Some organizations may create Enrollment Only networks or put Proxies in place to limit access to the public internet. In these situations, it is important to ensure that your Apple, Windows, and Android devices can communicate with platform services and Iru to complete enrollment and management tasks.
When creating firewall rules for these ports, outbound traffic will need to be allowed.
Global Web App Access: Regardless of region, all Iru tenants access the web app through a single global domain, subdomain.iru.com. Your data remains isolated within its assigned region. When the app loads, a lookup is performed against a globally available service (the Identity Service) to determine your tenant’s region, and all subsequent API calls are then routed to that region’s load balancers.

Required Domains & Ports

US-hosted Region Domains

Domain | Ports | Protocol | OS | Description
kandji-prd.s3.amazonaws.com | 443 | TCP | macOS | Used by macOS devices to download the Kandji Agent & Custom Apps uploaded to your Iru tenant
iru-prd-managed-library-items.s3.amazonaws.com | 443 | TCP | macOS | Used by macOS devices to download Auto Apps
managed-library.kandji.io, managed-library.iru.com | 443 | TCP | macOS | Used by macOS devices to download Auto Apps
UUID.web-api.kandji.io, UUID.devices.iru.com | 443 | TCP | All | Used to communicate with Iru via the MDM protocol, and by the Kandji Agent. Domain is unique per Iru tenant
Device-specific domains for your tenant (see Org Name in Lower Left > Organization > Endpoint > Device Domains) | 443 | TCP | All | Used for the MDM Check-In URL and Kandji Agent communication. Domain is unique per Iru tenant
subdomain.web-api.kandji.io, uuid.devices.eu.iru.com | 443 | TCP | All | Used to download the MDM Enrollment Profile
subdomain.kandji.io, subdomain.iru.com | 443 | TCP | All | Used to access the Iru web app
subdomain.gateway.kandji.com, subdomain.gateway.iru.com | 443 | TCP | All | Used by the Iru web app to access Iru APIs
*.iot.kandji.io | 443 | TCP | All | Used for device telemetry communications
browser-intake-datadoghq.com | 443 | TCP | All | Used for release management and platform monitoring
events.launchdarkly.com | 443 | TCP | All | Used for release management and platform monitoring
windows-agent.kandji.io | 443 | TCP | Windows | Used to install and upgrade the agent on Windows
subdomain.id.iru.com, subdomain.id.connect.iru.com, subdomain.id.devices.iru.com, subdomain.id.gateway.iru.com | 443 | TCP | All | Access point for the Iru Identity API service serving US tenants. Within the Iru web app, it is used universally across all tenants, independent of Iru Workforce Identity licensing
updater.iru.com | 443 | TCP | All | Used for Iru Access downloads and updates

Active Directory Certificate Services Network Requirements (US)

For more information about the Active Directory Certificate Services integration, please see the AD CS overview support article.
Source | Destination | Destination domains | Port | Protocol | Description
AD CS Connector | Iru tenant | {subdomain}.kandji.io, {subdomain}.iru.com | 443 | TCP | Used during initial Connector setup when connecting the AD CS Connector to the customer’s Iru tenant
AD CS Connector | Auth0 | *.auth0.com | 443 | TCP | Multiple subdomains used for the initial WebView authentication to set up the Connector; not used for ongoing authentication
AD CS Connector | Auth0 | auth.kandji.io, auth.iru.com | 443 | TCP | Used when authenticating the AD CS Connector to the customer’s Iru tenant during initial setup and when initializing WebSocket communications
AD CS Connector | Iru tenant | {subdomain}.clients.us-1.kandji.io, {subdomain}.clients.us-1.iru.com | 443 | TCP | Used for API communications between the AD CS Connector and the customer’s Iru tenant
AD CS Connector | Iru AD CS service | adcsconn.kandji.io, adcsconn.iru.com | 443 | WebSocket | Used to facilitate certificate requests. This connection carries only communications between the Iru AD CS Connector and the customer’s Iru tenant in the context of fulfilling certificate requests
AD CS Connector | Windows AD CS | Windows AD CS CA server(s) in the customer’s environment | Random port in the 50000 range | MRPC | The Iru AD CS Connector communicates with Microsoft AD CS CA servers within the customer’s internal network when facilitating certificate requests. The port is chosen dynamically by the protocol
The UUID preceding .web-api.kandji.io and .web-api.iru.com is unique to every Iru tenant.

Determine Your Organization’s Unique Device Domains

Your unique device domains are used by enrolled devices to communicate with Iru via the MDM protocol and the Kandji Agent for macOS. You can view these unique domains by logging into your tenant and following these steps:

1. Navigate to Settings: click Settings on the left-hand navigation bar.
2. View Device Domains: on the General tab, you will see the Device Domains panel. These two domains are used by devices for MDM and Agent communication.

To determine the specific domain being used by an individual Mac computer, you can run the following command in Terminal:
system_profiler SPConfigurationProfileDataType | awk -v FS='(https://|/mdm)' '/CheckInURL/ {print $2}'

SSL/TLS Inspection

The Kandji macOS Agent uses certificate pinning, a common best practice, to ensure that it only communicates with trusted servers and that its traffic cannot be intercepted and inspected (MITM prevention). This may pose a challenge if your network or proxy administrator decrypts all SSL/TLS traffic by default. Ask your network administrator to exempt the two device domains in your tenant from inspection.
Note that even if you deploy your content filter’s CA as a trusted root CA on your macOS devices, SSL/TLS inspection will still prevent the Kandji Agent from communicating with Iru: pinning checks the server’s expected certificate, not whether the presented chain is trusted, so the certificate an inspecting proxy substitutes is rejected.

Platform-Specific Network Requirements

Apple Required Hosts & Ports

Apple devices require access to various Apple services for proper enrollment and management. For comprehensive Apple network requirements, refer to Apple’s official guide: Configure devices to work with APNs.
Destination Host | Ports | Purpose
Apple network (17.0.0.0/8) | TCP/443 | Device activation, and fallback if devices can’t reach APNs on port 5223
Apple network (17.0.0.0/8) | TCP/5223 | Primary communication with the Apple Push Notification service (APNs)
Apple network (17.0.0.0/8) | TCP/443 or 2197 | Send notifications from the device management service to APNs

TLS Versions and Cipher Suites

Per Apple’s Platform Security guide, built-in apps and services on macOS, iOS, tvOS, and iPadOS automatically prefer cipher suites with perfect forward secrecy. The same applies when a developer uses a high-level networking API such as CFNetwork, and the Kandji agent uses these high-level networking APIs. We encourage you to read Apple’s Platform Security Guide to better understand these features, especially its TLS network security section. As noted above, the domain used for MDM and agent communication is unique to your tenant (UUID.web-api.kandji.io and UUID.web-api.iru.com). You can inspect these domains with a tool such as the Qualys SSL Server Test to see which ciphers Iru currently supports.

Supported TLS Protocols

Iru supports the following TLS protocol versions:
  • TLS 1.2 - Yes (server negotiated using No-SNI)
  • TLS 1.1 - Yes
  • TLS 1.0 - Yes (server negotiated using No-SNI)
  • TLS 1.3 - No
  • SSL 3 - No
  • SSL 2 - No

Cipher Suites

TLS 1.2 in server preferred order

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA

TLS 1.1 in server preferred order

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

TLS 1.0 in server preferred order

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
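As an added example (not code from this article or from the Kandji agent), the following classifies the suites listed above by forward secrecy and AEAD, then computes which of them a strict client or egress-proxy policy would still negotiate; the policy flags are a constructed example, not an Iru or Apple setting.

```python
import re
# Server preferred order for TLS 1.2, copied from the list in this article.
TLS12_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# TLS 1.1 and TLS 1.0 offer the same four CBC-only suites.
TLS10_11_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# IANA naming: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mode>_<mac or PRF>.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>RSA|ECDSA))?_WITH_"
    r"(?P<cipher>AES_128|AES_256)_(?P<mode>GCM|CBC)_(?P<mac>SHA256|SHA384|SHA)$"
)

def classify(name):
    """Return (forward_secrecy, aead). Forward secrecy needs an ephemeral
    (EC)DHE key exchange; with static RSA, the server key decrypts captured
    sessions later. AEAD (GCM) avoids the CBC MAC-then-encrypt construction."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    return m["kx"] in ("ECDHE", "DHE"), m["mode"] == "GCM"

def negotiable(server_order, require_pfs=True, require_aead=True):
    """Suites the client policy accepts, in server preferred order (the server
    selects the first one it shares with the client)."""
    out = []
    for name in server_order:
        pfs, aead = classify(name)
        if (pfs or not require_pfs) and (aead or not require_aead):
            out.append(name)
    return out

if __name__ == "__main__":
    print(negotiable(TLS12_SUITES), negotiable(TLS10_11_SUITES))
```

Under a PFS-plus-AEAD policy the TLS 1.0 and 1.1 lists yield no common suite, so a client or proxy enforcing it can only connect over TLS 1.2, where the server would select TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.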