3rd September 2018: I keep this blog post as a historical document. Over the last two years it has become more and more apparent that the “whack-a-mole” approach is more work than it’s worth: new Apple hostnames appear all the time and the maintenance burden of tracking them simply isn’t justified.
My recommendation is to allow *.apple.com free passage to/from your network on ports 80 and 443. In particular, the rule has to match on the hostname rather than on IP addresses; I have other posts that explain why.
—
One of the tasks I’ve been working on is mapping out a set of firewall rules to allow various Apple services to work within the confines of a secure network environment. Apple’s recommended guidelines for enabling APNS to work in a corporate environment can be found here:
https://support.apple.com/en-us/HT203609
Let’s see, there are some ports... OK. The ENTIRE 17.x address range (17.0.0.0/8, all of which is assigned to Apple)?
Now while I’m sure a lot of places would be OK with this (one of my former employers certainly was), there are some places rather more security conscious who are not. Things also get complicated when you look at the addresses that systems like APNS are using and find they’re merely CNAMEs for other servers on the internet. You can quite easily find yourself being load balanced onto servers that Akamai is hosting when you think you’re talking to Apple.
What this means is that I’m no longer happy with just having a range of IP addresses whitelisted on a corporate firewall. That led to trying to track down exactly what addresses Apple has publicly exposed on their address range. Some of this is original research, but a lot is taken from places such as iOS jailbreaking websites (which I do not condone myself) and an interesting Q+A section on F5 Networks DevCentral where someone wrote a very basic APNS proxy.
Now while I’m not happy with whitelisting an entire address block, I am less happy again with the number of addresses I found. I’ll list those below, but before you get there: APNS alone has two gateway addresses and a further 50 (!) “courier” addresses, all of which can point outside of Apple’s address range. (Originally listed as 200; changed to 50 as I found that addresses above 50 don’t respond to pings, but 1-50 do.)
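The CNAME problem above is the reason an IP-based allowlist for 17.0.0.0/8 silently breaks: a name under apple.com can resolve, via a CDN CNAME, to an address outside Apple’s block. The following script is an added example (not code from the original post) that resolves each hostname, records its canonical name, and flags any address that an IP-based 17/8 rule would not admit. It uses only the standard library; the `FAKE_DNS` answers are constructed for the offline demo and use RFC 5737 documentation addresses, not real Apple resolution data. Run it with no arguments to see the constructed cases, or pass hostnames on the command line to audit them against your live resolver.

```python
"""Flag hostnames whose resolution chain leaves Apple's 17.0.0.0/8.

Added example for this post, not the author's code. A 'resolver' is any
callable returning (canonical_name, [ipv4_or_ipv6, ...]) so the logic can be
exercised offline with constructed answers or live via the system resolver.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, List, Tuple

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
Resolver = Callable[[str], Tuple[str, List[str]]]


def live_resolver(name: str) -> Tuple[str, List[str]]:
    """System resolver. gethostbyname_ex follows CNAMEs and returns the canonical name."""
    canonical, _aliases, ips = socket.gethostbyname_ex(name)
    return canonical, ips


# Constructed answers for the offline demo (NOT real DNS data): a host that stays
# inside 17/8, a courier that CNAMEs out to a CDN name and lands outside 17/8,
# and a host whose answer mixes addresses inside and outside the block.
FAKE_DNS: Dict[str, Tuple[str, List[str]]] = {
    "mesu.apple.com": ("mesu.apple.com", ["17.1.2.3"]),
    "1-courier.push.apple.com": ("courier.cdn.example.net", ["203.0.113.7"]),
    "swcdn.apple.com": ("swcdn.cdn.example.net", ["17.1.2.4", "198.51.100.9"]),
}


def fake_resolver(name: str) -> Tuple[str, List[str]]:
    """Offline stand-in for live_resolver; raises like the real one for unknown names."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"constructed resolver has no answer for {name}")


def in_apple_zone(canonical: str) -> bool:
    """True when the canonical (post-CNAME) name is still under apple.com."""
    canonical = canonical.lower().rstrip(".")
    return canonical == "apple.com" or canonical.endswith(".apple.com")


def classify(name: str, resolve: Resolver = live_resolver) -> dict:
    """Resolve `name` and report which addresses an IP-based 17/8 rule would miss.

    IPv6 answers always count as outside 17/8 (it is an IPv4 block), which is
    what a v4-only firewall rule would do too.
    """
    canonical, ips = resolve(name)
    outside = [ip for ip in ips if ipaddress.ip_address(ip) not in APPLE_NET]
    return {
        "name": name,
        "canonical": canonical,
        "cname_out_of_zone": not in_apple_zone(canonical),
        "ips": ips,
        "outside_apple": outside,
        "safe_for_ip_allowlist": not outside,
    }


def audit(names: List[str], resolve: Resolver = live_resolver) -> List[dict]:
    """Return the entries that need a hostname rule rather than a 17/8 IP rule.

    Names that fail to resolve are reported too, since a rule for them is dead.
    """
    problems = []
    for name in names:
        try:
            result = classify(name, resolve)
        except socket.gaierror as exc:
            problems.append({"name": name, "error": str(exc)})
            continue
        if not result["safe_for_ip_allowlist"]:
            problems.append(result)
    return problems


if __name__ == "__main__":
    targets = sys.argv[1:]
    resolver = live_resolver if targets else fake_resolver
    for entry in audit(targets or list(FAKE_DNS), resolver):
        if "error" in entry:
            print(f"{entry['name']}: unresolved ({entry['error']})")
        else:
            print(f"{entry['name']} -> {entry['canonical']} "
                  f"(outside 17/8: {', '.join(entry['outside_apple'])})")
```

The check is deliberately conservative: a name is only “safe” for an IP allowlist when every address it currently returns is inside 17/8, and even then the answer can change on the next TTL expiry, which is the practical argument for hostname-based rules.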
Below is the list I’ve so far managed to compile. You have names, ports and probable uses. If anyone has more accurate information on any of this I want to know, and I can be contacted in the usual places.
No | DNS | Ports Used | Used For
--- | --- | --- | ---
1 | appleid.apple.com | | Accounts.prefPane
2 | contacts.icloud.com | | AddressBook.framework
3 | apsu.apple.com | | AirPort Utility.app
4 | gsas.apple.com | 443 | akd
5 | icloud.com | | AOSKit.framework
6 | me.com | | AOSKit.framework
7 | setup.icloud.com | | AOSKit.framework
8 | fmip.me.com | | AOSNotification.framework
9 | *.itunes.apple.com | | App Store
10 | itunes.apple.com | | App Store
11 | metrics.apple.com | | App Store.app
12 | idmsa.apple.com | | Apple ID authentication?
13 | identity.apple.com | | AppleIDAuthAgent
14 | iphonediags.apple.com | | AppleMobileDeviceHelper.app
15 | iphonesubmissions.apple.com | | AppleMobileDeviceHelper.app
16 | init-p01st.push.apple.com | | APNS Client Initialisation Server
17 | init-s01st.push.apple.com | | APNS Client Initialisation Server (sandbox)
18 | lcdn-locator.apple.com | 443 | Asset Cache Locator Service
19 | guzzoni.apple.com | | AssistantServices.framework
20 | gsa.apple.com | 443 | AuthKit framework
21 | lcdn-registration.apple.com | | Caching Server Registration
22 | wu-calculator.apple.com | | Calculator.app
23 | caldav.icloud.com | | CalendarPersistence.framework
24 | ical.mac.com | | CalendarPersistence.framework
25 | attwifi.apple.com | | CaptiveNetworkSupport
26 | captive.apple.com | 80 | CaptiveNetworkSupport
27 | suconfig.apple.com | 443 | cloudconfigurationd
28 | configuration.apple.com | 443 | CloudKit / keyboardservicesd / GeoLocation / Photos Agent
29 | ax.init.itunes.apple.com | | CommerceKit.framework
30 | init.itunes.apple.com | | CommerceKit.framework
31 | sandbox.itunes.apple.com | | CommerceKit.framework
32 | su-itunes.apple.com | 443 | CommerceKit.framework
33 | trackingshipment.apple.com | | DataDetectors.framework
34 | acc-ipt.apple.com | | DEP API Sign up
35 | api-applecareconnect-ept.apple.com | | DEP API UAT
36 | api-applecareconnect-ept2.apple.com | | DEP API UAT
37 | appleconnect.apple.com | 443 | DEP API Website
38 | iprofiles.apple.com | 443 | DEP Enrollment Profile
39 | lookup-api.apple.com | | Dictionary.app
40 | commnat-cohort.ess.apple.com | 16386 | gamed
41 | commnat-main.ess.apple.com | 16384:16385 | gamed
42 | cp7vi.apple.com | | GameKit.framework
43 | df6ed.apple.com | | GameKit.framework
44 | gz8rm.apple.com | | GameKit.framework
45 | init.gc.apple.com | | GameKit.framework
46 | link.gc.apple.com | | GameKit.framework
47 | static.gc.apple.com | | GameKit.framework
48 | z2r0y.apple.com | | GameKit.framework
49 | gsp-ssl.ls.apple.com | 443 | GeoServices.framework
50 | gsp1.apple.com | 80 | GeoServices.framework
51 | gsp17-2-ssl.apple.com | | GeoServices.framework
52 | gsp17-ssl.apple.com | | GeoServices.framework
53 | gspa21.ls.apple.com | | GeoServices.framework
54 | gspa35-ssl.ls.apple.com | 443 | GeoServices.framework
55 | gspe1-ssl.ls.apple.com | 443 | GeoServices.framework
56 | gspe21.ls.apple.com | 80 | GeoServices.framework
57 | gspe35-ssl.ls.apple.com | 443 | GeoServices.framework
58 | help.apple.com | | HelpData.framework
59 | helposx.apple.com | | HelpData.framework
60 | helpqt.apple.com | | HelpData.framework
61 | support.apple.com | | HelpData.framework
62 | redcarpet.apple.com | | HelpViewer.app
63 | iadsdk.apple.com | | iAdCore.framework
64 | userpub.itunes.apple.com | | iBooks.app
65 | vocabulary.itunes.apple.com | | iBooks.app
66 | init-p01md.apple.com | | IMFoundation.framework
67 | init.ess.apple.com | | IMFoundation.framework
68 | bugreport.apple.com | | IMLoggingAgent
69 | gil.apple.com | | InternetAccounts.framework
70 | gs.apple.com | 80:443 | iOS update server
71 | gg*.apple.com | 80:443 | iOS update servers
72 | m3.mac.com | | ISSupport.framework
73 | deimos3.apple.com | 443 | iTunes Store
74 | phobos.apple.com | 443 | iTunes Store
75 | cl-dev.apple.com | | locationd
76 | cl2.apple.com | | locationd
77 | cl3.apple.com | | locationd
78 | gs-loc.apple.com | | locationd
79 | gsp10-ssl.apple.com | | locationd
80 | gsp9-ssl.apple.com | | locationd
81 | iphone-ld.apple.com | | locationd
82 | play.itunes.apple.com | 443 | locationd
83 | lookup-api.apple.com | | Lookup.framework
84 | feedback.apple.com | | Mail.app
85 | mac-services.apple.com | | MailCore.framework
86 | mesu.apple.com | 443 | Main Entry Software Update server
87 | icalserver.apple.com | | ManagedClient.app
88 | manifest2.inn.rdca.ls.apple.com | | Maps.app
89 | mdmenrollment.apple.com | 443 | MDM / DEP
90 | hello.connectivity.me.com | | mDNSResponder
91 | appleconnect.apple.com | | MobileDevice.framework
92 | albert.apple.com | 443 | OS X / iOS Activation Server
93 | idisk.mac.com | | OSServices.framework
94 | smp-device-content.apple.com | 443 | PassKitCore.framework
95 | ink.apple.com | | Print.framework
96 | qtsoftware.apple.com | | QuickTime.framework
97 | quicktimepro.apple.com | | QuickTime.framework
98 | qtpartners.apple.com | | RTCReporting.framework
99 | extensions.apple.com | | Safari.framework
100 | plugins.apple.com | | Safari.framework
101 | public.me.com | | ScreenReader.framework
102 | photocast.me.com | | ScreenSaver.framework
103 | fdereg.apple.com | | Security.framework
104 | timestamp.apple.com | | Security.framework
105 | littlebuddy.apple.com | | Setup Assistant.app
106 | static.ips.apple.com | | Social.framework
107 | swcdnlocator.apple.com | | SoftwareUpdate.framework
108 | swscan.apple.com | | SoftwareUpdate.framework
109 | gdmf.apple.com | | iOS Software Lookup Service
110 | p33-buy.itunes.apple.com | 443 | storeaccountd via CommerceKit.TransactionService.xpc
111 | buy.itunes.apple.com | 443 | storeassetd
112 | su.itunes.apple.com | 443 | storeassetd
113 | osxapps.itunes.apple.com | 80 | storedownloadd
114 | p24-buy-itunes.apple.com | 443 | storedownloadd
115 | radarsubmissions.apple.com | | SubmitDiagInfo
116 | depot.info.apple.com | | System Information.app
117 | gnf-mdn.apple.com | 443 | Touchbar Install?
118 | gnf-mr.apple.com | 443 | Touchbar Install?
119 | ig.apple.com | 443 | Touchbar Install?
120 | skl.apple.com | 443 | Touchbar Install?
121 | gallery.me.com | | WebCore.framework
122 | idisk.me.com | | webdav_fs.kext
123 | iphone-wu.apple.com | | WidgetResources
124 | wu-charts.apple.com | | WidgetResources
125 | wu-converter.apple.com | | WidgetResources
126 | wu-quotes.apple.com | | WidgetResources
127 | wu-stocks.apple.com | | WidgetResources
128 | wu.apple.com | | WidgetResources
129 | api-glb-fra.smoot.apple.com | 443 |
130 | api.smoot.apple.com | 443 |
131 | crl.apple.com | |
132 | deploy.apple.com | 443 |
133 | iforgot.apple.com | |
134 | maps.apple.com | |
135 | pancake.apple.com | 443 |
136 | pd-nk.itunes.apple.com | 443 |
137 | swcdn.apple.com | 443 |
138 | swdownload.apple.com | 443 |
139 | swquery.apple.com | 443 |
140 | xp.apple.com | 443 |
141 | api.push.apple.com | 2197:443 | Push notification live sending server
142 | gateway.push.apple.com | 2195:2196 | Push notification receive gateway
143 | 1-courier.push.apple.com | 5223:443 | Push notification server
144 | 2-courier.push.apple.com | 5223:443 | Push notification server
145 | 3-courier.push.apple.com | 5223:443 | Push notification server
146 | 4-courier.push.apple.com | 5223:443 | Push notification server
147 | 5-courier.push.apple.com | 5223:443 | Push notification server
148 | 6-courier.push.apple.com | 5223:443 | Push notification server
149 | 7-courier.push.apple.com | 5223:443 | Push notification server
150 | 8-courier.push.apple.com | 5223:443 | Push notification server
151 | 9-courier.push.apple.com | 5223:443 | Push notification server
152 | 10-courier.push.apple.com | 5223:443 | Push notification server
153 | 11-courier.push.apple.com | 5223:443 | Push notification server
154 | 12-courier.push.apple.com | 5223:443 | Push notification server
155 | 13-courier.push.apple.com | 5223:443 | Push notification server
156 | 14-courier.push.apple.com | 5223:443 | Push notification server
157 | 15-courier.push.apple.com | 5223:443 | Push notification server
158 | 16-courier.push.apple.com | 5223:443 | Push notification server
159 | 17-courier.push.apple.com | 5223:443 | Push notification server
160 | 18-courier.push.apple.com | 5223:443 | Push notification server
161 | 19-courier.push.apple.com | 5223:443 | Push notification server
162 | 20-courier.push.apple.com | 5223:443 | Push notification server
163 | 21-courier.push.apple.com | 5223:443 | Push notification server
164 | 22-courier.push.apple.com | 5223:443 | Push notification server
165 | 23-courier.push.apple.com | 5223:443 | Push notification server
166 | 24-courier.push.apple.com | 5223:443 | Push notification server
167 | 25-courier.push.apple.com | 5223:443 | Push notification server
168 | 26-courier.push.apple.com | 5223:443 | Push notification server
169 | 27-courier.push.apple.com | 5223:443 | Push notification server
170 | 28-courier.push.apple.com | 5223:443 | Push notification server
171 | 29-courier.push.apple.com | 5223:443 | Push notification server
172 | 30-courier.push.apple.com | 5223:443 | Push notification server
173 | 31-courier.push.apple.com | 5223:443 | Push notification server
174 | 32-courier.push.apple.com | 5223:443 | Push notification server
175 | 33-courier.push.apple.com | 5223:443 | Push notification server
176 | 34-courier.push.apple.com | 5223:443 | Push notification server
177 | 35-courier.push.apple.com | 5223:443 | Push notification server
178 | 36-courier.push.apple.com | 5223:443 | Push notification server
179 | 37-courier.push.apple.com | 5223:443 | Push notification server
180 | 38-courier.push.apple.com | 5223:443 | Push notification server
181 | 39-courier.push.apple.com | 5223:443 | Push notification server
182 | 40-courier.push.apple.com | 5223:443 | Push notification server
183 | 41-courier.push.apple.com | 5223:443 | Push notification server
184 | 42-courier.push.apple.com | 5223:443 | Push notification server
185 | 43-courier.push.apple.com | 5223:443 | Push notification server
186 | 44-courier.push.apple.com | 5223:443 | Push notification server
187 | 45-courier.push.apple.com | 5223:443 | Push notification server
188 | 46-courier.push.apple.com | 5223:443 | Push notification server
189 | 47-courier.push.apple.com | 5223:443 | Push notification server
190 | 48-courier.push.apple.com | 5223:443 | Push notification server
191 | 49-courier.push.apple.com | 5223:443 | Push notification server
192 | 50-courier.push.apple.com | 5223:443 | Push notification server
193 | api.development.push.apple.com | 2197:443 | Push notification test sending server
194 | gateway.sandbox.push.apple.com | 2195:2196 | Push notification test receive gateway
195 | 1-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
196 | 2-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
197 | 3-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
198 | 4-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
199 | 5-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
200 | 6-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
201 | 7-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
202 | 8-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
203 | 9-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
204 | 10-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
205 | 11-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
206 | 12-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
207 | 13-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
208 | 14-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
209 | 15-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
210 | 16-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
211 | 17-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
212 | 18-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
213 | 19-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
214 | 20-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
215 | 21-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
216 | 22-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
217 | 23-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
218 | 24-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
219 | 25-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
220 | 26-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
221 | 27-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
222 | 28-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
223 | 29-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
224 | 30-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
225 | 31-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
226 | 32-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
227 | 33-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
228 | 34-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
229 | 35-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
230 | 36-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
231 | 37-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
232 | 38-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
233 | 39-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
234 | 40-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
235 | 41-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
236 | 42-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
237 | 43-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
238 | 44-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
239 | 45-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
240 | 46-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
241 | 47-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
242 | 48-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
243 | 49-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
244 | 50-courier.sandbox.push.apple.com | 5223:443 | Push notification test server
245 | gdmf.apple.com/v2/pmv | 443 | iOS Update Catalog
246 | *.thawte.com | 80 | Apple CA OCSP validation
247 | *.geotrust.com | 80 | Apple CA OCSP validation
248 | *.ws.symantec.com | 80 | Apple CA OCSP validation
249 | *.symcb.com | 80 | Apple CA OCSP validation
250 | *.symcd.com | 80 | Apple CA OCSP validation
251 | EV-Intl-ocsp.verisign.com | 80 | Apple CA OCSP validation
252 | EVSecure-ocsp.verisign.com | 80 | Apple CA OCSP validation
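A practitioner reading the table alongside the 2018 note at the top will want to know exactly what the blanket “*.apple.com on 80 and 443” rule leaves out. The script below is an added example, not code from the original post: it parses rows in the table’s own `No | DNS | Ports | Use` layout, collapses them into a per-hostname port policy (the shape a hostname-aware proxy or firewall rule needs), and lists the rows a blanket rule would not admit, either because the name is not under apple.com (icloud.com, me.com, mac.com, the OCSP responders) or because the row needs a port beyond 80/443 (the APNS couriers and gateways, gamed). It assumes that `a:b` in the ports column means both ports must be open, and that an entry like `gdmf.apple.com/v2/pmv` should be matched on its hostname with the path dropped. `TABLE_EXCERPT` is a small constructed subset of the rows above; point `parse_rows` at the full table to audit all of it.

```python
"""Audit the host table against a blanket hostname allow rule.

Added example for this post, not the author's code. Assumptions: a row is
'No | DNS | Ports | Use'; 'a:b' in the ports column lists two ports that both
need to be open; a path suffix on a DNS cell is dropped before matching.
"""
import sys
from typing import Dict, Iterable, Iterator, List, NamedTuple, Set, Tuple


class HostRule(NamedTuple):
    name: str
    ports: Tuple[int, ...]   # empty when the table row gives no port
    use: str


# Constructed excerpt of the table above, in the same row format.
TABLE_EXCERPT = """\
5 | icloud.com | | AOSKit.framework
24 | ical.mac.com | | CalendarPersistence.framework
41 | commnat-main.ess.apple.com | 16384:16385 | gamed
86 | mesu.apple.com | 443 | Main Entry Software Update server
141 | api.push.apple.com | 2197:443 | Push notification live sending server
143 | 1-courier.push.apple.com | 5223:443 | Push notification server
245 | gdmf.apple.com/v2/pmv | 443 | iOS Update Catalog
246 | *.thawte.com | 80 | Apple CA OCSP validation
"""


def parse_rows(text: str) -> Iterator[HostRule]:
    """Yield one HostRule per numbered table row; header/separator lines are skipped."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 4 or not cells[0].isdigit():
            continue
        name = cells[1].lower().split("/", 1)[0]          # drop any URL path
        ports = tuple(int(p) for p in cells[2].split(":") if p.strip().isdigit())
        yield HostRule(name, ports, cells[3])


def matches_suffix(name: str, pattern: str) -> bool:
    """'*.apple.com' matches apple.com and any subdomain; other patterns match exactly."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def uncovered(rules: Iterable[HostRule], allow_patterns: List[str],
              allow_ports: Set[int]) -> List[Tuple[HostRule, str]]:
    """Rows a blanket policy would not admit, tagged 'domain' or 'port'.

    A row with no recorded port is only checked on its domain.
    """
    missed = []
    for rule in rules:
        if not any(matches_suffix(rule.name, p) for p in allow_patterns):
            missed.append((rule, "domain"))
        elif rule.ports and not set(rule.ports) <= allow_ports:
            missed.append((rule, "port"))
    return missed


def fqdn_policy(rules: Iterable[HostRule]) -> Dict[str, Set[int]]:
    """Collapse rows to hostname -> set of ports (duplicate hostnames are merged)."""
    policy: Dict[str, Set[int]] = {}
    for rule in rules:
        policy.setdefault(rule.name, set()).update(rule.ports)
    return policy


if __name__ == "__main__":
    # Pass a file containing the full table to audit it; otherwise use the excerpt.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TABLE_EXCERPT
    rows = list(parse_rows(text))
    for rule, why in uncovered(rows, ["*.apple.com"], {80, 443}):
        ports = ",".join(map(str, rule.ports)) or "-"
        print(f"{why:6} {rule.name:36} {ports:12} {rule.use}")
```

Run against the full table this turns the informal “allow *.apple.com on 80/443” advice into an explicit list of exceptions to decide on one by one, which is also the list you need to re-check whenever a host in it stops resolving.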
3rd September 2018 Edit:
Well, someone who prefers to remain an anonymous coward tipped me off about gdmf.apple.com/v2/pmv, which appears to be a list of iOS versions and the devices they’re available for. It’s readily readable through a web browser. There’s a good chance management service tools will require access to this as well.
10th September 2016 Edit:
Jason “zoocoup” Broccado has pointed out an interesting one to me: aaplimg.com.
This resolves to three distinct Apple IP addresses: 17.178.96.39, 17.172.224.28 and 17.142.160.39. Where things get interesting is if you run the following command from a macOS terminal window. You can use any of the IPs just mentioned, as you’ll get the same result.
    host 17.178.96.39
You end up with a list of a lot of Apple-related domain names, most of which look like the kind of thing cybersquatters would have. A random example from this list is “lojaiphone.com.br”.
All of these redirect to Apple’s main web page or elsewhere; some of them cleverly target specific parts of that page.
I wish I knew more about DNS than I currently do.
12th September 2016:
Found an interesting GitHub repository called “osxparanoia” thanks to investigating @carlashleyphoto’s Twitter tip-off. I’ll be incorporating the info there (minus existing and non-responsive addresses) into the list.
25th September 2016:
A lot of the addresses didn’t have valid DNS names anymore (esp. APNS stuff) so they’ve been trimmed out.
28th September 2016:
I installed Little Snitch as a demo on my laptop and made careful note of the extra addresses I didn’t have before 😉
30th September 2016:
Jason “zoocoup” Broccado has kindly found another server address while investigating all the Caching server issues going on at the moment.
28th November 2016:
Updates to the courier address information, plus updated OCSP certificate-checking servers.
1st April 2017:
Ben “macmule” Toms provided a suspicious-looking link on April Fool’s Day (using my own suspicions against me? Nicely done, sir!) and found that Apple requires certain addresses to support the new Touch Bar Macs.
28th April 2017:
Cyril Niklaus provided some extra addresses today to do with software updates.
30th May 2017:
I’ve been investigating App Store connectivity and found a few interesting addresses being used. I also added in all the sandbox APNS addresses.
7th July 2017:
Brad Chapman on the MacAdmins Slack instance tipped me off about the existence of two further addresses for APNS, which are contacted before the main courier addresses. I had them in the list but didn’t know what they were; their descriptions have been updated.
22nd April 2018: Jason “zoocoup” Broccado tipped me off in the direction of Pepjin Bruienne who discovered this apple link in the MDM spec. https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/ManagedAppsUpdates/ManagedAppsUpdates.html#//apple_ref/doc/uid/TP40017387-CH10-SW44