This article is intended for enterprise and education network administrators.
Apple products require access to the Internet hosts in this article for a variety of services. Here's how your devices connect to hosts and work with proxies:
- Network connections to the hosts below are initiated by the device, not by hosts operated by Apple.
- Apple services will fail any connection that uses HTTPS Interception (SSL Inspection). If the HTTPS traffic traverses a web proxy, disable HTTPS Interception for the hosts listed in this article.
Make sure your Apple devices can access the hosts listed below.
Apple Push Notifications
Learn how to troubleshoot connecting to the Apple Push Notification service (APNs). For devices that send all traffic through an HTTP proxy, you can configure the proxy either manually on the device or with a configuration profile. Connections to APNs fail if devices are configured to use the HTTP proxy with a proxy auto-config (PAC) file.
Access to the following hosts might be required when setting up your device, or when installing, updating or restoring the operating system.
|albert.apple.com||443||TCP||iOS, tvOS, and macOS||Yes|
|captive.apple.com||443, 80||TCP||iOS, tvOS, and macOS||Internet connectivity validation for networks that use captive portals.||Yes|
|gs.apple.com||443||TCP||iOS, tvOS, and macOS||Yes|
|humb.apple.com||443||TCP||iOS, tvOS, and macOS||Yes|
|static.ips.apple.com||443, 80||TCP||iOS, tvOS, and macOS||Yes|
|time-ios.apple.com||123||UDP||iOS and tvOS only||Used by devices to set their date and time||—|
|time.apple.com||123||UDP||iOS, tvOS, and macOS||Used by devices to set their date and time||—|
|time-macos.apple.com||123||UDP||macOS only||Used by devices to set their date and time||—|
Network access to the following hosts might be required for devices enrolled in Mobile Device Management (MDM):
|*.push.apple.com||443, 80, 5223, 2197||TCP||iOS, tvOS, and macOS||Push notifications||Learn more about APNs and proxies.|
|gdmf.apple.com||443||TCP||iOS, tvOS, and macOS||MDM server to identify which software updates are available to devices that use managed software updates.||Yes|
|deviceenrollment.apple.com||443||TCP||iOS, tvOS, and macOS||DEP provisional enrollment.||—|
|deviceservices-external.apple.com||443||TCP||iOS, tvOS, and macOS||—|
|identity.apple.com||443||TCP||iOS, tvOS, and macOS||APNs certificate request portal.||Yes|
|iprofiles.apple.com||443||TCP||iOS, tvOS, and macOS||Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment||Yes|
|mdmenrollment.apple.com||443||TCP||iOS, tvOS, and macOS||MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts.||Yes|
|vpp.itunes.apple.com||443||TCP||iOS, tvOS, and macOS||MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device.||Yes|
Make sure you can access the following ports for updating macOS, apps from the Mac App Store, and for using content caching.
macOS, iOS, and tvOS
Network access to the following hostnames are required for installing, restoring, and updating macOS, iOS, and tvOS:
|appldnld.apple.com||80||TCP||iOS only||iOS updates||—|
|gg.apple.com||443, 80||TCP||macOS only||macOS updates||Yes|
|gnf-mdn.apple.com||443||TCP||macOS only||macOS updates||Yes|
|gnf-mr.apple.com||443||TCP||macOS only||macOS updates||Yes|
|gs.apple.com||443, 80||TCP||macOS only||macOS updates||Yes|
|ig.apple.com||443||TCP||macOS only||macOS updates||Yes|
|mesu.apple.com||443, 80||TCP||iOS, tvOS, and macOS||Hosts software update catalogs||—|
|oscdn.apple.com||443, 80||TCP||macOS only||macOS Recovery||—|
|osrecovery.apple.com||443, 80||TCP||macOS only||macOS Recovery||—|
|skl.apple.com||443||TCP||macOS only||macOS updates||—|
|swcdn.apple.com||80||TCP||macOS only||macOS updates||—|
|swdist.apple.com||443||TCP||macOS only||macOS updates||—|
|swdownload.apple.com||443, 80||TCP||macOS only||macOS updates||Yes|
|swpost.apple.com||80||TCP||macOS only||macOS updates||Yes|
|swscan.apple.com||443||TCP||macOS only||macOS updates||—|
|updates-http.cdn-apple.com||80||TCP||iOS, tvOS, and macOS||—|
|updates.apple.com||443||TCP||iOS, tvOS, and macOS||—|
|updates.cdn-apple.com||443||TCP||iOS, tvOS, and macOS||—|
|xp.apple.com||443||TCP||iOS, tvOS, and macOS||Yes|
Access to the following hosts might be required for updating apps:
|*.itunes.apple.com||443, 80||TCP||iOS, tvOS, and macOS||Store content such as apps, books, and music||Yes|
|*.apps.apple.com||443||TCP||iOS, tvOS, and macOS||Store content such as apps, books, and music||Yes|
|*.mzstatic.com||443||TCP||iOS, tvOS, and macOS||Store content such as apps, books, and music||—|
|itunes.apple.com||443, 80||TCP||iOS, tvOS, and macOS||Yes|
|ppq.apple.com||443||TCP||iOS, tvOS, and macOS||Enterprise App validation||—|
Access to the following host is required for a Mac that uses macOS content caching:
|lcdn-registration.apple.com||443||TCP||macOS only||Content caching server registration||Yes|
Starting with macOS 10.14.5, software is checked for notarization before it will run. In order for this check to succeed, a Mac must be able to access the same hosts listed in the Ensure Your Build Server Has Network Access section of Customizing the Notarization Workflow:
|220.127.116.11/18||443||TCP||macOS only||Ticket delivery||—|
|18.104.22.168/18||443||TCP||macOS only||Ticket delivery||—|
|22.214.171.124/19||443||TCP||macOS only||Ticket delivery||—|
Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts listed above:
|crl.apple.com||80||TCP||iOS, tvOS, and macOS||Certificate validation||—|
|crl.entrust.net||80||TCP||iOS, tvOS, and macOS||Certificate validation||—|
|crl3.digicert.com||80||TCP||iOS, tvOS, and macOS||Certificate validation||—|
|crl4.digicert.com||80||TCP||iOS, tvOS, and macOS||Certificate validation||—|
|ocsp.apple.com||80||TCP||iOS, tvOS, and macOS||Certificate validation||—|
|ocsp.digicert.com||80||TCP||iOS, tvOS, and macOS||Certificate validation||—|
|ocsp.entrust.net||80||TCP||iOS, tvOS, and macOS||Certificate validation||—|
|ocsp.verisign.net||80||TCP||iOS, tvOS, and macOS||Certificate validation||—|
If your firewall supports using hostnames, you may be able to use most Apple services above by allowing outbound connections to *.apple.com. If your firewall can only be configured with IP addresses, allow outbound connections to 126.96.36.199/8. The entire 188.8.131.52/8 address block is assigned to Apple.
You can use Apple services through a proxy if you disable packet inspection and authentication for traffic to and from the listed hosts. Exceptions to this are noted above. Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy.