- Use Apple products on enterprise networks
- Apple Push Notifications
- Device setup
- Device Management
- Apple School Manager and Apple Business Manager
- Apple Business Essentials device management
- Software updates
- macOS, iOS, and tvOS
- App Store
- Carrier updates
- Content caching
- Apple Developer
- Feedback Assistant
- Apple diagnostics
- Domain Name System resolution
- Certificate validation
- Apple ID
- iCloud
- Additional content
- Firewalls
- HTTP proxy
Use Apple products on enterprise networks
Learn which hosts and ports are required to use your Apple products on enterprise networks.
This article is intended for enterprise and education network administrators.
Apple products require access to the internet hosts in this article for a variety of services. Here’s how your devices connect to hosts and work with proxies:
- Network connections to the hosts below are initiated by the device, not by hosts operated by Apple.
- Apple services will fail any connection that uses HTTPS Interception (SSL Inspection). If the HTTPS traffic traverses a web proxy, disable HTTPS Interception for the hosts listed in this article.
Make sure your Apple devices can access the hosts listed below.
Apple Push Notifications
Learn how to troubleshoot connecting to the Apple Push Notification service (APNs). For devices that send all traffic through an HTTP proxy, you can configure the proxy either manually on the device or with a configuration profile. Beginning with macOS 10.15.5, devices can connect to APNs when configured to use the HTTP proxy with a proxy auto-config (PAC) file.
Device setup
Access to the following hosts might be required when setting up your device, or when installing, updating, or restoring the operating system.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| albert.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Device activation | Yes |
| captive.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals | Yes |
| gs.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Yes | |
| humb.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Yes | |
| static.ips.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Yes | |
| sq-device.apple.com | 443 | TCP | iOS and iPadOS | eSIM activation | — |
| tbsc.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Yes | |
| time-ios.apple.com | 123 | UDP | iOS, iPadOS, and tvOS | Used by devices to set their date and time | — |
| time.apple.com | 123 | UDP | iOS, iPadOS, tvOS, and macOS | Used by devices to set their date and time | — |
| time-macos.apple.com | 123 | UDP | macOS only | Used by devices to set their date and time | — |
Device Management
Network access to the following hosts might be required for devices enrolled in Mobile Device Management (MDM).
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| *.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, iPadOS, tvOS, and macOS | Push notifications | Learn more about APNs and proxies. |
| deviceenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP provisional enrollment | — |
| deviceservices-external.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | — | |
| gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by an MDM server to identify which software updates are available to devices that use managed software updates | Yes |
| identity.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | APNs certificate request portal | Yes |
| iprofiles.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
| mdmenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts | Yes |
| setup.icloud.com | 443 | TCP | iOS and iPadOS | Required to log in with a Managed Apple ID on Shared iPad | — |
| vpp.itunes.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device | Yes |
Apple School Manager and Apple Business Manager
Network access to the following hosts as well as the hosts in the App Store section is required for full functionality of Apple School Manager and Apple Business Manager.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| *.business.apple.com | 443, 80 | TCP | — | Apple Business Manager | — |
| *.school.apple.com | 443, 80 | TCP | — | Schoolwork Roster service | — |
| isu.apple.com | 443, 80 | TCP | — | — | |
| ws-ee-maidsvc.icloud.com | 443, 80 | TCP | — | Schoolwork Roster service | — |
Apple Business Essentials device management
Network access to the following hosts is required for full functionality of Apple Business Essentials device management.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| axm-adm-enroll.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP enrollment server | — |
| axm-adm-mdm.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM server | — |
| axm-adm-scep.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | SCEP server | — |
| axm-app.apple.com | 443 | TCP | iOS, iPadOS, and macOS | Used by Apple Business Essentials to view and manage apps and devices | — |
Software updates
Make sure you can access the following ports for updating macOS, apps from the Mac App Store, and for using content caching.
macOS, iOS, and tvOS
Network access to the following hostnames is required for installing, restoring, and updating macOS, iOS, and tvOS.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| appldnld.apple.com | 80 | TCP | iOS and iPadOS | iOS updates | — |
| configuration.apple.com | 443 | TCP | macOS only | Rosetta 2 updates | — |
| gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Software update catalog | — |
| gg.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | iOS, tvOS, and macOS updates | Yes |
| gnf-mdn.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| gnf-mr.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| gs.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | iOS, iPadOS, tvOS, and macOS updates | Yes |
| ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| mesu.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Hosts software update catalogs | — |
| ns.itunes.apple.com | 443 | TCP | iOS and iPadOS | Yes | |
| oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | — |
| osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | — |
| skl.apple.com | 443 | TCP | macOS only | macOS updates | — |
| swcdn.apple.com | 80 | TCP | macOS only | macOS updates | — |
| swdist.apple.com | 443 | TCP | macOS only | macOS updates | — |
| swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
| swpost.apple.com | 80 | TCP | macOS only | macOS updates | Yes |
| swscan.apple.com | 443 | TCP | macOS only | macOS updates | — |
| updates-http.cdn-apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | — |
| updates.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | — |
| xp.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Yes |
App Store
Access to the following hosts might be required for updating apps.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| *.itunes.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
| *.apps.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
| *.mzstatic.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | — |
| itunes.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Yes | |
| ppq.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Enterprise App validation | — |
Carrier updates
Cellular devices must be able to connect to the following hosts to install carrier bundle updates.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| appldnld.apple.com | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
| appldnld.apple.com.edgesuite.net | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
| itunes.com | 80 | TCP | iOS and iPadOS | Carrier bundle update discovery | — |
| itunes.apple.com | 443 | TCP | iOS and iPadOS | Carrier bundle update discovery | — |
| updates-http.cdn-apple.com | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
| updates.cdn-apple.com | 443 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
Content caching
A Mac that provides content caching must be able to connect to the following hosts, as well as the hosts listed in this document that provide Apple content such as software updates, apps, and additional content.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| lcdn-registration.apple.com | 443 | TCP | macOS only | Server registration | Yes |
| suconfig.apple.com | 80 | TCP | macOS only |
Clients of macOS content caching must be able to connect to the following hosts.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| lcdn-locator.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Content caching locator service | — |
| serverstatus.apple.com | 443 | TCP | macOS only | Content caching client public IP determination | — |
Apple Developer
Access to the following hosts is required for app notarization and app validation.
App notarization
Starting with macOS 10.14.5, software is checked for notarization before it will run. In order for this check to succeed, a Mac must be able to access the same hosts listed in the Ensure Your Build Server Has Network Access section of Customizing the Notarization Workflow.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| 17.248.128.0/18 | 443 | TCP | macOS only | Ticket delivery | — |
| 17.250.64.0/18 | 443 | TCP | macOS only | Ticket delivery | — |
| 17.248.192.0/19 | 443 | TCP | macOS only | Ticket delivery | — |
App validation
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| *.appattest.apple.com | 443 | TCP | iOS, iPadOS, and macOS | App validation, Touch ID and Face ID authentication for websites | — |
Feedback Assistant
Feedback Assistant is an app used by developers and members of the beta software programs to report feedback to Apple. It uses the following hosts:
| Hosts | Port | Protocol | OS | Description | Supports proxies |
| bpapi.apple.com | 443 | TCP | tvOS only | Provides beta software updates | Yes |
| cssubmissions.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Feedback Assistant to upload files |
Apple diagnostics
Apple devices might access the following host in order to perform diagnostics used to detect a possible hardware issue.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| diagassets.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Apple devices to help detect possible hardware issues | Yes |
Domain Name System resolution
In order to use encrypted Domain Name System (DNS) resolution in iOS 14, tvOS 14, and macOS Big Sur, the following host will be contacted.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| doh.dns.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used for DNS over HTTPS (DoH) | Yes |
Certificate validation
Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts in this article.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| certs.apple.com | 80, 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| crl.apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| crl.entrust.net | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| crl3.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| crl4.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| ocsp.apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| ocsp.digicert.cn | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation in China | — |
| ocsp.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| ocsp.entrust.net | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| ocsp2.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
| valid.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | Yes |
Apple ID
Apple devices must be able to connect to the following hosts in order to authenticate an Apple ID. This is required for all services that use an Apple ID, such as iCloud, app installation, and Xcode.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| appleid.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication in Settings and System Preferences | Yes |
| appleid.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication in Settings and System Preferences | Yes |
| idmsa.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication | Yes |
| gsa.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication | Yes |
iCloud
In addition to the Apple ID hosts listed above, Apple devices must be able to connect to hosts in the following domains to use iCloud services.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| *.apple-cloudkit.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
| *.apple-livephotoskit.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
| *.apzones.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services in China | — |
| *.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
| *.gc.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
| *.icloud.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
| *.icloud.com.cn | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services in China | — |
| *.icloud.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
| *.icloud-content.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
| *.iwork.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iWork documents | — |
Additional content
Apple devices must be able to connect to the following hosts to download additional content. Some additional content might also be hosted on third-party content distribution networks.
| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| audiocontentdownload.apple.com | 80, 443 | TCP | iOS, iPadOS, and macOS | GarageBand downloadable content | — |
| devimages-cdn.apple.com | 80, 443 | TCP | macOS only | Xcode downloadable components | — |
| download.developer.apple.com | 80, 443 | TCP | macOS only | Xcode downloadable components | — |
| playgrounds-assets-cdn.apple.com | 443 | TCP | iPadOS and macOS | Swift Playgrounds | — |
| playgrounds-cdn.apple.com | 443 | TCP | iPadOS and macOS | Swift Playgrounds | — |
| sylvan.apple.com | 80, 443 | TCP | tvOS only | Apple TV screen savers | — |
Firewalls
If your firewall supports using hostnames, you might be able to use most Apple services above by allowing outbound connections to *.apple.com. If your firewall can only be configured with IP addresses, allow outbound connections to 17.0.0.0/8. The entire 17.0.0.0/8 address block is assigned to Apple.
HTTP proxy
You can use Apple services through a proxy if you disable packet inspection and authentication for traffic to and from the listed hosts. Exceptions to this are noted above. Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy.
Источник
