Intune network configuration requirements and bandwidth

This guidance helps Intune admins understand the network requirements for the Intune service. You can use this information to understand bandwidth requirements and IP address and port settings needed for proxy settings.

Average network traffic

This table lists the approximate size and frequency of common content that travels across the network for each client.

Note

To ensure devices receive the updates and content from Intune, they must periodically connect to the Internet. The time required to receive updates or content can vary, but they should remain continuously connected to the Internet for at least one hour each day.

Content type Approximate size Frequency and details
Intune client installation

The following requirements are in addition to the Intune client installation
125 MB One time

The size of the client download varies depending on the operating system of the client computer.
Client enrollment package 15 MB One time

Additional downloads are possible when there are updates for this content type.
Endpoint Protection agent 65 MB One time

Additional downloads are possible when there are updates for this content type.
Operations Manager agent 11 MB One time

Additional downloads are possible when there are updates for this content type.
Policy agent 3 MB One time

Additional downloads are possible when there are updates for this content type.
Remote Assistance via Microsoft Easy Assist agent 6 MB One time

Additional downloads are possible when there are updates for this content type.
Daily client operations 6 MB Daily

The Intune client regularly communicates with the Intune service to check for updates and policies, and to report the client’s status to the service.
Endpoint Protection malware definition updates Varies

Typically 40 KB to 2 MB
Daily

Up to three times a day.
Endpoint Protection engine update 5 MB Monthly
Software updates Varies

The size depends on the updates you deploy.
Monthly

Typically, software updates release on the second Tuesday of each month.

A newly enrolled or deployed computer can use more network bandwidth while downloading the full set of previously released updates.
Service packs Varies

The size varies for each service pack you deploy.
Varies

Depends on when you deploy service packs.
Software distribution Varies

The size depends on the software you deploy.
Varies

Depends on when you deploy software.

Ways to reduce network bandwidth use

You can use one or more of the following methods to reduce network bandwidth use for Intune clients.

Use a proxy server to cache content requests

A proxy server can cache content to reduce duplicate downloads and reduce network bandwidth from content from the Internet.

A caching proxy server that receives content requests from clients can retrieve that content and cache both web responses and downloads. The server uses cached data to answer subsequent requests from clients.

The following are typical settings to use for a proxy server that caches content for Intune clients.

Setting Recommended value Details
Cache size 5 GB to 30 GB The value varies based on the number of client computers in your network and the configurations you use. To prevent files from being deleted too soon, adjust the size of the cache for your environment.
Individual cache file size 950 MB This setting might not be available in all caching proxy servers.
Object types to cache HTTP

HTTPS

BITS
Intune packages are CAB files retrieved by Background Intelligent Transfer Service (BITS) download over HTTP.

Note

If you use a proxy server to cache content requests, communication is only encrypted between the client and the proxy and from the proxy to Intune. The connection from the client to Intune will not be encrypted end-to-end.

For information about using a proxy server to cache content, see the documentation for your proxy server solution.

Use Background Intelligent Transfer Service (BITS) on computers

During hours that you configure, you can use BITS on a Windows computer to reduce the network bandwidth. You can configure BITS policy on the Network bandwidth page of the Intune Agent policy.

Note

For MDM management on Windows, only the OS’s management interface for the MobileMSI app type uses BITS to download. AppX/MsiX use their own non-BITS download stack and Win32 apps via the Intune agent use Delivery Optimization rather than BITS.

To learn more about BITS and Windows computers, see Background Intelligent Transfer Service in the TechNet Library.

Use BranchCache on computers

Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The following operating systems support BranchCache:

  • Windows 7
  • Windows 8.0
  • Windows 8.1
  • Windows 10

To use BranchCache, the client computer must have BranchCache enabled, and then be configured for distributed cache mode.

When the Intune client is installed on computers, BranchCache and distributed cache mode are enabled by default. However, if Group Policy has disabled BranchCache, Intune doesn't override that policy and BranchCache remains disabled.

If you use BranchCache, work with other administrators in your organization to manage Group Policy and Intune Firewall policy. Ensure they don't deploy policy that disables BranchCache or Firewall exceptions. For more about BranchCache, see BranchCache Overview.

Network communication requirements

Enable network communications between the devices you manage and the endpoints required for cloud-based services.

As a cloud-only service, Intune doesn't require on-premises infrastructure such as servers or gateways.

To manage devices behind firewalls and proxy servers, you must enable communication for Intune.

  • The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols
  • For some tasks (like downloading software updates), Intune requires unauthenticated proxy server access to manage.microsoft.com

You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.

Managed devices require configurations that let All Users access services through firewalls.

The following tables list the ports and services that the Intune client accesses:

Domains IP address
login.microsoftonline.com More information Office 365 URLs and IP address ranges
portal.manage.microsoft.com
m.manage.microsoft.com
52.175.12.209
20.188.107.228
52.138.193.149
51.144.161.187
52.160.70.20
52.168.54.64
sts.manage.microsoft.com 13.93.223.241
52.170.32.182
52.164.224.159
52.174.178.4
13.75.122.143
52.163.120.84
Manage.microsoft.com
i.manage.microsoft.com
r.manage.microsoft.com
a.manage.microsoft.com
p.manage.microsoft.com
EnterpriseEnrollment.manage.microsoft.com
EnterpriseEnrollment-s.manage.microsoft.com
40.83.123.72
13.76.177.110
52.169.9.87
52.174.26.23
104.40.82.191
13.82.96.212
fei.msua01.manage.microsoft.com
portal.fei.msua01.manage.microsoft.com
m.fei.msua01.manage.microsoft.com
fei.msua02.manage.microsoft.com
portal.fei.msua02.manage.microsoft.com
m.fei.msua02.manage.microsoft.com
fei.msua04.manage.microsoft.com
portal.fei.msua04.manage.microsoft.com
m.fei.msua04.manage.microsoft.com
fei.msua05.manage.microsoft.com
portal.fei.msua05.manage.microsoft.com
m.fei.msua05.manage.microsoft.com
fei.amsua0502.manage.microsoft.com
portal.fei.amsua0502.manage.microsoft.com
m.fei.amsua0502.manage.microsoft.com
fei.msua06.manage.microsoft.com
portal.fei.msua06.manage.microsoft.com
m.fei.msua06.manage.microsoft.com
fei.amsua0602.manage.microsoft.com
portal.fei.amsua0602.manage.microsoft.com
m.fei.amsua0602.manage.microsoft.com
fei.amsua0202.manage.microsoft.com
portal.fei.amsua0202.manage.microsoft.com
m.fei.amsua0202.manage.microsoft.com
fei.amsua0402.manage.microsoft.com
portal.fei.amsua0402.manage.microsoft.com
m.fei.amsua0402.manage.microsoft.com
52.160.70.20
52.168.54.64
fei.msub01.manage.microsoft.com
portal.fei.msub01.manage.microsoft.com
m.fei.msub01.manage.microsoft.com
fei.amsub0102.manage.microsoft.com
portal.fei.amsub0102.manage.microsoft.com
m.fei.amsub0102.manage.microsoft.com
fei.msub02.manage.microsoft.com
portal.fei.msub02.manage.microsoft.com
m.fei.msub02.manage.microsoft.com
fei.msub03.manage.microsoft.com
portal.fei.msub03.manage.microsoft.com
m.fei.msub03.manage.microsoft.com
fei.msub05.manage.microsoft.com
portal.fei.msub05.manage.microsoft.com
m.fei.msub05.manage.microsoft.com
fei.amsub0202.manage.microsoft.com
portal.fei.amsub0202.manage.microsoft.com
m.fei.amsub0202.manage.microsoft.com
fei.amsub0302.manage.microsoft.com
portal.fei.amsub0302.manage.microsoft.com
m.fei.amsub0302.manage.microsoft.com
52.138.193.149
51.144.161.187
fei.msuc01.manage.microsoft.com
portal.fei.msuc01.manage.microsoft.com
m.fei.msuc01.manage.microsoft.com
fei.msuc02.manage.microsoft.com
portal.fei.msuc02.manage.microsoft.com
m.fei.msuc02.manage.microsoft.com
fei.msuc03.manage.microsoft.com
portal.fei.msuc03.manage.microsoft.com
m.fei.msuc03.manage.microsoft.com
fei.msuc05.manage.microsoft.com
portal.fei.msuc05.manage.microsoft.com
m.fei.msuc05.manage.microsoft.com
52.175.12.209
20.188.107.228
fef.msua01.manage.microsoft.com 138.91.243.97
fef.msua02.manage.microsoft.com 52.177.194.236
fef.msua04.manage.microsoft.com 23.96.112.28
fef.msua05.manage.microsoft.com 138.91.244.151
fef.msua06.manage.microsoft.com 13.78.185.97
fef.msua07.manage.microsoft.com 52.175.208.218
fef.msub01.manage.microsoft.com 137.135.128.214
fef.msub02.manage.microsoft.com 137.135.130.29
fef.msub03.manage.microsoft.com 52.169.82.238
fef.msub05.manage.microsoft.com 23.97.166.52
fef.msuc01.manage.microsoft.com 52.230.19.86
fef.msuc02.manage.microsoft.com 23.98.66.118
fef.msuc03.manage.microsoft.com 23.101.0.100
fef.msuc05.manage.microsoft.com 52.230.16.180
fef.amsua0202.manage.microsoft.com 52.165.165.17
fef.amsua0402.manage.microsoft.com 40.69.157.122
fef.amsua0502.manage.microsoft.com 13.85.68.142
fef.amsua0602.manage.microsoft.com 52.161.28.64
fef.amsub0102.manage.microsoft.com 40.118.98.207
fef.amsub0202.manage.microsoft.com 40.69.208.122
fef.amsub0302.manage.microsoft.com 13.74.145.65
enterpriseregistration.windows.net 52.175.211.189
Admin.manage.microsoft.com 52.224.221.227
52.161.162.117
52.178.44.195
52.138.206.56
52.230.21.208
13.75.125.10
wip.mam.manage.microsoft.com 52.187.76.84
13.76.5.121
52.165.160.237
40.86.82.163
52.233.168.142
168.63.101.57
mam.manage.microsoft.com 104.40.69.125
13.90.192.78
40.85.174.177
40.85.77.31
137.116.229.43
52.163.215.232
52.174.102.180

Apple device network information

Used for Hostname (IP address/subnet) Protocol Port
Receiving Push notifications from Intune service via Apple Push Notification Service (APNS). See Apple’s documentation here gateway.push.apple.com (17.0.0.0/8) TCP 2195
Sending feedback to Intune service via Apple Push Notification Service (APNS) feedback.push.apple.com(17.0.0.0/8) TCP 2196
Retrieving and displaying content from Apple servers itunes.apple.com
*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
*.phobos.itunes-apple.com.akadns.net
HTTP 80
Communications with APNS servers #-courier.push.apple.com (17.0.0.0/8)
'#' is a random number from 0 to 50.
TCP 5223 and 443
Various functionality including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc. phobos.apple.com
ocsp.apple.com
ax.itunes.apple.com
ax.itunes.apple.com.edgesuite.net
HTTP/HTTPS 80 or 443

For more information, see Apple's TCP and UDP ports used by Apple software products, About macOS, iOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS clients aren't getting Apple push notifications.