jamf AD CS Connector uses Microsoft Distributed Component Object Model (DCOM) to communicate with AD CS.

Jamf AD CS Connector to AD CS

8443/443

HTTPS

If your organization uses in-house apps developed with the Jamf Certificate SDK, connections to the Jamf Pro server will be via HTTPS. When default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.

Mobile device apps to the Jamf Pro server