Mac App Store and OS updates blocked

Hello,

I am attempting to update company-owned macOS devices to the current operating system and believe that the client connector is blocking the connection. I'm also unable to connect to the App Store unless I disable the client connector. I have bypassed the recommended IPs suggested by Zscaler but am still having an issue. Am I missing any additional required IPs?

Hello Joe,

Did you check Certificate Pinning and SSL Inspection | Zscaler? There are dedicated URLs listed for the Apple App Store. I would recommend creating a custom URL category containing all (or a subset) of these URLs and exempting it from SSL inspection. Then give it a try.

BR
Manuel

Hi Joe - In addition to what Manuel noted with SSL bypasses, you may also want to check to make sure you've allowed all the URLs below, which are also available on Apple's site. Domain names are a much easier way than IP address blocks to configure the bypasses. Some of these locations don't support proxies at all (which may or may not be because of the pinned cert), so I am referring to using an App Profile in the Mobile Portal to bypass these destinations entirely, and I assume you are referring to Macs running the ZCC agent.

In my experience, most people simply bypass *.apple.com and forget *.cdn-apple.com (or, if you prefer to be more surgical, updates.cdn-apple.com and updates-http.cdn-apple.com).

macOS, iOS, iPadOS, watchOS, and tvOS

Network access to the following hostnames is required for installing, restoring, and updating macOS, iOS, iPadOS, watchOS, and tvOS.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
|---|---|---|---|---|---|
| appldnld.apple.com | 80 | TCP | iOS, iPadOS, and watchOS | iOS, iPadOS, and watchOS updates | |
| configuration.apple.com | 443 | TCP | macOS only | Rosetta 2 updates | |
| gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Software update catalog | |
| gg.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | iOS, iPadOS, tvOS, watchOS, and macOS updates | Yes |
| gnf-mdn.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| gnf-mr.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| gs.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | iOS, iPadOS, tvOS, watchOS, and macOS updates | Yes |
| ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| mesu.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Hosts software update catalogs | |
| ns.itunes.apple.com | 443 | TCP | iOS, iPadOS, and watchOS | | Yes |
| oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | |
| osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | |
| skl.apple.com | 443 | TCP | macOS only | macOS updates | |
| swcdn.apple.com | 80 | TCP | macOS only | macOS updates | |
| swdist.apple.com | 443 | TCP | macOS only | macOS updates | |
| swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
| swscan.apple.com | 443 | TCP | macOS only | macOS updates | |
| updates-http.cdn-apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | |
| updates.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | |
| xp.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | |
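The reply above makes two separate points: hosts that do not support proxies must be bypassed entirely (ZCC App Profile), while hosts that do support a proxy still serve pinned certificates and only need an SSL-inspection exemption; and a bare `*.apple.com` bypass silently misses the `cdn-apple.com` download hosts. The script below is an added example, not code from the thread, from Zscaler or from Apple. It encodes the quoted table as a constructed list (assumption: a blank "Supports proxies" cell means "bypass entirely"), splits the hosts into the two buckets, emits a PAC snippet (the `PROXY proxy.example.com:80` directive is a placeholder), and shows which hosts a wildcard misses. The `tls_issuer` helper is a live check you can run from a managed Mac to see which CA actually issued the certificate you are being served; it is not exercised offline.

```python
"""Classify Apple update hosts into "bypass the proxy entirely" vs "proxy, but
exempt from TLS inspection", emit a PAC snippet, and show which hosts a
wildcard bypass misses.  Added example; the host list is constructed from the
Apple table quoted in the thread and is an assumption, not a complete list."""
import fnmatch
import socket
import ssl

# (host, ports, supports_proxies) as listed in the quoted table.  Assumption for
# this example: a blank "Supports proxies" cell means the host must not be sent
# through the proxy at all.
APPLE_UPDATE_HOSTS = [
    ("appldnld.apple.com", (80,), False),
    ("configuration.apple.com", (443,), False),
    ("gdmf.apple.com", (443,), False),
    ("gg.apple.com", (443, 80), True),
    ("gnf-mdn.apple.com", (443,), True),
    ("gnf-mr.apple.com", (443,), True),
    ("gs.apple.com", (443, 80), True),
    ("ig.apple.com", (443,), True),
    ("mesu.apple.com", (443, 80), False),
    ("ns.itunes.apple.com", (443,), True),
    ("oscdn.apple.com", (443, 80), False),
    ("osrecovery.apple.com", (443, 80), False),
    ("skl.apple.com", (443,), False),
    ("swcdn.apple.com", (80,), False),
    ("swdist.apple.com", (443,), False),
    ("swdownload.apple.com", (443, 80), True),
    ("swscan.apple.com", (443,), False),
    ("updates-http.cdn-apple.com", (80,), False),
    ("updates.cdn-apple.com", (443,), False),
    ("xp.apple.com", (443,), False),
]

# Placeholder proxy directive (assumption); replace with your real forwarder.
DEFAULT_PROXY = "PROXY proxy.example.com:80"


def classify(hosts):
    """Return (bypass, exempt).  bypass: hosts that do not support proxies and
    must go DIRECT.  exempt: hosts that tolerate a proxy but serve pinned
    certificates, so their TLS sessions must be exempted from inspection."""
    bypass, exempt = [], []
    for host, ports, supports_proxy in hosts:
        if not supports_proxy:
            bypass.append(host)
        elif 443 in ports:
            exempt.append(host)
    return bypass, exempt


def build_pac(bypass_hosts, proxy=DEFAULT_PROXY):
    """Emit a minimal PAC function sending bypass_hosts DIRECT and everything
    else to the proxy.  shExpMatch uses shell-style globbing, like fnmatch."""
    lines = ["function FindProxyForURL(url, host) {"]
    for h in sorted(bypass_hosts):
        lines.append(f'  if (shExpMatch(host, "{h}")) return "DIRECT";')
    lines.append(f'  return "{proxy}";')
    lines.append("}")
    return "\n".join(lines)


def uncovered(patterns, hosts):
    """Hosts not matched by any glob pattern.  Demonstrates why "*.apple.com"
    alone does not cover the cdn-apple.com download hosts."""
    return sorted(h for h in hosts
                  if not any(fnmatch.fnmatchcase(h, p) for p in patterns))


def tls_issuer(host, port=443, timeout=5):
    """Live check (needs network; not run by the offline test).  Returns
    (issuer_organization, error).  An issuer that is not Apple's CA means the
    session is being intercepted; a verification failure against Python's own
    trust store usually means a replacement chain signed by a CA Python does
    not know.  The caller decides which issuers count as inspection."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return issuer.get("organizationName", "?"), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"chain not trusted by Python: {exc.reason}"
    except OSError as exc:
        return None, str(exc)


if __name__ == "__main__":
    bypass, exempt = classify(APPLE_UPDATE_HOSTS)
    print("# bypass entirely (no proxy support):", ", ".join(bypass))
    print("# proxy OK, exempt from TLS inspection:", ", ".join(exempt))
    print(build_pac(bypass))
    missed = uncovered(["*.apple.com"], bypass + exempt)
    print("# missed by *.apple.com alone:", ", ".join(missed))
```

Run it as-is to see the two buckets and the PAC body; then, from a Mac with ZCC active, call `tls_issuer("updates.cdn-apple.com")` and `tls_issuer("gg.apple.com")` to confirm the exemption took effect for the proxied hosts and that the bypassed hosts are reaching Apple directly.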