Network endpoints for Microsoft Intune

This page lists IP addresses and port settings needed for proxy settings in your Intune deployments.

As a cloud-only service, Intune doesn't require on-premises infrastructure such as servers or gateways.

Access for managed devices

To manage devices behind firewalls and proxy servers, you must enable communication for Intune.


The information in this section also applies to the Microsoft Intune Certificate Connector. The connector has the same network requirements as managed devices.

  • The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols. Windows Information Protection uses port 444.
  • For some tasks (like downloading software updates for the classic pc agent), Intune requires unauthenticated proxy server access to

You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.

Managed devices require configurations that let All Users access services through firewalls.

The following tables list the ports and services that the Intune client accesses:

Domains | IP address
More information | Office 365 URLs and IP address ranges

Network requirements for PowerShell scripts and Win32 apps

If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to endpoints in which your tenant currently resides.

To find your tenant location (or Azure Scale Unit (ASU)), sign in to the Microsoft Endpoint Manager admin center, choose Tenant administration > Tenant details. The location is under Tenant location as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row will tell you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location will be one of these three regions although your organization's actual geographic location might be elsewhere.

Azure Scale Unit (ASU) | Storage name | CDN

Windows Push Notification Services (WNS)

For Intune-managed Windows devices managed using Mobile Device Management (MDM), device actions and other immediate activities require the use of Windows Push Notification Services (WNS). For more information, see Allowing Windows Notification traffic through enterprise firewalls.

Delivery Optimization port requirements

Port requirements

For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.

Proxy requirements

To use Delivery Optimization, you must allow Byte Range requests. For more information, see Proxy requirements for Windows Update.
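One way to verify the Byte Range requirement above from a client behind the proxy, as an added example that is not Microsoft's code: it sends a ranged GET and classifies the answer. The function names are hypothetical, and the URL and proxy address passed to `probe` are whatever test object and proxy you choose.

```python
import re
import urllib.error
import urllib.request

def classify_range_response(status, headers, body_len, start, end):
    """Say whether a response shows the Range header survived the proxy path."""
    if status == 206:
        m = re.match(r"bytes (\d+)-(\d+)/(\d+|\*)$", headers.get("Content-Range") or "")
        if m:
            first, last = int(m.group(1)), int(m.group(2))
            # A server may clamp `last` when the object is shorter than requested.
            if first == start and last <= end and body_len == last - first + 1:
                return "range-honoured"
        return "range-mangled"        # 206 without a matching Content-Range/length
    if status == 200:
        return "range-ignored"        # whole object sent: Range stripped or unsupported
    if status == 416:
        return "range-unsatisfiable"  # Range arrived; object is shorter than `start`
    return "blocked-or-error"

def probe(url, start=0, end=1023, proxy=None, timeout=10):
    """Request bytes start..end of `url`. With proxy=None urllib uses the
    proxy settings from the environment; otherwise the given proxy URL."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, headers={"Range": f"bytes={start}-{end}"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(end - start + 2)   # at most one byte past the range
            return classify_range_response(resp.status, resp.headers, len(body), start, end)
    except urllib.error.HTTPError as err:
        return classify_range_response(err.code, err.headers, 0, start, end)
    except (urllib.error.URLError, OSError):
        return "blocked-or-error"

# Constructed sample responses (not captured traffic) for an offline run.
SAMPLES = [
    (206, {"Content-Range": "bytes 0-1023/52428800"}, 1024),  # proxy passes Range
    (200, {}, 1025),                                          # proxy dropped Range
    (206, {}, 1024),                                          # 206, header removed
]

if __name__ == "__main__":
    for status, headers, n in SAMPLES:
        print(status, classify_range_response(status, headers, n, 0, 1023))
```

A `range-ignored` result through the proxy, paired with `range-honoured` for the same URL on a direct path, points at the proxy rather than the origin server.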

Firewall requirements

Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service:

  • **

For Delivery Optimization metadata:

  • **
  • **

Apple device network information

Used for | Hostname (IP address/subnet) | Protocol | Port
Retrieving and displaying content from Apple servers
Communications with APNS servers
'#' is a random number from 0 to 50.
TCP | 5223 and 443
Various functionalities including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc.
HTTP/HTTPS | 80 or 443

For more information, see Apple's TCP and UDP ports used by Apple software products, About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS/iPadOS clients aren't getting Apple push notifications.

Android port information

Depending on how you choose to manage Android devices, you may need to open the Google Android Enterprise ports and/or the Android push notification. For more information on Android management methods supported, see the Android enrollment documentation.

Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as SafetyNet device attestation, Managing apps from the Google Play Store, Android Enterprise capabilities (see this Google documentation). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this article.

Google Android Enterprise

Google provides documentation of required network ports and destination host names in their Android Enterprise Bluebook, under the Firewall section of that document.

Android push notification

Intune leverages Google Firebase Cloud Messaging (FCM) for push notification to trigger device actions and check-ins. This is required by both Android Device Administrator and Android Enterprise. For information on FCM network requirements, see Google's FCM ports and your firewall.

Endpoint analytics

For more information on the required endpoints for endpoint analytics, see Endpoint analytics proxy configuration.