
IP Address Range for Apple MDM service?


I know that in order to use Profile Manager's MDM service I need to open ports 2195, 2196, 5223. From the documentation I can check which IP addresses are used when using Apple Push Notification Service:

The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 17.0.0.0/8 address block is assigned to Apple, so you can specify that range in your firewall rules.

This is for APNS, though. Are there any additional IP addresses that Apple uses when running the MDM service (Profile Manager, Enrollment, Device Management) that I might have missed?


Solution

  • Apple has mentioned the address block (17.0.0.0/8) used for the push service in order to create inbound/outbound rules for the entire address block in the firewall, if needed. You should use the hostname to set rules, because the hostname is a static entity whereas the IP for the push service can change dynamically.

    But the network address used by the MDM service differs based on the MDM server you are leveraging. If you are using AirWatch, their IP address block could be different. You can always use their hostname to set up filtering rules.

    Since you have mentioned you are using Profile Manager, look at this document.

    To use Profile Manager as a mobile device management (MDM) service, OS X Server should have a static Internet network address, and a fully qualified domain name, and it cannot be on an isolated network.

    The network address is the static IP address of the OS X server.
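
Added example, not part of the original question or answer: a small audit of firewall log lines that checks traffic on the push ports named above (2195, 2196, 5223) against the 17.0.0.0/8 block, flagging Apple-bound push traffic that was denied and push-port traffic allowed to destinations outside that block. The log format, the function name `audit_push_traffic` and all sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Values taken from the page: Apple's address block and the ports in the question.
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
PUSH_PORTS = {2195, 2196, 5223}

# Assumed (constructed) log format: "<ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)

# Constructed sample input, not real traffic.
SAMPLE_LOG = """\
ALLOW src=10.0.0.5 dst=17.149.36.10 dport=2195
DENY src=10.0.0.5 dst=17.172.232.46 dport=5223
ALLOW src=10.0.0.5 dst=203.0.113.7 dport=2196
ALLOW src=10.0.0.9 dst=198.51.100.20 dport=443
garbage line that does not parse
"""


def audit_push_traffic(log_text):
    """Return (line_number, finding, detail) tuples for push-port traffic."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            # Surface unparsed lines instead of silently skipping them.
            findings.append((lineno, "unparsed", line))
            continue
        if int(m["dport"]) not in PUSH_PORTS:
            continue  # not push-service traffic; out of scope for this check
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            findings.append((lineno, "bad-address", m["dst"]))
            continue
        in_block = dst in APPLE_BLOCK
        if in_block and m["action"] == "DENY":
            # The rule set is blocking the push service itself.
            findings.append((lineno, "push-blocked", str(dst)))
        elif not in_block and m["action"] == "ALLOW":
            # The push ports are open more widely than Apple's block.
            findings.append((lineno, "non-apple-destination", str(dst)))
    return findings
```
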