Using Iru on Enterprise Networks

Some organizations may create Enrollment Only networks or put Proxies in place to limit access to the public internet. In these situations, it is important to ensure that your Apple, Windows, and Android devices can communicate with platform services and Iru to complete enrollment and management tasks.

When creating firewall rules for these ports, outbound traffic will need to be allowed.

Global Web App Access

Regardless of region, all Iru tenants access the web app through a single global domain: subdomain.iru.com.

The region-specific tables below also list subdomain.kandji.io and subdomain.eu.kandji.io as web app access domains. These are legacy hostnames that route to the same Iru service.

Your data remains isolated within its assigned region. When the app loads, a lookup is performed against a globally available service (the Identity Service) to determine your tenant’s region. All subsequent API calls are then routed to region-specific load balancers accordingly. For details on signing in and accessing your tenant, see Getting Started.

Required Domains & Ports

Domains Shared Across All Regions

The following domains are required for all tenants regardless of region:

Domain	Ports	Protocol	OS	Description
`browser-intake-datadoghq.com`	443	TCP	All	Used for release management and platform monitoring
`events.launchdarkly.com`	443	TCP	All	Used for release management and platform monitoring
`updater.iru.com`	443	TCP	All	Used for Iru Access downloads and updates
`*.c.lencr.org`	443	TCP	All	Used for Let’s Encrypt certificate validation via Certificate Revocation Lists (CRLs).

Region-Specific Domains

US Region
EU Region

US-Hosted Region Domains

Domain	Ports	Protocol	OS	Description
`UUID.web-api.kandji.ioUUID.devices.us-1.kandji.io`	443	TCP	All	Used for MDM Check-In and Iru Agent communication. Replace UUID with your tenant’s value. See Determine your unique device domains for how to find your UUID and domains.
`kandji-prd.s3.amazonaws.com`	443	TCP	macOS	Used by macOS devices to download the Iru Agent & Custom Apps uploaded to your Iru tenant
`iru-prd-managed-library-items.s3.amazonaws.com`	443	TCP	macOS	Used by macOS devices to download Auto Apps
`managed-library.kandji.io`	443	TCP	macOS	Used by macOS devices to download Auto Apps
`subdomain.web-api.kandji.io`	443	TCP	All	Used to download Mobile Device Management (MDM) Enrollment Profile
`subdomain.kandji.iosubdomain.iru.com`	443	TCP	All	Used to access the Iru web app
`subdomain.gateway.kandji.iosubdomain.gateway.iru.com`	443	TCP	All	Used by Iru web app to access Iru APIs.
`*.iot.kandji.io`	443	TCP	All	Used for device telemetry communications
`windows-agent.kandji.io`	443	TCP	Windows	Used to install and upgrade the Iru Agent on Windows
`subdomain.id.iru.comsubdomain.id.connect.iru.comsubdomain.id.devices.iru.comsubdomain.id.gateway.iru.com`	443	TCP	All	Access point for the Iru Identity API service serving US tenants. Within the Iru web app, it is used universally across all tenants, independent of Iru Workforce Identity licensing

EU-Hosted Region Domains

Domain	Ports	Protocol	OS	Description
`UUID.web-api.eu.kandji.ioUUID.devices.eu.kandji.io`	443	TCP	All	Used for MDM Check-In and Iru Agent communication. Replace UUID with your tenant’s value. See Determine your unique device domains for how to find your UUID and domains.
`kandji-prd-eu.s3.amazonaws.com`	443	TCP	macOS	Used by macOS devices to download the Iru Agent & Custom Apps uploaded to your Iru tenant
`iru-prd-eu-managed-library-items.s3.amazonaws.com`	443	TCP	macOS	Used by macOS devices to download Auto Apps
`managed-library.eu.kandji.io`	443	TCP	macOS	Used by macOS devices to download Auto Apps
`subdomain.web-api.eu.kandji.io`	443	TCP	All	Used to download Mobile Device Management (MDM) Enrollment Profile
`subdomain.eu.kandji.iosubdomain.iru.com`	443	TCP	All	Used to access the Iru web app
`subdomain.gateway.eu.kandji.iosubdomain.gateway.eu.iru.com`	443	TCP	All	Used by Iru web app to access Iru APIs.
`*.iot.eu.kandji.io`	443	TCP	All	Used for device telemetry communications
`windows-agent.eu.kandji.io`	443	TCP	Windows	Used to install and upgrade the Iru Agent on Windows
`subdomain.id.iru.comsubdomain.id.eu.iru.comsubdomain.id.connect.iru.comsubdomain.id.connect.eu.iru.comsubdomain.id.devices.eu.iru.comsubdomain.id.gateway.eu.iru.com`	443	TCP	All	Access point for the Iru Identity API service serving EU tenants. Within the Iru web app, it is used universally across all tenants, independent of Iru Workforce Identity licensing. The US id domain is used as a global lookup service to know which region your tenant belongs to, and forward all further traffic to the EU api region.

AD CS Integration Network Requirements

If you use the Active Directory Certificate Services integration, allow these network paths for AD CS Connector setup and certificate request flow. For full integration context, see AD CS Integration: Overview.

The updated AD CS Connector uses Iru sign-in and registration URL approval in the Iru Endpoint web app. It does not use Auth0. Use the Updated AD CS Connector table for standard allowlists (Iru tenant, Iru tenant API, Iru Identity, adcsconn, and internal AD CS CA traffic as listed). Include your Iru web app and any additional Iru Identity destinations from elsewhere in this article where those rows apply to your tenant. If any Windows servers still run the legacy connector during migration, also allow the destinations in the Legacy AD CS Connector table until those hosts are upgraded and the legacy connector is removed from Iru Endpoint.

Updated AD CS Connector

Source	Destination	Destination domains	Port	Protocol	Description
AD CS Connector	Iru tenant	`subdomain.iru.comsubdomain.kandji.iosubdomain.eu.kandji.io`	443	TCP	Used during initial connector setup for Iru sign-in and registration URL approval in the Iru Endpoint web app
AD CS Connector	Iru tenant API	`subdomain.gateway.iru.comsubdomain.gateway.eu.iru.comsubdomain.gateway.kandji.iosubdomain.gateway.eu.kandji.iosubdomain.clients.us-1.kandji.iosubdomain.clients.eu.kandji.io`	443	TCP	Used for API communication between the AD CS Connector and your tenant. Replace subdomain with your tenant subdomain. Gateway hostnames match Region-specific domains. Clients rows are tenant-scoped client API hosts: `subdomain.clients.us-1.kandji.io` for US Region tenants and `subdomain.clients.eu.kandji.io` for EU Region tenants (same regional split as the tabs above).
AD CS Connector	Iru Identity	`subdomain.id.iru.comsubdomain.id.eu.iru.com`	443	TCP	Used for Iru Identity during sign-in and token flows for the updated connector
AD CS Connector	AD CS connector service	`adcsconn.kandji.io` `adcsconn.eu.kandji.io`	443	TCP	WebSocket over TCP. Used to facilitate certificate requests between the AD CS Connector and the customer tenant
AD CS Connector	Windows AD CS CA server(s) in your environment	Internal AD CS CA server FQDN(s)	135 + dynamic RPC range	TCP	Microsoft DCE/RPC between the connector and issuing CAs when processing certificate requests

Microsoft RPC is not a single fixed high port. Allow TCP 135 (RPC Endpoint Mapper) to each issuing CA FQDN, and the Windows dynamic RPC port range each CA host uses, often the range shown as RPC Dynamic Ports in Windows Defender Firewall with Advanced Security on the certificate server. Confirm the range on every issuing CA and mirror it in your firewall or proxy rules. For background, see Configure RPC dynamic port allocation with firewalls on Microsoft Learn.

Legacy AD CS Connector (migration only)

Allow these destinations only while at least one Windows server still runs the legacy connector (Auth0-based WebView sign-in during setup). When every connector uses the updated flow from Iru, remove these allowlist rows.

Source	Destination	Destination domains	Port	Protocol	Description
AD CS Connector	Auth0	`*.auth0.com`	443	TCP	Legacy connector only. Multiple subdomains used for initial WebView authentication during connector setup
AD CS Connector	Auth0	`auth.kandji.io` `auth.eu.kandji.io`	443	TCP	Legacy connector only. Used when authenticating the AD CS Connector during setup and WebSocket initialization

Determine Your Unique Device Domains

Your unique device domains are used by enrolled devices to communicate with Iru via the MDM protocol and the Iru Agent. US region examples:

UUID.web-api.kandji.io
UUID.devices.us-1.kandji.io

EU region examples:

UUID.web-api.eu.kandji.io
UUID.devices.eu.kandji.io

The UUID is unique to your tenant. You can view your tenant’s domains by logging into your tenant and following these steps:

Open Organization

Click your name at the bottom of the left navigation, then select Organization.

View Device Domains

Under Endpoint, you will see the Device Domains panel. These two domains are used by devices for MDM and Agent communication.

Find Device Domain on a Mac

To determine the specific domain being used by an individual Mac computer, run the following command in Terminal:

Terminal

system_profiler SPConfigurationProfileDataType | awk -v FS='(https://|/mdm)' '/CheckInURL/ {print $2}'

SSL/TLS Inspection

The macOS Iru Agent leverages a common best practice of certificate pinning to ensure that it will only communicate with trusted servers and prevent its traffic from being intercepted and inspected (MITM attack prevention). This may pose a challenge if your network or proxy administrator is decrypting all SSL/TLS traffic by default. Please ask your network administrator to exempt the 2 device domains in your tenant from inspection.

Please note that even if you deploy your content filter’s CA as a trusted root CA to your macOS devices, SSL/TLS inspection will still cause the Iru Agent to not communicate with Iru.

Platform-Specific Network Requirements

Apple
Windows
Android

Apple Required Hosts & Ports

Apple devices require access to various Apple services for proper enrollment and management. For comprehensive Apple network requirements, refer to Apple’s official guide: Configure devices to work with APNs.

Destination Host	Ports	Purpose
Apple network (`17.0.0.0/8`)	TCP/443	Device activation and fallback if devices can’t reach APNs on port 5223
Apple network (`17.0.0.0/8`)	TCP/5223	Primary communication with Apple Push Notification service (APNs)
Apple network (`17.0.0.0/8`)	TCP/443 or 2197	Send notifications from device management service to APNs

Windows Required Hosts & Ports

Windows devices require access to Microsoft services for proper enrollment and management:

Destination Host	Ports	Purpose
`.notify.windows.com.wns.windows.comlogin.microsoftonline.comlogin.live.com`	TCP/443	Required for Windows Push Notification Services (WNS). For detailed configuration requirements, see Microsoft’s WNS firewall allowlist documentation

Additional URLs may be required for Windows-specific features to function properly. For a comprehensive list of Windows endpoints, refer to Microsoft’s Windows 11 endpoints documentation for non-enterprise editions or Microsoft’s Windows 11 endpoints documentation for enterprise editions.

Android Required Hosts & Ports

Android devices require access to Google services for proper enrollment and management. For comprehensive Android network requirements, refer to Google’s Android Enterprise network requirements.

Destination Host	Ports	Purpose
`play.google.comandroid.comgoogle-analytics.comgoogleusercontent.com.gstatic.com.gvt1.com.ggpht.comdl.google.comdl-ssl.google.comandroid.apis.google.com.gvt2.com*.gvt3.com`	TCP/443 TCP, UDP/5228-5230	Google Play and updates, app downloads, and Play Store APIs
`*.googleapis.comm.google.com`	TCP/443	EMM/Google APIs/PlayStore APIs/Android Management APIs
`accounts.google.comaccounts.google.[country]`	TCP/443	Authentication (use your local top-level domain for [country])
`gcm-http.googleapis.comgcm-xmpp.googleapis.comandroid.googleapis.com`	TCP/443, 5228-5230	Google Cloud Messaging for EMM Console ↔ DPC communication
`fcm.googleapis.comfcm-xmpp.googleapis.comfirebaseinstallations.googleapis.com`	TCP/443, 5228-5230	Firebase Cloud Messaging for Find Hub and EMM Console ↔ DPC communication
`connectivitycheck.android.comconnectivitycheck.gstatic.comwww.google.com`	TCP/443	Android OS connectivity checks for Wi-Fi/Mobile network connections
`mtalk.google.commtalk4.google.comalt1-mtalk.google.comalt2-mtalk.google.comalt3-mtalk.google.comalt4-mtalk.google.comalt5-mtalk.google.comalt6-mtalk.google.comalt7-mtalk.google.comalt8-mtalk.google.comandroid.apis.google.comdevice-provisioning.googleapis.com`	TCP/443, 5228-5230	FCM connectivity for devices behind organizational firewalls
`time.google.com`	UDP/123	NTP server access required during device provisioning

TLS Versions and Cipher Suites

Per Apple’s Platform Security guide, built-in apps and services on macOS, iOS, tvOS, and iPadOS devices will automatically prefer cipher suites with perfect forward secrecy. This is also true in the case where a developer uses a high-level networking API such as CFNetwork. The Iru Agent leverages these high-level networking APIs. We encourage you to read Apple’s Platform Security Guide to better understand these features, especially the TLS network security section, which can be found here. The domains used for MDM and Iru Agent communication are unique to your tenant. See Determine Your Unique Device Domains for how to find yours. You can inspect your tenant’s domains using a tool such as Qualys SSL Server Test to understand which ciphers are currently supported by Iru.

Supported TLS Protocols

Iru supports the following TLS protocol versions:

Protocol	Supported	Notes
TLS 1.2	Yes	Server negotiated using No-SNI
TLS 1.1	Yes
TLS 1.0	Yes	Server negotiated using No-SNI
TLS 1.3	No
SSL 3	No
SSL 2	No

Cipher Suites

TLS 1.2 in server preferred order

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA

TLS 1.1 in server preferred order

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

TLS 1.0 in server preferred order

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

​Global Web App Access

​Required Domains & Ports

​Domains Shared Across All Regions

​Region-Specific Domains

​US-Hosted Region Domains

​EU-Hosted Region Domains

​AD CS Integration Network Requirements

​Updated AD CS Connector

​Legacy AD CS Connector (migration only)

​Determine Your Unique Device Domains

​Find Device Domain on a Mac

​SSL/TLS Inspection

​Platform-Specific Network Requirements

​Apple Required Hosts & Ports

​Windows Required Hosts & Ports

​Android Required Hosts & Ports

​TLS Versions and Cipher Suites

​Supported TLS Protocols

​Cipher Suites

Global Web App Access

Required Domains & Ports

Domains Shared Across All Regions

Region-Specific Domains

US-Hosted Region Domains

EU-Hosted Region Domains

AD CS Integration Network Requirements

Updated AD CS Connector

Legacy AD CS Connector (migration only)

Determine Your Unique Device Domains

Find Device Domain on a Mac

SSL/TLS Inspection

Platform-Specific Network Requirements

Apple Required Hosts & Ports

Windows Required Hosts & Ports

Android Required Hosts & Ports

TLS Versions and Cipher Suites

Supported TLS Protocols

Cipher Suites