Last Updated: May 15, 2025
Chances are your devices are behind some sort of firewall. For your devices to communicate with Esper, you’ll need to allow the following URLs and ports.
If you’re setting up your firewall for Esper, chances are you’re new to Esper. We’ve put together a Getting Started checklist for you. Whether you’re new to Esper firewalls or you’ve been using them for a while, use this page as a reference for our latest firewall information.
In this article:
- Preparing the Firewall Allowlist
- Rules for All Devices
- Rules for Google Mobile Services (GMS) Devices
- Rules for Non-GMS Devices
- Rules for iOS Devices
- Rules for Foundation Devices
- Glossary of Terms
Preparing the Firewall Allowlist
Identify your Devices
To get started, you’ll need to identify the types of devices you’ll use:
- GMS or Google Mobile Services devices
- Non-GMS, AOSP or Android Open Source Project devices
- iOS devices
- Foundation devices
- Or a combination of these
Find Your Tenant Name
Then, locate your tenant name. Your tenant name appears in the URL for the Esper console: https://{tenant-name}.esper.cloud/
Find Your Esper Agent Version
Some firewall rules may require a specific Esper Agent version. Learn how to check the Esper Agent version on your device.
Learn About Our Features
Lastly, learn more about the features you’ll be enabling for some of these firewalls. Links are included to learn more about the feature.
To learn more about firewall terms, see the glossary at the bottom of this page.
- All firewall rules are outbound.
- HTTPS ports are encrypted.
- If your fleet uses GMS devices, see Android's network requirements as well.
All DevicesThese firewall rules will generally apply to all device types. For general Android requirements, see Android's network requirements. |
|||
| FQDN | Wildcard | Port | Feature |
| *.amazonaws.com | *.amazonaws.com |
TCP: 443 (HTTPS)
|
For provisioning, app management, and device management. Note: Contact Esper if you want to replace *.amazonaws.com with our streamer service. After streamer setup, your new requirement will be: Learn more about our enable it in You may need to enable proxy access through your router as well. |
| mqtt.shoonyacloud.com | *.shoonyacloud.com | TCP: 1883 (MQTT) | For MQTT communication with devices. |
| services.shoonyacloud.com | TCP: 443 (HTTPS) | For Android for Work (AFW) and Zero Touch Enrollment (ZTE) provisioning and Remote Viewer APK. | |
| turn.shoonyacloud.com |
TCP/UDP: 3478 (SCTP) TCP/UDP: 5349 (SCTP) UDP: 49152 - 65535 |
For Remote Viewer and Remote Control services. | |
| authn2.esper.cloud | *.esper.cloud |
TCP: 443 (HTTPS) | For Single Sign-on (SSO). |
| id.esper.cloud | TCP: 443 (HTTPS) | For Single Sign-on (SSO). | |
| ping.esper.cloud | Port 443 (HTTPS) | For checking the device's internet connectivity. Note: For Esper Agent versions 7.12.3767 and above. |
|
| [customer tenant].esper.cloud | TCP: 443 (HTTPS) | For granting access to the Esper Console when operating under a network with a restricted outbound firewall. | |
| [customer tenant]-api.esper.cloud | TCP: 443 (HTTPS) | For communicating from the device to the Esper tenant. (example: device status events and command success/failure messages). | |
| queue.esper.cloud | TCP: 443 (HTTPS) | For MQTT communication to devices for commands (with TLS). | |
| statserv.esper.cloud | TCP: 443 (HTTPS) | For sending deployment stats and provisioning failures to Esper monitoring systems. | |
| onboarding.esper.cloud | TCP: 443 (HTTPS) |
For device onboarding. Note: For Esper Agent versions 7.14.0931 and above. If not listed, defaults to services.shoonyacloud.com. |
|
| eea-sentry.esper.cloud | TCP: 443 | For sending telemetry data to Sentry. | |
| remoteviewer.esper.cloud |
TCP/UDP: 3478 (SCTP), TCP/UDP: 5349 (SCTP), UDP: 49152 - 65535 |
For Remote Viewer and Remote Control services. | |
| remoteaccess.esper.cloud | TCP: 40000-50000 | This is to allow secure remote ADB access to your devices and the Esper CLI. | |
| 13.52.132.230 | TCP: 40000-50000 | This is to allow secure remote ADB access to your devices and the Esper CLI. | |
| downloads.esper.io | *.esper.io | TCP: 443 (HTTPS) | For standalone Esper Agent updates. |
|
shoonya-firebase.firebaseio.com *.crashlytics.com crashlyticsreports-pa.googleapis.com firebasecrashlyticssymbols.googleapis.com |
*.firebaseio.com *.crashlytics.com *.googleapis.com |
TCP: 443 (HTTPS) TCP: 5228 (HTTPS) TCP: 5229 (HTTPS) TCP: 5230 (HTTPS) |
For Firebase/Crashlytics. Used to send crash reports. |
| 8.8.8.8 | 8.8.8.8 | TCP: 443 (HTTPS) |
For checking the device's internet connectivity.
Note: For Esper Agent versions lower than 7.12.3767 and greater than 7.8.7060. |
|
Only applicable for certain situations or customers |
|||
| mqtt-telemetry-prod.esper.cloud | *.esper.cloud | TCP: 1883 | For customers who want access to Quantum Telemetry and for MQTT communication to devices for commands (with TLS). |
|
*.gstatic.com *.googleapis.com www.google.com |
N/A | TCP: 443 (HTTPS) | For 6-tap QR Code provisioning. |
|
android.clients.google.com clients2.google.com dl.google.com accounts.google.com play.google.com *.googleusercontent.com *.googletagmanager.com |
N/A | TCP: 443 (HTTPS) | For Android for Work (AFW) provisioning. |
| clients3.google.com/generate_204 | N/A | Port 443 (HTTPS) |
For checking the device's internet connectivity. Note: Only required for devices running Esper Agent version 7.8.7060 and below. |
Google Mobile Services (GMS) DevicesThese firewall rules will generally apply to devices using Google Mobile Services. If your devices install apps through the Google Play Store, or have the capability to do so, you should apply these rules. You'll also need to apply the rules in the All Devices section.
|
|||
|
dpcdownloads.esper.cloud |
*.esper.cloud | TCP: 443 (HTTPS) |
For the 6-tap QR code provisioning method and Remote Viewer APK.
|
|
firebaseinstallations.googleapis.com fcm.googleapis.com |
*.googleapis.com |
TCP: 443 (HTTPS) TCP: 5228 (HTTPS) TCP: 5229 (HTTPS) TCP: 5230 (HTTPS) |
For sending commands, sending pings, and map services. For a full list of map services, see Google Maps Domains. |
| time.google.com | N/A | UDP: 123 (NTP) | For actively synchronizing the device's time. |
Non-GMS DevicesIf you have Non-GMS, also known as Android Open Source Project or AOSP devices, you should apply this rule. You'll also need to apply the rules in the All Devices section. |
|||
|
dpcdownloads.esper.cloud |
*.esper.cloud | TCP: 443 (HTTPS) |
For 6-tap QR code provisioning method and Remote Viewer APK.
|
iOS DevicesAdditional setup may be required. See Apple's documentation for more information. |
|||
| ppq.apple.com | *.apple.com | TCP: 443 (HTTPS) |
Verifies Esper software installed on the device with Apple. |
| *.push.apple.com | TCP: 443, 80, 5223, 2197 |
Allows the device to receive push notifications from Apple. |
|
| deviceenrollment.apple.com | TCP: 443 (HTTPS) |
Allows DEP provisional enrollment. |
|
| deviceservices-external.apple.com | TCP: 443 (HTTPS) |
Allows Apple’s external services that devices use for MDM functionality. |
|
| gdmf.apple.com | TCP: 443 (HTTPS) |
Used to identify which software updates are available for devices that use managed software updates. |
|
| identity.apple.com | TCP: 443 (HTTPS) |
Used to create APNs for the Esper console. |
|
| iprofiles.apple.com | TCP: 443 (HTTPS) |
Used for enrollment profiles for ABM (Apple Business Manager). |
|
| mdmenrollment.apple.com | TCP: 443 (HTTPS) |
Used to upload enrollment profiles for ABM and used to look up devices and accounts. |
|
| setup.icloud.com | TCP: 443 (HTTPS) |
Required to log in with a Managed Apple ID |
|
| vpp.itunes.apple.com | TCP: 443 (HTTPS) |
Used to perform operations related to Apps and Books, such as assigning or revoking licenses on a device |
|
| *.appattest.apple.com | TCP: 443 (HTTPS) |
Used for Managed device attestation. |
|
Linux DevicesThe Linux device experience is currently in beta. You'll also need to apply the rules in the All Devices section. |
|||
| artifacthub.esper.cloud | *.esper.cloud | TCP: 443 (HTTPS) |
|
Foundation DevicesIf you have devices that run Foundation, you should apply these rules. You'll also need to apply the rules in the All Devices section.
|
|||
| time.google.com | N/A | UDP: 123 (NTP) | For actively synchronizing the device's time. |
| ip-api.com | ip-api.com | TCP: 80 (HTTP) | For using devices to automatically retrieve the timezone. |
| eea-services.esper.cloud | *.esper.cloud |
TCP: 443 (HTTPS) | To enable Foundation Automatic Updates. |
| ota.esper.cloud | TCP: 443 (HTTPS) | For downloading Foundation updates over the air. | |
Glossary of Terms
| Term | Definition |
| Communication Channels | Customers interact with their devices by sending commands using the Esper Console or APIs. In either case, all communication to their devices is routed via one of four communication channels that a device can use. These channels are:
|
| FQDN (Fully Qualified Domain Name) | A complete domain name that specifies the exact location of a resource in a hierarchical DNS (Domain Name System) structure. |
| HTTP (Hypertext Transfer Protocol) | A protocol used for transmitting and receiving hypertext documents on the World Wide Web. HTTP is the foundation of data communication on the internet and defines how web browsers and servers interact. |
| HTTPS | Hypertext Transfer Protocol Secure. A secure version of HTTP that uses encryption to protect the data transmitted between a web browser and a web server. |
| MQTT | Message Queuing Telemetry Transport. A lightweight publish-subscribe messaging protocol designed for low-bandwidth, high-latency, or unreliable networks. MQTT is commonly used in IoT (Internet of Things). |
| NTP | Network Time Protocol. A protocol used to synchronize the clocks of systems on a network. NTP ensures that all systems have accurate and synchronized time. |
| SCTP | Stream Control Transmission Protocol. A transport layer protocol that combines some of the features of both TCP and UDP. SCTP offers reliable, ordered, and multiplexed data transmission with congestion control and error detection. |
| SNTP | Simple Network Time Protocol. A simplified version of NTP that provides basic time synchronization capabilities. SNTP is often used in situations where high accuracy is not critical. |
| SSL | Secure Sockets Layer. A cryptographic protocol is used to establish secure and encrypted connections between a client and a server. |
| Stack | A stack is a physically isolated infrastructure that can be used to create multiple customer Tenants. All customer Tenants in a stack share the same computing and storage resources. |
| TCP | Transmission Control Protocol. A connection-oriented communication protocol that provides reliable and ordered data delivery between two systems over a network. |
| Tenant | This is the URL that customers use to access their Console in the browser. It’s usually formatted <customer-name>.esper.cloud (e.g., customereducation.esper.cloud). |
| Tenant API (or Esper API) |
This is a programmatic way of using all the features provided by the console using HTTP calls. A tenant API is formatted https://<customer>-api.esper.cloud (e.g., customereducation-api.esper.cloud). The console also uses this API to retrieve data. It's also used to push periodic updates to registered devices in the tenant. |
| UDP | User Datagram Protocol. A connectionless communication protocol that provides faster, but less reliable, data transmission compared to TCP. |
| Wildcard | An FQDN that can stand in for other FQDNs. It allows all variations of the subdomain. For example, the FQDN wildcard *.esper.cloud would allow dpcdownloads.esper.cloud, ping.esper.cloud, mqtt.esper.cloud, etc. |