This page lists the China endpoints needed for proxy settings in your Intune deployments.
To manage devices behind firewalls and proxy servers, you must enable communication for Intune.
- The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols
- For some tasks (like downloading software updates), Intune requires unauthenticated proxy server access to manage.microsoft.com
You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.
Managed devices require configurations that let All Users access services through firewalls.
For more information about Windows auto-enrollment and device registration for U.S. customers, see Windows auto enrollment and device registration.
The following tables list the ports and services that the Intune client accesses:
| Endpoint | IP address |
|---|---|
| *.manage.microsoftonline.cn | 40.73.38.143, 139.217.97.81, 52.130.80.24, 40.73.41.162, 40.73.58.153, 139.217.95.85, 143.64.196.128/25, 40.162.2.128/25, 139.219.250.128/25, 163.228.221.128/25 |
Intune customer designated endpoints in China
- Azure portal: https://portal.azure.cn/
- Microsoft 365: https://portal.partner.microsoftonline.cn/
- Intune Company Portal: https://portal.manage.microsoftonline.cn/
- Microsoft Intune admin center: https://intune.microsoftonline.cn/
Network requirements for PowerShell scripts and Win32 apps
If you're using Intune to deploy PowerShell scripts or Win32 apps, you also need to grant access to the endpoints for the Azure Scale Unit (ASU) in which your tenant currently resides.
| Azure Scale Unit (ASU) | Storage name | CDN |
|---|---|---|
| CNPASU01 | sovereignprodimedatapri, sovereignprodimedatasec, sovereignprodimedatahotfix | imeswdsc-afd-pri.manage.microsoft.com, imeswdsc-afd-sec.manage.microsoft.com, imeswdsc-afd-hotfix.manage.microsoft.com |
Network requirements for macOS app and script deployments
If you're using Intune to deploy apps or scripts on macOS, you also need to grant access to the endpoints for the Azure Scale Unit (ASU) in which your tenant currently resides.
| Azure Scale Unit (ASU) | Storage Name | CDN |
|---|---|---|
| CNPASU01 | macsidecarap, macsidecarprodap | macsidecarap.manage.microsoft.com |
Partner service endpoints
Intune operated by 21Vianet depends on the following partner service endpoints:
- Azure AD Sync service: https://syncservice.partner.microsoftonline.cn/DirectoryService.svc
- Evo STS: https://login.chinacloudapi.cn/
- Azure AD Graph: https://graph.chinacloudapi.us
- MS Graph: https://microsoftgraph.chinacloudapi.cn
- ADRS: https://enterpriseregistration.partner.microsoftonline.cn
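The following Python script is an added example, not part of the original page: it checks firewall or proxy deny records against the addresses and hostnames listed on this page to find allowlist gaps on ports 80 and 443. The log format (`ACTION SRC DEST PORT`), the function names, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Addresses and ranges from the *.manage.microsoftonline.cn table row on this page.
INTUNE_CN_NETS = [ipaddress.ip_network(n) for n in (
    "40.73.38.143", "139.217.97.81", "52.130.80.24", "40.73.41.162",
    "40.73.58.153", "139.217.95.85", "143.64.196.128/25", "40.162.2.128/25",
    "139.219.250.128/25", "163.228.221.128/25")]

# Hostnames named on this page; only the first entry is a wildcard.
INTUNE_CN_HOSTS = (
    "*.manage.microsoftonline.cn", "manage.microsoft.com", "portal.azure.cn",
    "portal.partner.microsoftonline.cn", "intune.microsoftonline.cn",
    "login.chinacloudapi.cn", "graph.chinacloudapi.us",
    "microsoftgraph.chinacloudapi.cn", "syncservice.partner.microsoftonline.cn",
    "enterpriseregistration.partner.microsoftonline.cn",
    "imeswdsc-afd-pri.manage.microsoft.com", "imeswdsc-afd-sec.manage.microsoft.com",
    "imeswdsc-afd-hotfix.manage.microsoft.com", "macsidecarap.manage.microsoft.com")

def is_intune_cn(dest):
    """True if dest (IP literal or hostname) is an endpoint listed on this page."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        # Not an IP: normalise case and a trailing dot, then match whole names,
        # so a listed name used as a prefix of another domain does not match.
        host = dest.lower().rstrip(".")
        return any(fnmatchcase(host, p) for p in INTUNE_CN_HOSTS)
    return any(ip in net for net in INTUNE_CN_NETS)

def blocked_intune(lines):
    """Return (src, dest, port) for denied port 80/443 traffic to Intune endpoints."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:  # skip blank or malformed records
            continue
        action, src, dest, port = fields
        if action == "DENY" and port in ("80", "443") and is_intune_cn(dest):
            hits.append((src, dest, port))
    return hits

# Constructed sample records (assumed format: ACTION SRC DEST PORT).
SAMPLE_LOG = """\
DENY 10.1.4.22 40.73.38.143 443
DENY 10.1.4.22 143.64.196.200 443
ALLOW 10.1.4.23 portal.manage.microsoftonline.cn 443
DENY 10.1.4.30 login.chinacloudapi.cn 443
DENY 10.1.4.31 143.64.197.1 443
DENY 10.1.4.40 x.manage.microsoftonline.cn.example.net 443
""".splitlines()
```

Each tuple returned by `blocked_intune(SAMPLE_LOG)` is a connection the firewall or proxy dropped even though its destination is on this page's list.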
Windows Push Notification Services
On Intune-managed devices managed by using Mobile Device Management (MDM), Windows Push Notification Services (WNS) is required for device actions and other immediate activities. For more information, see Enterprise Firewall and Proxy Configurations to Support WNS Traffic.
Apple dependencies
For information about Apple specific endpoints, see the following resources:
- Use Apple products on enterprise networks
- TCP and UDP ports used by Apple software products
- About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes
- If your macOS and iOS/iPadOS clients aren't getting Apple push notifications