Network Ports used by Hexnode UEM
This article explains the network ports used for connections with Hexnode or for integrating third-party services.
A port is a specific location through which information flows between various computers or networks. Hexnode uses several ports for enrolling and managing Android, Apple, and Windows devices. Make sure to keep these ports open for a full MDM feature implementation.
The following tables list the ports needed to establish connectivity between the various servers and components in Hexnode UEM.
Ports for Android devices
Communications for enrolling and managing Android devices use HTTPS on TCP 443. Hexnode uses standard FCM ports and services (Ports 5228, 5229, and 5230). The port 1883 (outbound) can be used for devices without FCM.
| Port Number | Inbound/Outbound | Source | Destination | Description |
|---|---|---|---|---|
| 8998 | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443/80 | Outbound | Android Devices | | Samsung Knox Enrollment |
| 443 | Outbound | Android Device | www.googleapis.com | Zero-touch Enrollment |
| 443 | Bidirectional | Android Device | Destination hosts mentioned in https://support.google.com/work/android/answer/10513641?hl=en | App Management |
| 443 | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 | Bidirectional | Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file and app management. |
| 443 | Bidirectional | Devices | | HTTPS port used for Office365 Login. |
| 5228, 5229, 5230, 443 | Bidirectional | Android Devices | Hostnames mentioned in https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall | Receive push notifications via Firebase Cloud Messaging (FCM) |
| 1883, 8883 | Outbound | Android Devices | | Receive push notifications via MQTT. |
| 443 | Outbound | Android Devices | | Receive push notifications via Pushy. |
| 443, 3478 (TCP and UDP), 5349 (TCP) | Bidirectional | Android Devices | | Simple Traversal of UDP Through NAT (STUN) port for Remote View support, STUN over TLS for Remote View support. |
| 443 | Bidirectional | Android Devices | | Remote View Server |
Ports for Apple devices
Communications for enrolling and managing devices use HTTPS on TCP 443. Hexnode uses standard ports (TCP 2195 – outbound) to communicate with APNs (host address is gateway.push.apple.com). If Apple devices connected to the internet over Wi-Fi fail to receive APNs notifications, the firewall in your network may be blocking outbound port 5223. Make sure that this port remains open to TCP traffic for notifications to work.
| Port Number | Inbound/Outbound | Source | Destination | Description |
|---|---|---|---|---|
| 8998 | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443 | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 | Bidirectional | Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file and app management. |
| 443 | Bidirectional | Devices | | HTTPS port used for Office365 Login. |
| 443, 3478 (TCP and UDP), 5349 (TCP) | Bidirectional | iOS Devices | | Simple Traversal of UDP Through NAT (STUN) port for Remote View support, STUN over TLS for Remote View support. |
| 443 | Bidirectional | iOS Devices | | Remote View Server |
| 1883, 8883 | Outbound | macOS devices | | Receive push notifications via MQTT. |
| 5223 | Inbound | Apple Devices | 17.0.0.0/8 | Apple Push Notification service (APNs) for Apple devices. |
Ports for Windows devices
TCP port 443 is used in the case of the Windows Notification Service.
| Port Number | Inbound/Outbound | Source | Destination | Description |
|---|---|---|---|---|
| 8998 | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443 | Bidirectional | Windows Devices | | HTTPS port used for secure and encrypted communication between Hexnode server and Windows devices. |
| 443 | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 | Bidirectional | Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file and app management. |
| 443 | Bidirectional | Devices | | HTTPS port used for Office365 Login. |
| 1883, 8883 | Outbound | Windows devices | | Receive push notifications via MQTT. |
| 443 | Bidirectional | Windows devices | | Remote View Server |
Ports for Linux Devices
The following are the essential network ports and URLs that must be allowlisted in Netskope to ensure the Hexnode Linux Agent functions properly.
| Port Number | Inbound/Outbound | Source | Destination | Description |
|---|---|---|---|---|
| 443 | Bidirectional | Hexnode Cloud (i.e., provide your portal name) | Linux Devices | HTTPS port used for secure communication between the Hexnode server and enrolled Linux devices (/linux-server/ API polling and command delivery). |
| 443 | Outbound | Linux Enrollment Installer (CLI) | Hexnode Cloud (i.e., provide your portal name) | HTTPS port used during device enrollment (/check-auth/, /linux-enroll/, /linux-checkin/). Required for initial agent setup. |
| 443 | Outbound | Linux Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region | HTTPS port used to download the Linux MDM agent binary, enterprise applications, scripts, and other portal-hosted files. |
| 443 | Outbound | Linux Devices | downloads.hexnode.com | HTTPS port used to download Linux feature components such as Remote View Assist, Live Terminal, and Web Content Filtering binaries. |
| 443 | Outbound | Linux Devices | Portal-supplied HTTPS download URL (any host) | HTTPS port used when the portal provides a custom download URL for enterprise apps, agent updates, scripts, or Web Content Filtering binaries. |
| 1883, 8883 | Outbound | Linux Devices | Hostnames listed under MQTT push servers above | MQTT port used to receive real-time push notifications and commands. If blocked, the agent uses HTTPS polling on port 443. |
| 443 | Outbound | Linux Devices | Live Terminal Server (portal-supplied liveTerminalUrl; see Live Terminal servers above) | HTTPS port used for Live Terminal Socket.IO sessions between the device and the Hexnode Live Terminal server (for example, beta-liveterminal.hexnode.com). |
| 443 | Bidirectional | Linux Devices | Remote View Server (portal-supplied remoteViewUrl; see Remote View servers above) | HTTPS port used for Remote View and Remote Control session signaling and data exchange. |
| 443 | Outbound | Linux Devices (Remote View Assist) | http://www.hexnode.com | HTTPS port used to load EULA, privacy policy, terms, and support links in the Remote View client. |
| 443 | Outbound | Linux Devices (Hexnode Access deployments) | Hexnode Cloud (i.e., provide your portal name) | HTTPS port used to download portal assets such as favicon images for Hexnode Access kiosk login (/media/img/favicon.png). |
| 443 | Outbound | Linux Devices (optional — Location tracking) | ipinfo.io | HTTPS port used for IP-based geolocation lookup. |
| 443 | Outbound | Linux Devices (optional — Location tracking) | nominatim.openstreetmap.org | HTTPS port used for reverse geocoding of device coordinates. |
| 443 | Outbound | Linux Devices (optional — Real-time location) | location.services.mozilla.com | HTTPS port used for Wi-Fi-based geolocation. |
| 80 | Outbound | Linux Devices (optional — Real-time location) | ip-api.com | HTTP port used as a fallback for IP-based location lookup. |
| 53 | Outbound | Linux Devices (Web Content Filtering enabled) | 1.1.1.1 | UDP port used by the Hexnode DNS filter service for upstream DNS resolution. |
| 53 | Inbound (local loopback) | Linux Devices (Web Content Filtering enabled) | 127.0.0.1 | UDP port used by the local Hexnode DNS filter listener on the device. Applications on the device resolve DNS through this local service when Web Content Filtering is active. |
| 22 | Inbound (local loopback) | Linux Devices (Live Terminal session active) | 127.0.0.1 | TCP port used for the local SSH connection between the Live Terminal client and the device SSH server during an active Live Terminal session. |
| – | Local (Unix domain socket) | Hexnode Access UI Agent and Linux MDM Agent | /run/mdm_agent/agent.sock, /run/mdm_agent/agent_gui.sock | Local inter-process communication between the UI Agent and MDM Agent on the device. Not an external network connection. |
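
One way to check a proxy or firewall egress allowlist against the Linux table above before rollout, as an added example that is not Hexnode code. The portal and MQTT hostnames are placeholders, the allowlist is a constructed sample, and the three impact labels are this example's own grouping of the table rows.

```python
import fnmatch
from ipaddress import ip_address, ip_network

PORTAL = "portal.example.invalid"   # placeholder: your Hexnode portal name
MQTT = "mqtt.example.invalid"       # placeholder: MQTT hosts are not listed on this page

# (destination, port, proto, need) rows condensed from the Linux table.
# need: "required" | "fallback" (agent polls over 443 instead) | "feature"
LINUX_FLOWS = [
    (PORTAL, 443, "tcp", "required"),
    ("downloads.hexnode.com", 443, "tcp", "feature"),
    (MQTT, 1883, "tcp", "fallback"),
    (MQTT, 8883, "tcp", "fallback"),
    ("ipinfo.io", 443, "tcp", "feature"),
    ("nominatim.openstreetmap.org", 443, "tcp", "feature"),
    ("location.services.mozilla.com", 443, "tcp", "feature"),
    ("ip-api.com", 80, "tcp", "feature"),
    ("1.1.1.1", 53, "udp", "feature"),
]

# Constructed sample policy: (host glob or CIDR, port, proto).
SAMPLE_ALLOWLIST = [
    ("*.example.invalid", 443, "tcp"),
    ("*.hexnode.com", 443, "tcp"),
    ("ipinfo.io", 443, "tcp"),
    ("1.1.1.0/24", 53, "udp"),
]

def rule_matches(rule, dest, port, proto):
    """True if one allowlist rule permits dest:port/proto."""
    pattern, r_port, r_proto = rule
    if (r_port, r_proto) != (port, proto):
        return False
    try:  # IP destination against a CIDR rule
        return ip_address(dest) in ip_network(pattern, strict=False)
    except ValueError:  # otherwise compare as a hostname glob
        return fnmatch.fnmatch(dest.lower(), pattern.lower())

def audit(allowlist, flows=LINUX_FLOWS):
    """Group the flows the allowlist does not permit by their impact."""
    impact = {"required": "blocked", "fallback": "degraded", "feature": "feature_affected"}
    report = {name: [] for name in impact.values()}
    for dest, port, proto, need in flows:
        if not any(rule_matches(r, dest, port, proto) for r in allowlist):
            report[impact[need]].append((dest, port, proto))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_ALLOWLIST))
```

With the sample policy, the MQTT ports land under "degraded" because the table states the agent falls back to HTTPS polling on 443, while an empty allowlist puts the portal flow under "blocked".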