
Primo MDM communicates with managed devices over HTTPS. When devices sit behind a corporate firewall or proxy, the endpoints below must be reachable outbound for enrollment, policy delivery, and push notifications to function.

Primo MDM server

Every Primo account has a dedicated MDM server URL:
[company slug].mdm.getprimo.com
Managed devices connect to this host for enrollment and to receive MDM commands. Allow outbound TCP 443 to this hostname.

Platform-specific endpoints

Apple MDM relies on the Apple Push Notification service (APNs) to wake devices when a command is pending. Without APNs access, devices do not receive MDM commands in real time.
| Host | Ports | Purpose |
| --- | --- | --- |
| *.push.apple.com | 443, 2197 | Push notifications (APNs) |
| albert.apple.com | 443 | Device activation |
| deviceenrollment.apple.com | 443 | Automated Device Enrollment (via ABM or ASM) |
| mdmenrollment.apple.com | 443 | MDM enrollment |
| iprofiles.apple.com | 443 | Configuration profile delivery |
Older networks that block non-standard HTTPS ports also require TCP 5223 outbound to *.push.apple.com. If you are unsure, allow it.
For a complete and up-to-date list of Apple hosts and ports, see Use Apple products on enterprise networks.

Summary

| Endpoint | Port | Required for |
| --- | --- | --- |
| [company slug].mdm.getprimo.com | 443 | All platforms |
| *.push.apple.com | 443, 2197 | Apple MDM push notifications |
| albert.apple.com | 443 | Apple device activation |
| deviceenrollment.apple.com | 443 | Apple automated enrollment |
| mdmenrollment.apple.com | 443 | Apple MDM enrollment |
| iprofiles.apple.com | 443 | Apple profile delivery |
All connections are outbound HTTPS from managed devices. No inbound firewall rules are required on the device side.

Advanced: specific routes

If you use a reverse proxy or firewall with path-level rules and prefer not to allowlist an entire domain, use the route-level allowlist below.

Devices roaming outside VPN or intranet

To manage devices that travel outside your VPN or intranet, expose only the osquery endpoints:
/api/osquery/*
/api/v1/osquery/*
| Route | Purpose |
| --- | --- |
| /mdm/apple/scep | Devices obtain a SCEP certificate |
| /mdm/apple/mdm | Devices communicate using the MDM protocol |
| /api/mdm/apple/enroll | Devices fetch an enrollment profile (automated enrollment) |
| /api/*/fleet/device/* | End users access their device page (manual enrollment profile, disk encryption key rotation) |
| /mdm/sso, /api/*/fleet/mdm/sso, /mdm/sso/callback, /api/*/fleet/mdm/sso/callback, /assets/* | End user IdP authentication during out-of-the-box setup (if required) |
| /api/*/fleet/mdm/setup/eula/* | End user EULA agreement during out-of-the-box setup (if required) |
| /api/*/fleet/mdm/bootstrap | Bootstrap package installation during out-of-the-box setup (if applicable) |
/mdm/apple/scep and /mdm/apple/mdm sit outside the /api path because they implement non-RESTful Apple MDM protocols, not standard API endpoints.
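As an added example (not Primo's own code), the route-level allowlist above and the osquery routes for roaming devices can be turned into an anchored matcher, useful for validating a proxy's path rules or for checking request logs against the intended allowlist. It assumes wildcard semantics the page does not spell out: an interior `*` matches exactly one path segment (such as the API version), and a trailing `*` matches the rest of the path.

```python
import re
from typing import Iterable

# Routes copied from the allowlist tables on this page.
APPLE_MDM_ROUTES = [
    "/mdm/apple/scep",
    "/mdm/apple/mdm",
    "/api/mdm/apple/enroll",
    "/api/*/fleet/device/*",
    "/mdm/sso", "/api/*/fleet/mdm/sso",
    "/mdm/sso/callback", "/api/*/fleet/mdm/sso/callback", "/assets/*",
    "/api/*/fleet/mdm/setup/eula/*",
    "/api/*/fleet/mdm/bootstrap",
]
OSQUERY_ROUTES = ["/api/osquery/*", "/api/v1/osquery/*"]


def route_to_regex(route: str) -> re.Pattern:
    """Translate one allowlist route into an anchored regular expression.

    Assumed semantics (not stated by the page): an interior "*" matches a
    single path segment, a trailing "*" matches the remainder of the path.
    """
    parts = route.split("*")
    pattern = ""
    for i, literal in enumerate(parts):
        pattern += re.escape(literal)
        if i == len(parts) - 1:
            break
        is_trailing = i == len(parts) - 2 and parts[-1] == ""
        pattern += r".*" if is_trailing else r"[^/]+"
    return re.compile(r"\A" + pattern + r"\Z")


class RouteAllowlist:
    def __init__(self, routes: Iterable[str]):
        self._patterns = [route_to_regex(r) for r in routes]

    def allows(self, path: str) -> bool:
        # Match on the path only (query string dropped) and reject dot
        # segments so a traversal-style path is not matched literally.
        path = path.split("?", 1)[0]
        if any(seg in ("..", ".") for seg in path.split("/")):
            return False
        return any(p.match(path) for p in self._patterns)
```

Run the matcher over a proxy's access-log paths to find requests that the path-level rules would block, or to confirm that nothing outside these routes is being forwarded.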

SCEP proxy

If you use Primo as a SCEP proxy:
/mdm/scep/proxy/*

mTLS

The /api/*/fleet/* routes used by the Primo agent support mutual TLS (mTLS) using the certificate provided during agent packaging. The /mdm/apple/mdm and /api/mdm/apple/enroll endpoints support mTLS using the SCEP certificate issued by the Primo server. The following endpoints do not use mTLS:
/mdm/apple/scep
/api/mdm/microsoft/discovery
/api/mdm/microsoft/auth
/api/mdm/microsoft/policy
/api/mdm/microsoft/enroll
/api/mdm/microsoft/management
/api/mdm/microsoft/tos
For macOS and Windows, the MDM client sends the client certificate in a request header. The Primo server then verifies this certificate independently.