Use Apple products on enterprise networks

Learn which hosts and ports are required to use your Apple products on enterprise networks.

This article is intended for enterprise and education network administrators.

Apple products require access to the Internet hosts in this article for a variety of services. Here's how your devices connect to hosts and work with proxies:

  • Network connections to the hosts below are initiated by the device, not by hosts operated by Apple.
  • Apple services will fail any connection that uses HTTPS Interception (SSL Inspection). If the HTTPS traffic traverses a web proxy, disable HTTPS Interception for the hosts listed in this article.

Make sure your Apple devices can access the hosts listed below.

Apple Push Notifications

Learn how to troubleshoot connecting to the Apple Push Notification service (APNs). For devices that send all traffic through an HTTP proxy, you can configure the proxy either manually on the device or with a configuration profile. Connections to APNs fail if devices are configured to use the HTTP proxy with a proxy auto-config (PAC) file.

Device setup

Access to the following hosts might be required when setting up your device, or when installing, updating or restoring the operating system.

Hosts | Ports | Protocol | OS | Description | Supports proxies
albert.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes
captive.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals | Yes
gs.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes
humb.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes
static.ips.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | | Yes
tbsc.apple.com | 443 | TCP | macOS only | | Yes
time-ios.apple.com | 123 | UDP | iOS and tvOS only | Used by devices to set their date and time |
time.apple.com | 123 | UDP | iOS, tvOS, and macOS | Used by devices to set their date and time |
time-macos.apple.com | 123 | UDP | macOS only | Used by devices to set their date and time |

Device Management

Network access to the following hosts might be required for devices enrolled in Mobile Device Management (MDM):

Hosts | Ports | Protocol | OS | Description | Supports proxies
*.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, tvOS, and macOS | Push notifications | See the Apple Push Notifications section above.
gdmf.apple.com | 443 | TCP | iOS, tvOS, and macOS | Used by MDM servers to identify which software updates are available to devices that use managed software updates. | Yes
deviceenrollment.apple.com | 443 | TCP | iOS, tvOS, and macOS | DEP provisional enrollment. |
deviceservices-external.apple.com | 443 | TCP | iOS, tvOS, and macOS | |
identity.apple.com | 443 | TCP | iOS, tvOS, and macOS | APNs certificate request portal. | Yes
iprofiles.apple.com | 443 | TCP | iOS, tvOS, and macOS | Hosts the enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment. | Yes
mdmenrollment.apple.com | 443 | TCP | iOS, tvOS, and macOS | Used by MDM servers to upload enrollment profiles for clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts. | Yes
vpp.itunes.apple.com | 443 | TCP | iOS, tvOS, and macOS | Used by MDM servers to perform operations related to Apps and Books, such as assigning or revoking licenses on a device. | Yes

Software updates

Make sure you can access the following hosts and ports for updating macOS, for updating apps from the Mac App Store, and for using content caching.

macOS, iOS, and tvOS

Network access to the following hostnames is required for installing, restoring, and updating macOS, iOS, and tvOS:

Hosts | Ports | Protocol | OS | Description | Supports proxies
appldnld.apple.com | 80 | TCP | iOS only | iOS updates |
gg.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes
gnf-mdn.apple.com | 443 | TCP | macOS only | macOS updates | Yes
gnf-mr.apple.com | 443 | TCP | macOS only | macOS updates | Yes
gs.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes
ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes
mesu.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Hosts software update catalogs |
ns.itunes.apple.com | 443 | TCP | iOS only | | Yes
oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery |
osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery |
skl.apple.com | 443 | TCP | macOS only | macOS updates |
swcdn.apple.com | 80 | TCP | macOS only | macOS updates |
swdist.apple.com | 443 | TCP | macOS only | macOS updates |
swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes
swpost.apple.com | 80 | TCP | macOS only | macOS updates | Yes
swscan.apple.com | 443 | TCP | macOS only | macOS updates |
updates-http.cdn-apple.com | 80 | TCP | iOS, tvOS, and macOS | |
updates.apple.com | 443 | TCP | iOS, tvOS, and macOS | |
updates.cdn-apple.com | 443 | TCP | iOS, tvOS, and macOS | |
xp.apple.com | 443 | TCP | iOS, tvOS, and macOS | | Yes

App Store

Access to the following hosts might be required for updating apps:

Hosts | Ports | Protocol | OS | Description | Supports proxies
*.itunes.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | Yes
*.apps.apple.com | 443 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | Yes
*.mzstatic.com | 443 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music |
itunes.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | | Yes
ppq.apple.com | 443 | TCP | iOS, tvOS, and macOS | Enterprise App validation |

Content caching

Access to the following host is required for a Mac that uses macOS content caching:

Hosts | Ports | Protocol | OS | Description | Supports proxies
lcdn-registration.apple.com | 443 | TCP | macOS only | Content caching server registration | Yes

App notarization

Starting with macOS 10.14.5, software is checked for notarization before it is allowed to run. For this check to succeed, a Mac must be able to reach the same hosts listed in the "Ensure Your Build Server Has Network Access" section of Customizing the Notarization Workflow:

Hosts | Ports | Protocol | OS | Description | Supports proxies
17.248.128.0/18 | 443 | TCP | macOS only | Ticket delivery |
17.250.64.0/18 | 443 | TCP | macOS only | Ticket delivery |
17.248.192.0/19 | 443 | TCP | macOS only | Ticket delivery |

Certificate validation

Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts listed above:

Hosts | Ports | Protocol | OS | Description | Supports proxies
crl.apple.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation |
crl.entrust.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation |
crl3.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation |
crl4.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation |
ocsp.apple.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation |
ocsp.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation |
ocsp.entrust.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation |
ocsp.verisign.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation |
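The tables above are the input an administrator actually wants to verify from inside the network before rolling out devices. The script below is an added example (not an Apple tool and not part of this article) that expands rows written in the article's own "443, 80" style into one TCP connect per host and port and reports which ones cannot complete a handshake. ARTICLE_ROWS is a constructed subset of the tables; wildcard rows such as *.push.apple.com name a host family rather than one host, and UDP rows such as time.apple.com:123 cannot be verified with a TCP connect, so both are reported as skipped rather than guessed at.

```python
"""Reachability checker for the host/port tables above (added example)."""
import socket
from dataclasses import dataclass

# Constructed subset of the article's tables: (host, ports, protocol).
# Port strings keep the article's "443, 80" style so any table row can be
# pasted in unchanged.
ARTICLE_ROWS = [
    ("albert.apple.com", "443", "TCP"),
    ("captive.apple.com", "443, 80", "TCP"),
    ("*.push.apple.com", "443, 80, 5223, 2197", "TCP"),
    ("time.apple.com", "123", "UDP"),
    ("ocsp.apple.com", "80", "TCP"),
]


@dataclass(frozen=True)
class Check:
    host: str
    port: int
    protocol: str


def expand_rows(rows):
    """Turn one table row per host into one Check per (host, port) pair."""
    checks = []
    for host, ports, protocol in rows:
        for raw in ports.split(","):
            checks.append(Check(host, int(raw.strip()), protocol.upper()))
    return checks


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout.
    DNS failure, refusal, and timeout all surface as OSError."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(checks, timeout=3.0):
    """Map each Check to True (reachable), False (blocked), or None when a
    plain TCP connect cannot answer the question: UDP rows need an NTP query
    and wildcard rows name a host family, not a single host."""
    results = {}
    for c in checks:
        if c.protocol != "TCP" or c.host.startswith("*."):
            results[c] = None
        else:
            results[c] = tcp_reachable(c.host, c.port, timeout)
    return results


def local_demo():
    """Offline demonstration of tcp_reachable: probe a loopback listener,
    then probe the same port after the listener is closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    closed_result = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    labels = {True: "reachable", False: "BLOCKED", None: "skipped"}
    for check, ok in run_checks(expand_rows(ARTICLE_ROWS)).items():
        print(f"{check.host}:{check.port}/{check.protocol} {labels[ok]}")
```

A successful handshake only proves the firewall path is open; it does not prove that the TLS session will be accepted, since an intercepting proxy also completes the handshake. Run the check from the same network segment the devices will use, and treat a BLOCKED line for an HTTPS host as a firewall finding and a reachable line as the starting point for the proxy checks in the HTTP proxy section below.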

Firewalls

If your firewall supports rules based on hostnames, you may be able to reach most Apple services above by allowing outbound connections to *.apple.com. If your firewall can only be configured with IP addresses, allow outbound connections to 17.0.0.0/8; the entire 17.0.0.0/8 address block is assigned to Apple. Note that neither shortcut covers the third-party hosts in the tables above (for example the cdn-apple.com, mzstatic.com, digicert.com, entrust.net, and verisign.net entries), which need their own rules.
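The *.apple.com shortcut is tempting because it is short, but a wildcard rule is a string match, and several rows in the tables above do not end in .apple.com at all. The following added example (not part of the article or of any Apple tool) audits a candidate allowlist against the hosts the article names: it applies firewall-style wildcard matching, lists every host the hostname rules leave uncovered, and checks an address against the CIDR rules using the 17.0.0.0/8 block and the notarization ranges given above. ARTICLE_HOSTS is a constructed subset; example.push.apple.com and a1.mzstatic.com are placeholder names standing in for concrete hosts under the article's *.push.apple.com and *.mzstatic.com wildcards.

```python
"""Allowlist coverage audit for the hosts in the article (added example)."""
import ipaddress

# Constructed subset of the hosts named in the tables above.
# example.push.apple.com and a1.mzstatic.com are placeholder names for hosts
# under the article's wildcard rows, not real hostnames.
ARTICLE_HOSTS = [
    "albert.apple.com", "captive.apple.com", "gdmf.apple.com",
    "example.push.apple.com",
    "updates.cdn-apple.com", "updates-http.cdn-apple.com",
    "a1.mzstatic.com",
    "crl3.digicert.com", "crl.entrust.net", "ocsp.verisign.net",
]

# CIDR rules from the Firewalls and App notarization sections.
APPLE_BLOCK = "17.0.0.0/8"
NOTARIZATION_RANGES = ["17.248.128.0/18", "17.250.64.0/18", "17.248.192.0/19"]


def host_matches(host, pattern):
    """Firewall-style wildcard match. '*.apple.com' matches any host that has
    at least one label under apple.com, but not the bare apex 'apple.com'.
    Case and a trailing dot are ignored, as DNS ignores them."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.apple.com" -> ".apple.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def uncovered_hosts(hosts, patterns):
    """Hosts that no hostname rule in `patterns` allows, sorted for stable output."""
    return sorted(h for h in hosts
                  if not any(host_matches(h, p) for p in patterns))


def address_allowed(addr, cidrs):
    """True if `addr` falls inside any of the CIDR rules (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def audit(hosts, hostname_rules):
    """Summarise which of the article's hosts a hostname-based allowlist still misses."""
    missing = uncovered_hosts(hosts, hostname_rules)
    return {
        "covered": len(hosts) - len(missing),
        "uncovered": missing,
    }


if __name__ == "__main__":
    report = audit(ARTICLE_HOSTS, ["*.apple.com"])
    print(f"*.apple.com covers {report['covered']} of {len(ARTICLE_HOSTS)} hosts")
    for h in report["uncovered"]:
        print(f"  needs its own rule: {h}")
    # The notarization ranges are inside 17/8, so an IP-only firewall that
    # allows 17.0.0.0/8 already includes them.
    for cidr in NOTARIZATION_RANGES:
        first = ipaddress.ip_network(cidr)[0]
        print(f"  {cidr} inside {APPLE_BLOCK}: {address_allowed(str(first), [APPLE_BLOCK])}")
```

The audit deliberately reports hosts rather than guessing broader wildcards such as *.digicert.com: the article names specific CRL and OCSP hosts, and an explicit rule per host is the least-privilege reading of that list. Note also that a hostname rule only works on a firewall that can see the name (via DNS snooping, SNI, or a proxy); an IP-only firewall needs the 17.0.0.0/8 rule plus the resolved addresses of the uncovered third-party hosts, which the article does not enumerate.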

HTTP proxy

You can use Apple services through a proxy if you disable packet inspection and authentication for traffic to and from the listed hosts; the exceptions are noted in the tables above. Any attempt to perform content inspection on the encrypted communications between Apple devices and Apple services results in a dropped connection, which preserves platform security and user privacy.
