Proxy/Firewall filter rules (e.g. - iOS updates)

Innocence

Hey all,

I'm sure this is relatively common knowledge, but my google-fu is letting me down.

Does anyone have the URL, IP and/or file type for iOS update downloads direct from Apple devices? We're moving to Apple devices and would like to allow users to directly update over our corporate WiFi, but it's obviously currently blocked by our content filters.

I'd open up *.apple.com, but generally try to avoid wildcards like that.

While I'm on the topic - anyone want to share what they use for trust-able and good resources for block/allow lists for content filters?
 
Nobody?

Is everyone just running corporate access wild-west style these days? Or just using subscription based filter lists included in off-the-shelf products?
 
Usually you want to isolate bad devices in their own physical network.

Also if doing content filtering then you should be able to take a dive into your logs to find out which url and/or filetype was being requested for this update to succeed.
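One way to do that log dive, as an added example that is not something anyone posted in this thread: pull the proxy or content-filter log, keep only the requests an iOS device made to Apple hosts, and tabulate the hosts, the file types and the blocked hits, so the allow rule can name the handful of observed hosts instead of *.apple.com. The log layout (client, method, URL, status, quoted user agent), the user-agent pattern, the "403 means blocked" convention and every host name except gs.apple.com are constructed assumptions; adapt the regex to what your own filter writes.

```python
"""Mine a proxy/content-filter log for the hosts and file types an iOS
update actually fetched, so they can be allowed explicitly rather than
with a *.apple.com wildcard.  Added example, not code from the thread."""
import re
from collections import defaultdict
from posixpath import splitext
from urllib.parse import urlsplit

# Constructed sample log, generic layout:  <client> <method> <url> <status> "<user-agent>"
# gs.apple.com is named in the thread; cdn-example.apple.com and the
# example.com/example.net hosts are made up.  Status 403 is assumed to be
# the filter's "blocked" code.
SAMPLE_LOG = """\
10.0.5.21 GET http://gs.apple.com/catalog/update-catalog.xml 200 "iOS/7.0 (iPhone)"
10.0.5.21 GET http://cdn-example.apple.com/ios/iPhone_Restore.ipsw 206 "iOS/7.0 (iPhone)"
10.0.5.21 GET http://cdn-example.apple.com/ios/iPhone_Restore.ipsw 206 "iOS/7.0 (iPhone)"
10.0.5.22 GET http://cdn-example.apple.com/ios/manifest.plist 200 "iOS/7.0 (iPad)"
10.0.5.22 GET http://gs.apple.com/catalog/update-catalog.xml 403 "iOS/7.0 (iPad)"
10.0.5.30 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1)"
10.0.5.31 GET http://ads.example.net/track.js 200 "iOS/7.0 (iPhone)"
10.0.5.21 CONNECT gs.apple.com:443 200 "iOS/7.0 (iPhone)"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Assumed user-agent fragments that identify an Apple mobile device.
IOS_UA_RE = re.compile(r"iOS/|iPhone|iPad")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    url = entry["url"]
    if "://" in url:
        parts = urlsplit(url)
        entry["host"] = (parts.hostname or "").lower()
        entry["ext"] = splitext(parts.path)[1].lower()
    else:
        # CONNECT lines carry only host:port, no scheme or path, so urlsplit
        # would misread the host as a scheme; strip the port by hand.
        entry["host"] = url.rsplit(":", 1)[0].lower()
        entry["ext"] = ""
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def in_domain(host, suffix):
    """True for suffix itself and any label under it (no substring matches)."""
    return host == suffix or host.endswith("." + suffix)


def summarize(entries, suffix="apple.com", ua_re=IOS_UA_RE, blocked_status=403):
    """Per-host hit counts, blocked counts, methods and file extensions for
    requests made by iOS user agents to hosts under `suffix`."""
    by_host = defaultdict(lambda: {"hits": 0, "blocked": 0, "exts": set(), "methods": set()})
    for e in entries:
        if not ua_re.search(e["ua"]) or not in_domain(e["host"], suffix):
            continue
        rec = by_host[e["host"]]
        rec["hits"] += 1
        rec["methods"].add(e["method"])
        if e["ext"]:
            rec["exts"].add(e["ext"])
        if e["status"] == blocked_status:
            rec["blocked"] += 1
    return dict(by_host)


def allow_rules(summary):
    """Explicit host entries to allow, one per observed host, instead of a wildcard."""
    return sorted(summary)


def file_types(summary):
    """All file extensions seen across the allowed hosts (for a type-based rule)."""
    return sorted({ext for rec in summary.values() for ext in rec["exts"]})


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for host in allow_rules(summary):
        rec = summary[host]
        print(f"{host:28} hits={rec['hits']} blocked={rec['blocked']} "
              f"methods={sorted(rec['methods'])} exts={sorted(rec['exts'])}")
    print("file types seen:", file_types(summary))
```

The blocked count is the useful column: a host with blocked hits from iOS user agents is one the filter is currently stopping. Because the thread notes gs.apple.com is a CNAME into a CDN, the rules this produces should name hosts, not the IP addresses they happen to resolve to.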
 
The update server is gs.apple.com, but it's CNAMEd to gs.apple.com.akadns.net (Akamai CDN?)
 
I had to open all of apple with a wildcard like that to get it to work for me :(

Using Websense here, btw.
 
If you use a Palo Alto device, you should be able to combine the URL filter of *.apple.com with appid:apple-update to limit what you want to allow for your clients.
 
Cisco should sue Apple.

IOS belonged to Cisco way before Apple stole it.

I wouldn't open wildcards... way too many things can go wrong.
 
> Cisco should sue Apple.
>
> IOS belonged to Cisco way before Apple stole it.
>
> I wouldn't open wildcards... way too many things can go wrong.

Actually, they bought some license from Cisco, if I'm not mistaken, to settle any future lawsuits (which is why I would assume you only see the Cisco VPN client as a native client in iOS long before any crypto API is available for the other vendors to use).
 
Why not run Wireshark on a few machines running Apple updates and capture the DNS requests?
 
> Why not run Wireshark on a few machines running Apple updates and capture the DNS requests?
To be completely honest I assumed it would be relatively common knowledge and wanted to save myself the hassle.

If opening up *.apple.com doesn't work I'll do it, but to set up a dedicated test WAP (the old one got ganked to production as an urgent replacement), set up port monitoring, and then burn through a packet capture is a bit of a process I was trying to avoid.
 