Prerequisite & Connectivity Scan

This document provides help and recommendations for all system prerequisite, port, and connectivity checks relevant to RHEL 8 and RHEL 9 installation servers.

System Time Not Synchronized

  • Ensure the system clock is synchronized with a time server (NTP).
  • Recommended (chrony):
    sudo dnf install -y chrony   # or: sudo yum install -y chrony
    sudo systemctl enable --now chronyd
    sudo systemctl status chronyd
    chronyc tracking
  • Verification: After running chronyc tracking, check that "Leap status" is "Normal" and "Last offset" is close to zero. This confirms your system clock is synchronized.
  • Alternate (ntpd):
    sudo dnf install -y ntp      # or: sudo yum install -y ntp
    sudo systemctl enable --now ntpd
    sudo systemctl status ntpd
    ntpq -p
  • Verification (ntpd): After running ntpq -p, ensure the remote NTP servers are listed and the reach/offset values indicate successful synchronization. The systemctl status ntpd command should show the service as active (running).
  • If using a corporate NTP server, update /etc/chrony.conf or /etc/ntp.conf accordingly.

Insufficient Disk Space

  • Ensure at least 32 GB of free disk space (64 GB recommended).
  • Check disk space:
    df -h /
    du -sh /var/*
  • Clean up unused files, clear package cache:
    Warning: Before running the following commands, ensure a backup or snapshot of your system is available in case you need to restore any removed data.
    sudo dnf clean all   # or: sudo yum clean all
    sudo rm -rf /var/cache/dnf  # or: sudo rm -rf /var/cache/yum
  • Expand disk or move data to another partition if needed.

Insufficient Memory

  • Ensure at least 8 GB RAM (16 GB recommended).
  • Check memory:
    free -h
  • Stop unnecessary services or applications.
  • Add swap space if needed:
    sudo fallocate -l 4G /swapfile
    sudo chmod 600 /swapfile
    sudo mkswap /swapfile
    sudo swapon /swapfile
    echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
    
  • Upgrade system memory if possible.

Insufficient CPU Cores

  • Ensure at least 4 CPU cores (8 recommended).
  • Check CPU:
    nproc
    lscpu
    
  • Allocate more vCPUs (if VM) or upgrade hardware if needed.

Port 443 (HTTPS) Not Open

  • Ensure port 443 is open for secure HTTPS traffic.
  • Check if port 443 is listening:
    sudo ss -tuln | grep ':443'
    sudo netstat -tuln | grep ':443'
  • Check firewall rules:
    sudo firewall-cmd --list-all
    sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
    sudo firewall-cmd --reload
  • If SELinux is enabled:
    sudo semanage port -l | grep 443
    sudo semanage port -a -t http_port_t -p tcp 443   # only if 443 is not already listed above; -a fails on an already-defined port

Port 5671 (AMQP over TLS) Not Open

  • Ensure port 5671 is open for AMQP messaging over TLS.
  • Check if port 5671 is listening:
    sudo ss -tuln | grep ':5671'
    sudo netstat -tuln | grep ':5671'
  • Check firewall rules:
    sudo firewall-cmd --zone=public --add-port=5671/tcp --permanent
    sudo firewall-cmd --reload
  • If SELinux is enabled:
    sudo semanage port -l | grep 5671
    sudo semanage port -a -t amqp_port_t -p tcp 5671   # only if 5671 is not already listed above; -a fails on an already-defined port

Port 8443 (MCM HTTPS) Not Open

  • Ensure port 8443 is open for Mobile Client Management over HTTPS.
  • Check if port 8443 is listening:
    sudo ss -tuln | grep ':8443'
    sudo netstat -tuln | grep ':8443'
  • Check firewall rules:
    sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
    sudo firewall-cmd --reload
  • If SELinux is enabled:
    sudo semanage port -l | grep 8443
    sudo semanage port -a -t http_port_t -p tcp 8443   # only if 8443 is not already listed above; -a fails on an already-defined port

Port 52311 (BigFix UDP) Not Open

  • Ensure UDP port 52311 is open for BigFix communication.
  • Check if port 52311 is listening:
    sudo ss -uln | grep ':52311'
    sudo netstat -uln | grep ':52311'
  • Check firewall rules:
    sudo firewall-cmd --zone=public --add-port=52311/udp --permanent
    sudo firewall-cmd --reload
  • If SELinux is enabled:
    sudo semanage port -l | grep 52311
    sudo semanage port -a -t bigfix_port_t -p udp 52311
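
The listener checks in the four port sections above can be combined into one exact-match check. This is an added example, not part of the original document or the product: the names port_status, report and SAMPLE_SS are this example's own, and the ss output is constructed sample data. Unlike grep ':443', it does not match :4430, and it flags listeners bound only to loopback, which remote clients cannot reach.

```bash
#!/usr/bin/env bash
# Added example: exact-match listener check for the ports this page requires.

REQUIRED_PORTS="tcp/443 tcp/5671 tcp/8443 udp/52311"

# Constructed sample of `ss -tuln` output (not captured from a real server).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:52311      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:4430       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8443     0.0.0.0:*
tcp   LISTEN 0      128    [::]:5671          [::]:*'

# port_status PROTO PORT -- reads `ss -tuln` output on stdin and prints one of:
#   reachable      a listener is bound to a non-loopback address
#   loopback-only  listeners exist, but only on 127.0.0.0/8 or ::1
#   not-listening  no socket is bound to exactly this protocol and port
port_status() {
  awk -v proto="$1" -v port="$2" '
    $1 == proto {
      addr = $5
      n = match(addr, /:[^:]*$/)            # last colon splits address from port
      if (n == 0 || substr(addr, n + 1) != port) next   # exact port: 4430 is not 443
      host = substr(addr, 1, n - 1)
      if (host ~ /^127\./ || host == "[::1]") loop = 1; else ext = 1
    }
    END { print (ext ? "reachable" : (loop ? "loopback-only" : "not-listening")) }
  '
}

# report SS_OUTPUT -- one line per required port.
report() {
  for p in $REQUIRED_PORTS; do
    printf '%-10s %s\n' "$p" "$(printf '%s\n' "$1" | port_status "${p%/*}" "${p#*/}")"
  done
}

# Uses the constructed sample; on a server, call: report "$(sudo ss -tuln)"
report "$SAMPLE_SS"
```

A port reported as reachable here still needs the firewall-cmd and SELinux steps above before remote clients can connect.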

Note: The following applies to all outbound access check sections below. Not all URLs expose APIs. Some endpoints may return HTTP 404 Not Found, which still confirms that network connectivity is working.

Apple Outbound Connectivity Checks

Checks outbound connectivity to Apple services required for Apple MDM functionality.
  • Apple Push Notification API (api.push.apple.com)
  • Apple MDM Enrollment Service (mdmenrollment.apple.com)
  • Apple VPP Service (vpp.itunes.apple.com)
  • Apple Device Service (deviceenrollment.apple.com)
  • How to test connectivity (from RHEL):
    curl -v https://api.push.apple.com
    curl -v https://mdmenrollment.apple.com
    curl -v https://vpp.itunes.apple.com
    curl -v https://deviceenrollment.apple.com
  • Ensure outbound HTTPS access is allowed to these endpoints.
  • Check firewall, proxy, or DNS settings if any are blocked.

Windows Outbound Access Scan

Checks outbound connectivity to Microsoft services required for Windows MDM functionality.
  • Windows Notification Service (*.notify.windows.com)
  • Windows Notification Service for clients (*.wns.windows.com)
  • Microsoft Identity Service (login.microsoftonline.com)
  • Microsoft Live Service (login.live.com)
  • How to test connectivity (from RHEL):
    curl -v https://bn1.notify.windows.com
    curl -v https://bn2.wns.windows.com
    curl -v https://login.microsoftonline.com
    curl -v https://login.live.com
  • Ensure outbound HTTPS access is allowed to these endpoints.
  • Check firewall, proxy, or DNS settings if any are blocked.

Android Outbound Connectivity Scan

Checks outbound connectivity to Google APIs required for Android MDM functionality.
  • Cloud Resource Manager API (cloudresourcemanager.googleapis.com)
  • OAuth API (oauth2.googleapis.com)
  • Android Management API (androidmanagement.googleapis.com)
  • Identity and Access Management API (iam.googleapis.com)
  • Pub/Sub API (pubsub.googleapis.com)
  • How to test connectivity (from RHEL):
    curl -v https://cloudresourcemanager.googleapis.com
    curl -v https://oauth2.googleapis.com
    curl -v https://androidmanagement.googleapis.com
    curl -v https://iam.googleapis.com
    curl -v https://pubsub.googleapis.com
  • Ensure outbound HTTPS access is allowed to these endpoints.
  • Check firewall, proxy, or DNS settings if any are blocked.
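
The curl checks in the three outbound sections above can be scripted so that each failure is attributed to DNS, the firewall, or TLS rather than just "blocked". This is an added example, not part of the original document or the product: the function names classify and check and the --live switch are this example's own, and the hostnames are the ones listed above.

```bash
#!/usr/bin/env bash
# Added example: outbound HTTPS check that reports why a host failed.

HOSTS="api.push.apple.com mdmenrollment.apple.com vpp.itunes.apple.com
deviceenrollment.apple.com bn1.notify.windows.com bn2.wns.windows.com
login.microsoftonline.com login.live.com cloudresourcemanager.googleapis.com
oauth2.googleapis.com androidmanagement.googleapis.com iam.googleapis.com
pubsub.googleapis.com"

# classify CURL_EXIT HTTP_CODE -- maps a curl result to a one-word verdict.
classify() {
  case "$1" in
    0)   if [ "$2" = "000" ]; then echo "no-http-response"
         else echo "reachable"         # any status, 404 included, proves the path works
         fi ;;
    5|6) echo "dns-failure" ;;         # proxy name or host name did not resolve
    7)   echo "connect-failed" ;;      # refused or rejected: firewall or routing
    28)  echo "timeout" ;;             # packets silently dropped on the way
    35)  echo "tls-handshake-failed" ;;
    60)  echo "tls-untrusted-cert" ;;  # often a TLS-inspecting proxy; do not mask with -k
    *)   echo "curl-error-$1" ;;
  esac
}

# check HOST -- run curl with certificate verification on and classify the outcome.
check() {
  code=$(curl -sS -o /dev/null --connect-timeout 10 --max-time 20 \
              -w '%{http_code}' "https://$1" 2>/dev/null)
  rc=$?
  printf '%-40s %s (curl=%s http=%s)\n' "$1" "$(classify "$rc" "$code")" "$rc" "$code"
}

# Only touch the network when asked to: ./outbound-check.sh --live
if [ "${1:-}" = "--live" ]; then
  for h in $HOSTS; do check "$h"; done
fi
```

A tls-untrusted-cert verdict means the certificate presented on the path did not chain to a CA in the system trust store, so check for an intercepting proxy before changing anything on the server.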