Symantec Endpoint Protection (SEP) for Mac installation fails, or the installer is unable to enable its "System Extensions", on dark-network clients or when the required hosts and ports are not reachable (on-premises package).
Applies to a Mac on a dark network, or when the connection fails because HTTPS traffic traverses WSS, an HTTPS-intercepting proxy (SSL inspection), or another web proxy.
Apple products require access to the internet hosts in this article for a variety of services. During SEP installation, macOS attempts to activate the System Extension and validate its signing certificates, so the Mac must be able to reach Apple's certificate-validation (OCSP and CRL) hosts listed below.
Here's how your devices connect to hosts and work with proxies:
Make sure your Apple devices can access the hosts listed below. As a first check, verify from the affected Mac that ocsp.apple.com, ocsp.digicert.cn, ocsp.digicert.com, ocsp.entrust.net and ocsp2.apple.com are reachable on the ports listed.
Apple devices must be able to connect to the following hosts to validate the digital certificates used by the hosts in this article.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
certs.apple.com | 80, 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
crl.apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
crl.entrust.net | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
crl3.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
crl4.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
ocsp.apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
ocsp.digicert.cn | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation in China | — |
ocsp.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
ocsp.entrust.net | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
ocsp2.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
valid.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | Yes |
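The following shell script is added here as a worked example of the first check above (it is not part of the Apple or Symantec article). It expands each row of the certificate-validation table into individual TCP connection tests and, for the HTTPS hosts, prints the issuer of the certificate the Mac actually receives: a TCP connection that succeeds but returns a certificate issued by your proxy's CA means the traffic is being intercepted, which is exactly the condition the proxy note at the end of this article warns about. It assumes the `nc` and `openssl` binaries bundled with macOS; the host table is copied from the table above.

```shell
#!/bin/sh
# Added example: check reachability of Apple's certificate-validation hosts from a Mac.
# Not part of the Apple/Symantec article. Assumes the macOS-bundled `nc` and `openssl`.

# Host table copied from the article, in "host|ports|protocol" form.
CERT_HOSTS='certs.apple.com|80, 443|TCP
crl.apple.com|80|TCP
crl.entrust.net|80|TCP
crl3.digicert.com|80|TCP
crl4.digicert.com|80|TCP
ocsp.apple.com|80|TCP
ocsp.digicert.cn|80|TCP
ocsp.digicert.com|80|TCP
ocsp.entrust.net|80|TCP
ocsp2.apple.com|443|TCP
valid.apple.com|443|TCP'

# normalize_ports "80, 443" -> "80 443": the article writes port lists comma-separated.
normalize_ports() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# expand_table: read "host|ports|proto" lines on stdin, emit "host port proto", one per port.
expand_table() {
    while IFS='|' read -r host ports proto; do
        [ -n "$host" ] || continue
        for port in $(normalize_ports "$ports"); do
            printf '%s %s %s\n' "$host" "$port" "$proto"
        done
    done
}

# count_checks: how many (host, port) pairs the table expands to.
count_checks() {
    printf '%s\n' "$CERT_HOSTS" | expand_table | wc -l | tr -d ' '
}

# check_tcp host port: succeed if a TCP connection opens within 5 seconds.
# -G (connect timeout) is macOS nc syntax; on Linux use `nc -z -w 5` instead.
check_tcp() {
    nc -z -G 5 -w 5 "$1" "$2" >/dev/null 2>&1
}

# tls_issuer host: issuer DN of the leaf certificate presented on :443. If this names
# your proxy's CA rather than an Apple, DigiCert or Entrust CA, the connection is being
# intercepted and the host must be exempted from SSL inspection.
tls_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null | sed 's/^issuer=//'
}

# run_checks: one status line per (host, port); an issuer line for reachable HTTPS hosts.
run_checks() {
    printf '%s\n' "$CERT_HOSTS" | expand_table | while read -r host port proto; do
        if check_tcp "$host" "$port"; then status=OK; else status=FAIL; fi
        printf '%-4s %-22s %s/%s\n' "$status" "$host" "$port" "$proto"
        if [ "$status" = OK ] && [ "$port" = 443 ]; then
            printf '     issuer: %s\n' "$(tls_issuer "$host")"
        fi
    done
}

# Usage: sh check-apple-cert-hosts.sh --run
case "${1:-}" in
    --run) run_checks ;;
esac
```

Run it with `--run` on the affected Mac. A `FAIL` on a host confirms the dark-network case; an `OK` whose issuer line is not an Apple, DigiCert or Entrust CA confirms the SSL-inspection case. If your network only allows egress through a proxy, the direct `nc` test will fail by design; in that case test the same hosts with `curl -I` while `https_proxy` is set and look at the certificate issuer the same way.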
Apple devices must be able to connect to the following hosts in order to authenticate an Apple ID. This is required for all services that use an Apple ID, such as iCloud, app installation, and Xcode.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
appleid.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication in Settings and System Preferences | Yes |
appleid.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication in Settings and System Preferences | Yes |
idmsa.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication | Yes |
gsa.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication | Yes |
Access to the following hosts might be required when setting up your device, or when installing, updating, or restoring the operating system.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
albert.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Device activation | Yes |
captive.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals | Yes |
gs.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | — | Yes |
humb.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | — | Yes |
static.ips.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | — | Yes |
sq-device.apple.com | 443 | TCP | iOS and iPadOS | eSIM activation | — |
tbsc.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | — | Yes |
time-ios.apple.com | 123 | UDP | iOS, iPadOS, and tvOS | Used by devices to set their date and time | — |
time.apple.com | 123 | UDP | iOS, iPadOS, tvOS, and macOS | Used by devices to set their date and time | — |
time-macos.apple.com | 123 | UDP | macOS only | Used by devices to set their date and time | — |
Network access to the following hosts might be required for devices enrolled in Mobile Device Management (MDM).
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, iPadOS, tvOS, and macOS | Push notifications | Learn more about APNs and proxies. |
deviceenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP provisional enrollment | — |
deviceservices-external.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | — | — |
gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by an MDM server to identify which software updates are available to devices that use managed software updates | Yes |
identity.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | APNs certificate request portal | Yes |
iprofiles.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
mdmenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts | Yes |
setup.icloud.com | 443 | TCP | iOS and iPadOS | Required to log in with a Managed Apple ID on Shared iPad | — |
vpp.itunes.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device | Yes |
Network access to the following hosts as well as the hosts in the App Store section is required for full functionality of Apple School Manager and Apple Business Manager.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.business.apple.com | 443, 80 | TCP | - | Apple Business Manager | — |
*.school.apple.com | 443, 80 | TCP | - | Schoolwork Roster service | — |
upload.appleschoolcontent.com | 22 | SSH | - | SFTP uploads | Yes |
ws-ee-maidsvc.icloud.com | 443, 80 | TCP | - | Schoolwork Roster service | — |
Network access to the following hosts is required for full functionality of Apple Business Essentials device management.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
axm-adm-enroll.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP enrollment server | — |
axm-adm-mdm.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM server | — |
axm-adm-scep.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | SCEP server | — |
axm-app.apple.com | 443 | TCP | iOS, iPadOS, and macOS | Used by Apple Business Essentials to view and manage apps and devices | — |
Make sure you can access the following hosts and ports for updating macOS, apps from the Mac App Store, and for using content caching.
Network access to the following hostnames is required for installing, restoring, and updating macOS, iOS, iPadOS, watchOS, and tvOS.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
appldnld.apple.com | 80 | TCP | iOS, iPadOS, and watchOS | iOS, iPadOS, and watchOS updates | — |
configuration.apple.com | 443 | TCP | macOS only | Rosetta 2 updates | — |
gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Software update catalog | — |
gg.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | iOS, iPadOS, tvOS, watchOS, and macOS updates | Yes |
gnf-mdn.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
gnf-mr.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
gs.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | iOS, iPadOS, tvOS, watchOS, and macOS updates | Yes |
ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
mesu.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Hosts software update catalogs | — |
ns.itunes.apple.com | 443 | TCP | iOS, iPadOS, and watchOS | — | Yes |
oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | — |
osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | — |
skl.apple.com | 443 | TCP | macOS only | macOS updates | — |
swcdn.apple.com | 80 | TCP | macOS only | macOS updates | — |
swdist.apple.com | 443 | TCP | macOS only | macOS updates | — |
swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
swscan.apple.com | 443 | TCP | macOS only | macOS updates | — |
updates-http.cdn-apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | — |
updates.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | — |
xp.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | — | Yes |
App Store
Access to the following hosts might be required for updating apps.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.itunes.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
*.apps.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
*.mzstatic.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | — |
itunes.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | — | Yes |
ppq.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Enterprise App validation | — |
Cellular devices must be able to connect to the following hosts to install carrier bundle updates.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
appldnld.apple.com | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
appldnld.apple.com.edgesuite.net | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
itunes.com | 80 | TCP | iOS and iPadOS | Carrier bundle update discovery | — |
itunes.apple.com | 443 | TCP | iOS and iPadOS | Carrier bundle update discovery | — |
updates-http.cdn-apple.com | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
updates.cdn-apple.com | 443 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
A Mac that provides content caching must be able to connect to the following hosts, as well as the hosts listed in this document that provide Apple content such as software updates, apps, and additional content.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
lcdn-registration.apple.com | 443 | TCP | macOS only | Server registration | Yes |
suconfig.apple.com | 80 | TCP | macOS only | Configuration | — |
xp-cdn.apple.com | 443 | TCP | macOS only | Reporting | Yes |
Clients of macOS content caching must be able to connect to the following hosts.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
lcdn-locator.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Content caching locator service | — |
serverstatus.apple.com | 443 | TCP | macOS only | Content caching client public IP determination | — |
Access to the following hosts is required for app notarization and app validation.
App notarization
Starting with macOS 10.14.5, software is checked for notarization before it will run. In order for this check to succeed, a Mac must be able to access the same hosts listed in the Ensure Your Build Server Has Network Access section of Customizing the Notarization Workflow.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
17.248.128.0/18 | 443 | TCP | macOS only | Ticket delivery | — |
17.250.64.0/18 | 443 | TCP | macOS only | Ticket delivery | — |
17.248.192.0/19 | 443 | TCP | macOS only | Ticket delivery | — |
App validation
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.appattest.apple.com | 443 | TCP | iOS, iPadOS, and macOS | App validation, Touch ID and Face ID authentication for websites | — |
Feedback Assistant is an app used by developers and members of the beta software programs to report feedback to Apple. It uses the following hosts:
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
bpapi.apple.com | 443 | TCP | tvOS only | Provides beta software updates | Yes |
cssubmissions.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Feedback Assistant to upload files | Yes |
fba.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Feedback Assistant to file and view feedback | Yes |
Apple devices might access the following host in order to perform diagnostics used to detect a possible hardware issue.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
diagassets.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Apple devices to help detect possible hardware issues | Yes |
In order to use encrypted Domain Name System (DNS) resolution in iOS 14, tvOS 14, and macOS Big Sur, the following host will be contacted.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
doh.dns.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used for DNS over HTTPS (DoH) | Yes |
In addition to the Apple ID hosts listed above, Apple devices must be able to connect to hosts in the following domains to use iCloud services.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.apple-cloudkit.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.apple-livephotoskit.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.apzones.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services in China | — |
*.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.gc.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.icloud.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.icloud.com.cn | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services in China | — |
*.icloud.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.icloud-content.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.iwork.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iWork documents | — |
mask.icloud.com | 443 | UDP | iOS, iPadOS, macOS | iCloud Private Relay | — |
mask-h2.icloud.com | 443 | TCP | iOS, iPadOS, macOS | iCloud Private Relay | — |
mask-api.icloud.com | 443 | TCP | iOS, iPadOS, macOS | iCloud Private Relay | Yes |
Apple devices must be able to connect to the following hosts to download additional content. Some additional content might also be hosted on third-party content distribution networks.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
audiocontentdownload.apple.com | 80, 443 | TCP | iOS, iPadOS, and macOS | GarageBand downloadable content | — |
devimages-cdn.apple.com | 80, 443 | TCP | macOS only | Xcode downloadable components | — |
download.developer.apple.com | 80, 443 | TCP | macOS only | Xcode downloadable components | — |
playgrounds-assets-cdn.apple.com | 443 | TCP | iPadOS and macOS | Swift Playgrounds | — |
playgrounds-cdn.apple.com | 443 | TCP | iPadOS and macOS | Swift Playgrounds | — |
sylvan.apple.com | 80, 443 | TCP | tvOS only | Apple TV screen savers | — |
If your firewall supports using hostnames, you might be able to use most Apple services above by allowing outbound connections to *.apple.com. If your firewall can only be configured with IP addresses, allow outbound connections to 17.0.0.0/8. The entire 17.0.0.0/8 address block is assigned to Apple.
You can use Apple services through a proxy if you disable packet inspection and authentication for traffic to and from the listed hosts. Exceptions to this are noted above. Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy.
Some of the hosts listed in this article may have CNAME records in DNS instead of A or AAAA records. These CNAME records may refer to other CNAME records in a chain before ultimately resolving to an IP address. This DNS resolution allows Apple to provide fast and reliable content delivery to users in all regions and is transparent to devices and proxy servers. Apple doesn't publish a list of these CNAME records because they are subject to change. You shouldn't need to configure your firewall or proxy server to allow them as long as you don't block DNS lookups and allow access to the hosts and domains named above.
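As an added example (not from the Apple or Symantec article), the shell functions below follow a host's CNAME chain as described above and list the IPv4 addresses it finally resolves to, marking which of them fall inside the 17.0.0.0/8 block. This lets you confirm whether an IP-only allow rule for 17.0.0.0/8 actually covers a given host, and shows the intermediate CNAME names you may see in proxy or DNS logs. It assumes `dig` (bundled with macOS) is on the PATH; the hostnames in the usage line are taken from the tables above.

```shell
#!/bin/sh
# Added example: show the CNAME chain and final IPv4 addresses for an Apple service host,
# and report whether each address lies in Apple's 17.0.0.0/8 block. Not part of the
# Apple/Symantec article; assumes `dig` (bundled with macOS) is on PATH.

MAX_HOPS=10   # guard against CNAME loops

# in_apple_block ip: succeed if the IPv4 address is inside 17.0.0.0/8 (first octet is 17).
in_apple_block() {
    octet1=${1%%.*}
    [ "$octet1" = "17" ] && [ "$octet1" != "$1" ]
}

# cname_chain name: print the name, then each CNAME target in turn, until a name with
# no CNAME is reached (that final name is the one carrying the A/AAAA records).
cname_chain() {
    name=$1
    hops=0
    while [ "$hops" -lt "$MAX_HOPS" ]; do
        printf '%s\n' "$name"
        next=$(dig +short CNAME "$name" 2>/dev/null | sed 's/\.$//' | head -n 1)
        [ -n "$next" ] || return 0
        name=$next
        hops=$((hops + 1))
    done
    printf 'stopped after %s hops (possible CNAME loop)\n' "$MAX_HOPS" >&2
    return 1
}

# classify_addrs: read IPv4 addresses on stdin, emit "ip apple" or "ip other" per line.
classify_addrs() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        if in_apple_block "$ip"; then
            printf '%s apple\n' "$ip"
        else
            printf '%s other\n' "$ip"
        fi
    done
}

# resolve_report host: the CNAME chain, then the final A records with their classification.
resolve_report() {
    printf 'CNAME chain for %s:\n' "$1"
    cname_chain "$1" | sed 's/^/  /'
    printf 'A records (apple = inside 17.0.0.0/8):\n'
    dig +short A "$1" 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' \
        | classify_addrs | sed 's/^/  /'
}

# Usage: sh apple-dns-report.sh ocsp2.apple.com appldnld.apple.com.edgesuite.net
for h in "$@"; do
    resolve_report "$h"
done
```

Any address reported as `other` is one that a bare 17.0.0.0/8 rule will not allow, so for those hosts the firewall needs the hostname-based rule instead. Because the chain is resolved at run time, re-run the report from the client network itself rather than from a management host with different DNS.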
https://support.apple.com/en-us/HT210060