Created
December 15, 2021 23:06
-
-
Save applch/c0435239f14888b1fc0063a88dd994d7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Use Apple products on enterprise networks | |
| Learn which hosts and ports are required to use your Apple products on enterprise networks. | |
| This article is intended for enterprise and education network administrators. | |
| Apple products require access to the internet hosts in this article for a variety of services. Here's how your devices connect to hosts and work with proxies: | |
| Network connections to the hosts below are initiated by the device, not by hosts operated by Apple. | |
| Apple services will fail any connection that uses HTTPS Interception (SSL Inspection). If the HTTPS traffic traverses a web proxy, disable HTTPS Interception for the hosts listed in this article. | |
| Make sure your Apple devices can access the hosts listed below. | |
| Apple Push Notifications | |
| Learn how to troubleshoot connecting to the Apple Push Notification service (APNs). For devices that send all traffic through an HTTP proxy, you can configure the proxy either manually on the device or with a configuration profile. Beginning with macOS 10.15.5, devices can connect to APNs when configured to use the HTTP proxy with a proxy auto-config (PAC) file. | |
| Device setup | |
| Access to the following hosts might be required when setting up your device, or when installing, updating, or restoring the operating system. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| albert.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Device activation Yes | |
| captive.apple.com 443, 80 TCP iOS, iPadOS, tvOS, and macOS Internet connectivity validation for networks that use captive portals Yes | |
| gs.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Yes | |
| humb.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Yes | |
| static.ips.apple.com 443, 80 TCP iOS, iPadOS, tvOS, and macOS Yes | |
| sq-device.apple.com 443 TCP iOS and iPadOS eSIM activation — | |
| tbsc.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Yes | |
| time-ios.apple.com 123 UDP iOS, iPadOS, and tvOS Used by devices to set their date and time — | |
| time.apple.com 123 UDP iOS, iPadOS, tvOS, and macOS Used by devices to set their date and time — | |
| time-macos.apple.com 123 UDP macOS only Used by devices to set their date and time — | |
| Device Management | |
| Network access to the following hosts might be required for devices enrolled in Mobile Device Management (MDM). | |
| Hosts Ports Protocol OS Description Supports proxies | |
| *.push.apple.com 443, 80, 5223, 2197 TCP iOS, iPadOS, tvOS, and macOS Push notifications Learn more about APNs and proxies. | |
| deviceenrollment.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS DEP provisional enrollment — | |
| deviceservices-external.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS — | |
| gdmf.apple.com | |
| 443 TCP iOS, iPadOS, tvOS, and macOS Used by an MDM server to identify which software updates are available to devices that use managed software updates Yes | |
| identity.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS APNs certificate request portal Yes | |
| iprofiles.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment Yes | |
| mdmenrollment.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts Yes | |
| setup.icloud.com 443 TCP iOS and iPadOS Required to log in with a Managed Apple ID on Shared iPad — | |
| vpp.itunes.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device Yes | |
| Apple School Manager and Apple Business Manager | |
| Network access to the following hosts as well as the hosts in the App Store section is required for full functionality of Apple School Manager and Apple Business Manager. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| *.business.apple.com | |
| 443, 80 TCP - Apple Business Manager - | |
| *.school.apple.com 443, 80 TCP - Schoolwork Roster service - | |
| upload.appleschoolcontent.com 22 SSH - SFTP uploads Yes | |
| ws-ee-maidsvc.icloud.com 443, 80 TCP - Schoolwork Roster service - | |
| Apple Business Essentials device management | |
| Network access to the following hosts is required for full functionality of Apple Business Essentials device management. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| axm-adm-enroll.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS DEP enrollment server - | |
| axm-adm-mdm.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS MDM server - | |
| axm-adm-scep.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS SCEP server - | |
| axm-app.apple.com 443 TCP iOS, iPadOS, and macOS Used by Apple Business Essentials to view and manage apps and devices - | |
| Software updates | |
| Make sure you can access the following ports for updating macOS, apps from the Mac App Store, and for using content caching. | |
| macOS, iOS, iPadOS, watchOS, and tvOS | |
| Network access to the following hostnames is required for installing, restoring, and updating macOS, iOS, iPadOS, watchOS, and tvOS. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| appldnld.apple.com 80 TCP iOS, iPadOS, and watchOS iOS, iPadOS, and watchOS updates — | |
| configuration.apple.com 443 TCP macOS only Rosetta 2 updates — | |
| gdmf.apple.com 443 TCP iOS, iPadOS, tvOS, watchOS, and macOS Software update catalog — | |
| gg.apple.com 443, 80 TCP iOS, iPadOS, tvOS, watchOS, and macOS iOS, iPadOS, tvOS, watchOS, and macOS updates Yes | |
| gnf-mdn.apple.com 443 TCP macOS only macOS updates Yes | |
| gnf-mr.apple.com 443 TCP macOS only macOS updates Yes | |
| gs.apple.com 443, 80 TCP iOS, iPadOS, tvOS, watchOS, and macOS iOS, iPadOS, tvOS, watchOS, and macOS updates Yes | |
| ig.apple.com 443 TCP macOS only macOS updates Yes | |
| mesu.apple.com 443, 80 TCP iOS, iPadOS, tvOS, watchOS, and macOS Hosts software update catalogs — | |
| ns.itunes.apple.com 443 TCP iOS, iPadOS, and watchOS Yes | |
| oscdn.apple.com 443, 80 TCP macOS only macOS Recovery — | |
| osrecovery.apple.com 443, 80 TCP macOS only macOS Recovery — | |
| skl.apple.com 443 TCP macOS only macOS updates — | |
| swcdn.apple.com 80 TCP macOS only macOS updates — | |
| swdist.apple.com 443 TCP macOS only macOS updates — | |
| swdownload.apple.com 443, 80 TCP macOS only macOS updates Yes | |
| swscan.apple.com 443 TCP macOS only macOS updates — | |
| updates-http.cdn-apple.com 80 TCP iOS, iPadOS, tvOS, and macOS Software update downloads — | |
| updates.cdn-apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Software update downloads — | |
| xp.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Yes | |
| App Store | |
| Access to the following hosts might be required for updating apps. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| *.itunes.apple.com 443, 80 TCP iOS, iPadOS, tvOS, and macOS Store content such as apps, books, and music Yes | |
| *.apps.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Store content such as apps, books, and music Yes | |
| *.mzstatic.com 443 TCP iOS, iPadOS, tvOS, and macOS Store content such as apps, books, and music — | |
| itunes.apple.com 443, 80 TCP iOS, iPadOS, tvOS, and macOS Yes | |
| ppq.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Enterprise App validation — | |
| Carrier updates | |
| Cellular devices must be able to connect to the following hosts to install carrier bundle updates. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| appldnld.apple.com 80 TCP iOS and iPadOS Cellular carrier bundle updates — | |
| appldnld.apple.com.edgesuite.net 80 TCP iOS and iPadOS Cellular carrier bundle updates — | |
| itunes.com 80 TCP iOS and iPadOS Carrier bundle update discovery — | |
| itunes.apple.com 443 TCP iOS and iPadOS Carrier bundle update discovery — | |
| updates-http.cdn-apple.com 80 TCP iOS and iPadOS Cellular carrier bundle updates — | |
| updates.cdn-apple.com 443 TCP iOS and iPadOS Cellular carrier bundle updates — | |
| Content caching | |
| A Mac that provides content caching must be able to connect to the following hosts, as well as the hosts listed in this document that provide Apple content such as software updates, apps, and additional content. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| lcdn-registration.apple.com 443 TCP macOS only Server registration Yes | |
| suconfig.apple.com 80 TCP macOS only | |
| Configuration — | |
| xp-cdn.apple.com 443 TCP macOS only Reporting Yes | |
| Clients of macOS content caching must be able to connect to the following hosts. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| lcdn-locator.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Content caching locator service — | |
| serverstatus.apple.com | |
| 443 TCP macOS only Content caching client public IP determination — | |
| Apple Developer | |
| Access to the following hosts is required for app notarization and app validation. | |
| App notarization | |
| Starting with macOS 10.14.5, software is checked for notarization before it will run. In order for this check to succeed, a Mac must be able to access the same hosts listed in the Ensure Your Build Server Has Network Access section of Customizing the Notarization Workflow. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| 17.248.128.0/18 443 TCP macOS only Ticket delivery — | |
| 17.250.64.0/18 443 TCP macOS only Ticket delivery — | |
| 17.248.192.0/19 443 TCP macOS only Ticket delivery — | |
| App validation | |
| Hosts Ports Protocol OS Description Supports proxies | |
| *.appattest.apple.com 443 TCP iOS, iPadOS, and macOS App validation, Touch ID and Face ID authentication for websites - | |
| Feedback Assistant | |
| Feedback Assistant is an app used by developers and members of the beta software programs to report feedback to Apple. It uses the following hosts: | |
| Hosts Port Protocol OS Description Supports proxies | |
| bpapi.apple.com 443 TCP tvOS only Provides beta software updates Yes | |
| cssubmissions.apple.com | |
| 443 TCP iOS, iPadOS, tvOS, and macOS Used by Feedback Assistant to upload files | |
| Yes | |
| fba.apple.com | |
| 443 TCP iOS, iPadOS, tvOS, and macOS | |
| Used by Feedback Assistant to file and view feedback | |
| Yes | |
| Apple diagnostics | |
| Apple devices might access the following host in order to perform diagnostics used to detect a possible hardware issue. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| diagassets.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Used by Apple devices to help detect possible hardware issues Yes | |
| Domain Name System resolution | |
| In order to use encrypted Domain Name System (DNS) resolution in iOS 14, tvOS 14, and macOS Big Sur, the following host will be contacted. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| doh.dns.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Used for DNS over HTTPS (DoH) Yes | |
| Certificate validation | |
| Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts in this article. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| certs.apple.com 80, 443 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| crl.apple.com 80 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| crl.entrust.net 80 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| crl3.digicert.com 80 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| crl4.digicert.com 80 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| ocsp.apple.com 80 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| ocsp.digicert.cn 80 TCP iOS, iPadOS, tvOS, and macOS Certificate validation in China — | |
| ocsp.digicert.com 80 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| ocsp.entrust.net 80 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| ocsp2.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Certificate validation — | |
| valid.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Certificate validation Yes | |
| Apple ID | |
| Apple devices must be able to connect to the following hosts in order to authenticate an Apple ID. This is required for all services that use an Apple ID, such as iCloud, app installation, and Xcode. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| appleid.apple.com | |
| 443 TCP iOS, iPadOS, tvOS, and macOS | |
| Apple ID authentication in Settings and System Preferences | |
| Yes | |
| appleid.cdn-apple.com | |
| 443 TCP iOS, iPadOS, tvOS, and macOS | |
| Apple ID authentication in Settings and System Preferences | |
| Yes | |
| idmsa.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Apple ID authentication Yes | |
| gsa.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS Apple ID authentication Yes | |
| iCloud | |
| In addition to the Apple ID hosts listed above, Apple devices must be able to connect to hosts in the following domains to use iCloud services. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| *.apple-cloudkit.com 443 TCP iOS, iPadOS, tvOS, and macOS iCloud services — | |
| *.apple-livephotoskit.com 443 TCP iOS, iPadOS, tvOS, and macOS iCloud services — | |
| *.apzones.com 443 TCP iOS, iPadOS, tvOS, and macOS iCloud services in China — | |
| *.cdn-apple.com 443 TCP iOS, iPadOS, tvOS, and macOS iCloud services — | |
| *.gc.apple.com | |
| 443 TCP iOS, iPadOS, tvOS, and macOS | |
| iCloud services | |
| — | |
| *.icloud.com 443 TCP iOS, iPadOS, tvOS, and macOS iCloud services — | |
| *.icloud.com.cn | |
| 443 TCP iOS, iPadOS, tvOS, and macOS | |
| iCloud services in China | |
| — | |
| *.icloud.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS iCloud services — | |
| *.icloud-content.com 443 TCP iOS, iPadOS, tvOS, and macOS iCloud services — | |
| *.iwork.apple.com 443 TCP iOS, iPadOS, tvOS, and macOS iWork documents — | |
| mask.icloud.com 443 UDP iOS, iPadOS, macOS iCloud Private Relay No | |
| mask-h2.icloud.com 443 TCP iOS, iPadOS, macOS iCloud Private Relay No | |
| mask-api.icloud.com 443 TCP iOS, iPadOS, macOS iCloud Private Relay Yes | |
| Additional content | |
| Apple devices must be able to connect to the following hosts to download additional content. Some additional content might also be hosted on third-party content distribution networks. | |
| Hosts Ports Protocol OS Description Supports proxies | |
| audiocontentdownload.apple.com 80, 443 TCP iOS, iPadOS, and macOS GarageBand downloadable content — | |
| devimages-cdn.apple.com | |
| 80, 443 TCP macOS only Xcode downloadable components — | |
| download.developer.apple.com 80, 443 TCP macOS only Xcode downloadable components — | |
| playgrounds-assets-cdn.apple.com 443 TCP iPadOS and macOS Swift Playgrounds — | |
| playgrounds-cdn.apple.com 443 TCP iPadOS and macOS Swift Playgrounds — | |
| sylvan.apple.com | |
| 80, 443 TCP tvOS only | |
| Apple TV screen savers | |
| — | |
| Firewalls | |
| If your firewall supports using hostnames, you might be able to use most Apple services above by allowing outbound connections to *.apple.com. If your firewall can only be configured with IP addresses, allow outbound connections to 17.0.0.0/8. The entire 17.0.0.0/8 address block is assigned to Apple. | |
| HTTP proxy | |
| You can use Apple services through a proxy if you disable packet inspection and authentication for traffic to and from the listed hosts. Exceptions to this are noted above. Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy. | |
| Content Distribution Networks and DNS Resolution | |
| Some of the hosts listed in this article may have CNAME records in DNS instead of A or AAAA records. These CNAME records may refer to other CNAME records in a chain before ultimately resolving to an IP address. This DNS resolution allows Apple to provide fast and reliable content delivery to users in all regions and is transparent to devices and proxy servers. Apple doesn't publish a list of these CNAME records because they are subject to change. You shouldn't need to configure your firewall or proxy server to allow them as long as you don't block DNS lookups and allow access to the hosts and domains named above. | |
| Learn more | |
| See a list of TCP and UDP ports used by Apple software products. | |
| Find out which ports are used by Profile Manager in macOS Server. | |
| Learn about macOS, iOS, and iTunes server host connections and iTunes background processes. | |
| Customize the Notarization Workflow. | |
| Published Date: December 14, 2021 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment