Apple products on enterprise networks

Device setup

Apple devices need access to the following hosts during setup, or when installing, updating, or restoring the operating system.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| albert.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Device activation | Yes |
| captive.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals | Yes |
| gs.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
| humb.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
| static.ips.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
| sq-device.apple.com | 443 | TCP | iOS and iPadOS | eSIM activation | |
| tbsc.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
| time-ios.apple.com | 123 | UDP | iOS, iPadOS, and tvOS | Used by devices to set their date and time | |
| time.apple.com | 123 | UDP | iOS, iPadOS, tvOS, and macOS | Used by devices to set their date and time | |
| time-macos.apple.com | 123 | UDP | macOS only | Used by devices to set their date and time | |

Device management

Apple devices enrolled in MDM need access to the following hosts and domains.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| *.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, iPadOS, tvOS, and macOS | Push notifications | Learn more about APNs and proxies. |
| deviceenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP provisional enrollment | |
| deviceservices-external.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | |
| gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by an MDM server to identify which software updates are available to devices that use managed software updates | Yes |
| identity.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | APNs certificate request portal | Yes |
| iprofiles.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
| mdmenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by MDM servers to upload enrollment profiles for clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts | Yes |
| setup.icloud.com | 443 | TCP | iOS and iPadOS | Required to log in with a Managed Apple ID on Shared iPad | |
| vpp.itunes.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device | Yes |
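The Device setup and Device management tables are only useful once they are compared against what the network actually permits. The script below is an added example, not code from Apple's article: it transcribes a handful of rows from those two tables into a `REQUIRED` list, defines a constructed sample egress policy (`POLICY`, in a firewall-style host-pattern/port/protocol form of this example's own invention), and reports every host and port the policy fails to allow. Two details matter in practice and are handled here: a required wildcard such as `*.push.apple.com` is only satisfied by a rule that is at least as broad, and rows in the "Supports proxies" column can be routed through an HTTP proxy, while the UDP time servers cannot.

```python
"""Egress-allowlist coverage check against Apple's host requirements.

Added example; this is not code from Apple's article.  REQUIRED is a small
subset transcribed from the Device setup and Device management tables;
POLICY is a constructed sample egress policy in a firewall-style
(host-pattern, port, protocol) form of this example's own invention.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    host: str         # exact host or wildcard such as "*.push.apple.com"
    ports: tuple      # ints from the Ports column
    proto: str        # "TCP" or "UDP"
    proxy_ok: bool    # "Supports proxies" column


@dataclass(frozen=True)
class Rule:
    pattern: str      # exact host or "*.suffix" wildcard allowed by the firewall
    port: int
    proto: str


# Transcribed from the tables above (subset).  The APNs row is treated as
# not proxy-capable here because its column only points to a separate note.
REQUIRED = [
    Requirement("albert.apple.com", (443,), "TCP", True),
    Requirement("captive.apple.com", (443, 80), "TCP", True),
    Requirement("sq-device.apple.com", (443,), "TCP", False),
    Requirement("time.apple.com", (123,), "UDP", False),
    Requirement("*.push.apple.com", (443, 80, 5223, 2197), "TCP", False),
    Requirement("gdmf.apple.com", (443,), "TCP", True),
]

# Constructed sample policy, typical of an allowlist written from memory.
POLICY = [
    Rule("albert.apple.com", 443, "TCP"),
    Rule("captive.apple.com", 443, "TCP"),
    Rule("captive.apple.com", 80, "TCP"),
    Rule("sq-device.apple.com", 443, "TCP"),
    Rule("*.push.apple.com", 443, "TCP"),
    Rule("gateway.push.apple.com", 5223, "TCP"),  # narrower than the required wildcard
]


def covers(pattern: str, required_host: str) -> bool:
    """True if a firewall pattern allows every host the requirement names.

    A required wildcard (*.push.apple.com) is only covered by a wildcard rule
    that is at least as broad; an exact rule never covers a wildcard, and
    "*.apple.com" does not cover the bare apex "apple.com".
    """
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.apple.com" -> ".apple.com"
        if required_host.startswith("*."):
            return required_host[1:].endswith(suffix)
        return required_host.endswith(suffix)
    return not required_host.startswith("*.") and pattern == required_host


def check_policy(requirements, rules, via_proxy=False):
    """Return (host, port, proto) triples that the policy does not allow.

    With via_proxy=True, rows marked as supporting proxies are assumed to be
    reached through an HTTP proxy that has its own egress, so they are not
    reported.  UDP rows (NTP on port 123) can never be satisfied that way.
    """
    missing = []
    for req in requirements:
        if via_proxy and req.proxy_ok:
            continue
        for port in req.ports:
            allowed = any(
                r.port == port and r.proto == req.proto and covers(r.pattern, req.host)
                for r in rules
            )
            if not allowed:
                missing.append((req.host, port, req.proto))
    return missing


if __name__ == "__main__":
    for host, port, proto in check_policy(REQUIRED, POLICY):
        print(f"missing: {host} {port}/{proto}")
```

Run against the sample policy, the check reports the NTP server (UDP 123), three of the four APNs ports (the exact `gateway.push.apple.com` rule does not satisfy the `*.push.apple.com` requirement) and `gdmf.apple.com`; with `via_proxy=True` the `gdmf.apple.com` row drops out because the table marks it as proxy-capable, while the UDP and APNs gaps remain. Extending `REQUIRED` to the full tables on this page is a matter of transcribing the remaining rows.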

Apple Business Manager and Apple School Manager

Administrators and managers need access to the following hosts and domains in order to administer and manage Apple Business Manager and Apple School Manager.

| Hosts | Ports | Protocol | Description | Supports proxies |
| --- | --- | --- | --- | --- |
| *.business.apple.com | 443, 80 | TCP | Apple Business Manager | |
| *.school.apple.com | 443, 80 | TCP | Apple School Manager | |
| appleid.cdn-apple.com | 443 | TCP | Login authentication | Yes |
| idmsa.apple.com | 443 | TCP | Login authentication | Yes |
| *.itunes.apple.com | 443, 80 | TCP | Apps and Books | Yes |
| *.mzstatic.com | 443 | TCP | Apps and Books | |
| api.ent.apple.com | 443 | TCP | Apps and Books (ABM) | |
| api.edu.apple.com | 443 | TCP | Apps and Books (ASM) | |
| statici.icloud.com | 443 | TCP | Device icons | |
| *.vertexsmb.com | 443 | TCP | Validating tax-exempt status | |
| www.apple.com | 443 | TCP | Fonts for certain languages | |
| upload.appleschoolcontent.com | 22 | SSH | SFTP uploads | Yes |

Employees and students using Managed Apple IDs need access to the following host in order to look up others in their business or school when composing messages or sharing documents.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| ws-ee-maidsvc.icloud.com | 443, 80 | TCP | iOS, iPadOS, and macOS | User lookup service | |

Apple Business Essentials device management

Administrators and devices managed by Apple Business Essentials need access to the following hosts and domains, along with those listed above for Apple Business Manager.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| axm-adm-enroll.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP enrollment server | |
| axm-adm-mdm.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM server | |
| axm-adm-scep.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | SCEP server | |
| axm-app.apple.com | 443 | TCP | iOS, iPadOS, and macOS | View and manage apps and devices | |
| *.apple-mapkit.com | 443 | TCP | iOS and iPadOS | View the location of devices in Managed Lost Mode | |
| icons.axm-usercontent-apple.com | 443 | TCP | macOS | Custom Package icons | |

Classroom and Schoolwork

Student and Teacher devices using the Classroom or Schoolwork apps need access to the following hosts, as well as those listed in the Apple ID and iCloud sections below.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| s.mzstatic.com | 443 | TCP | iPadOS and macOS | Classroom and Schoolwork device verification | |
| play.itunes.apple.com | 443 | TCP | iPadOS and macOS | Classroom and Schoolwork device verification | |
| ws-ee-maidsvc.icloud.com | 443 | TCP | iPadOS and macOS | Classroom and Schoolwork class roster service | |
| ws.school.apple.com | 443 | TCP | iPadOS and macOS | Classroom and Schoolwork class roster service | |
| pg-bootstrap.itunes.apple.com | 443 | TCP | iPadOS | Schoolwork handout service | |
| cls-iosclient.itunes.apple.com | 443 | TCP | iPadOS | Schoolwork handout service | |
| cls-ingest.itunes.apple.com | 443 | TCP | iPadOS | Schoolwork handout service | |

Software updates

Make sure you can access the following ports for updating macOS, apps from the Mac App Store, and for using content caching.

macOS, iOS, iPadOS, watchOS, and tvOS

Apple devices need access to the following hosts when installing, restoring, and updating iOS, iPadOS, macOS, watchOS, and tvOS.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| appldnld.apple.com | 80 | TCP | iOS, iPadOS, and watchOS | iOS, iPadOS, and watchOS updates | |
| configuration.apple.com | 443 | TCP | macOS only | Rosetta 2 updates | |
| gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Software update catalog | |
| gg.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | iOS, iPadOS, tvOS, watchOS, and macOS updates | Yes |
| gs.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | iOS, iPadOS, tvOS, watchOS, and macOS updates | Yes |
| ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
| mesu.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Hosts software update catalogs | |
| ns.itunes.apple.com | 443 | TCP | iOS, iPadOS, and watchOS | | Yes |
| oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | |
| osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | |
| skl.apple.com | 443 | TCP | macOS only | macOS updates | |
| swcdn.apple.com | 443, 80 | TCP | macOS only | macOS updates | |
| swdist.apple.com | 443 | TCP | macOS only | macOS updates | |
| swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
| swscan.apple.com | 443 | TCP | macOS only | macOS updates | |
| updates-http.cdn-apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | |
| updates.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | |
| xp.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |

App Store

Apple devices need access to the following hosts and domains for installing and updating apps.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| *.itunes.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
| *.apps.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
| *.mzstatic.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | |
| itunes.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
| ppq.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Enterprise App validation | |

Carrier updates

Cellular devices need access to the following hosts to install carrier bundle updates.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| appldnld.apple.com | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | |
| appldnld.apple.com.edgesuite.net | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | |
| itunes.com | 80 | TCP | iOS and iPadOS | Carrier bundle update discovery | |
| itunes.apple.com | 443 | TCP | iOS and iPadOS | Carrier bundle update discovery | |
| updates-http.cdn-apple.com | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | |
| updates.cdn-apple.com | 443 | TCP | iOS and iPadOS | Cellular carrier bundle updates | |

Content caching

A Mac that provides content caching needs access to the following hosts, as well as the hosts listed in this document that provide Apple content such as software updates, apps, and additional content.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| lcdn-registration.apple.com | 443 | TCP | macOS only | Server registration | Yes |
| suconfig.apple.com | 80 | TCP | macOS only | Configuration | |
| xp-cdn.apple.com | 443 | TCP | macOS only | Reporting | Yes |

Clients of macOS content caching need access to the following hosts.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| lcdn-locator.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Content caching locator service | |
| serverstatus.apple.com | 443 | TCP | macOS only | Content caching client public IP determination | |

App features

Apple devices may need access to the following hosts to use certain app features. 

App notarization is required for apps to run on macOS 10.14 and later. Gatekeeper requires access to Apple servers to verify notarization, unless the app developer has stapled the notarization ticket to the app. App developers can learn more about customizing the notarization workflow.

App validation is used to certify that a valid instance of the app is running. App developers can learn more about establishing an app’s integrity.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| api.apple-cloudkit.com | 443 | TCP | macOS | App notarization | |
| *.appattest.apple.com | 443 | TCP | iOS, iPadOS, and macOS | App validation, Touch ID and Face ID authentication for websites | |

Beta updates

Apple devices need access to the following hosts to sign in to Beta Updates and report feedback using the Feedback Assistant app.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| bpapi.apple.com | 443 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Beta update enrollment | Yes |
| cssubmissions.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Feedback Assistant to upload files | Yes |
| fba.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Feedback Assistant to file and view feedback | Yes |

Apple diagnostics

Apple devices might access the following host in order to perform diagnostics used to detect a possible hardware issue.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| diagassets.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Apple devices to help detect possible hardware issues | Yes |

Domain Name System resolution

Encrypted Domain Name System (DNS) resolution in iOS 14, iPadOS 14, tvOS 14, and macOS Big Sur and later uses the following host.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| doh.dns.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used for DNS over HTTPS (DoH) | Yes |

Certificate validation

Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts in this article.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| certs.apple.com | 80, 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| crl.apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| crl.entrust.net | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| crl3.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| crl4.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| ocsp.apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| ocsp.digicert.cn | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation in China | |
| ocsp.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| ocsp.entrust.net | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| ocsp2.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | |
| valid.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | Yes |

Apple ID

Apple devices must be able to connect to the following hosts in order to authenticate an Apple ID. This is required for all services that use an Apple ID, such as iCloud, app installation, and Xcode.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| appleid.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication in Settings and System Preferences | Yes |
| appleid.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication in Settings and System Preferences | Yes |
| idmsa.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication | Yes |
| gsa.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication | Yes |

iCloud

In addition to the Apple ID hosts listed above, Apple devices must be able to connect to hosts in the following domains to use iCloud services.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| *.apple-cloudkit.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | |
| *.apple-livephotoskit.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | |
| *.apzones.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services in China | |
| *.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | |
| *.gc.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | |
| *.icloud.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | |
| *.icloud.com.cn | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services in China | |
| *.icloud.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | |
| *.icloud-content.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | |
| *.iwork.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iWork documents | |
| mask.icloud.com | 443 | UDP | iOS, iPadOS, and macOS | iCloud Private Relay | |
| mask-h2.icloud.com | 443 | TCP | iOS, iPadOS, and macOS | iCloud Private Relay | |
| mask-api.icloud.com | 443 | TCP | iOS, iPadOS, and macOS | iCloud Private Relay | Yes |

Siri and Search

Apple devices must be able to connect to the following hosts to process Siri requests, including dictation and searching in Apple apps.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| guzzoni.apple.com | 443 | TCP | iOS, iPadOS, and macOS | Siri and dictation requests | |
| *.smoot.apple.com | 443 | TCP | iOS, iPadOS, and macOS | Search services, including Siri, Spotlight, Lookup, Safari, News, Messages, and Music | |

Associated Domains

Apple devices must be able to connect to the following hosts to use Associated Domains in iOS 14, iPadOS 14, and macOS Big Sur and later. Associated Domains underpin universal links, a feature that allows an app to present content in place of all or part of its website. Handoff, App Clips, and single sign-on extensions all use Associated Domains.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| app-site-association.cdn-apple.com | 443 | TCP, UDP | iOS, iPadOS, and macOS | Associated domains for universal links | |
| app-site-association.networking.apple | 443 | TCP, UDP | iOS, iPadOS, and macOS | Associated domains for universal links | |

Tap to Pay on iPhone

To use a payment app to accept contactless payments, an iPhone must be able to reach the following hosts.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| pos-device.apple.com | 443 | TCP, UDP | iOS | Tap to Pay on iPhone | Yes |
| humb.apple.com | 443 | TCP | iOS | Tap to Pay on iPhone setup | Yes |
| phonesubmissions.apple.com | 443 | TCP | iOS | Optional analytics sharing | Yes |

Additional content

Apple devices must be able to connect to the following hosts to download additional content. Some additional content might also be hosted on third-party content distribution networks.

| Hosts | Ports | Protocol | OS | Description | Supports proxies |
| --- | --- | --- | --- | --- | --- |
| audiocontentdownload.apple.com | 80, 443 | TCP | iOS, iPadOS, and macOS | GarageBand downloadable content | |
| devimages-cdn.apple.com | 80, 443 | TCP | macOS only | Xcode downloadable components | |
| download.developer.apple.com | 80, 443 | TCP | macOS only | Xcode downloadable components | |
| playgrounds-assets-cdn.apple.com | 443 | TCP | iPadOS and macOS | Swift Playgrounds | |
| playgrounds-cdn.apple.com | 443 | TCP | iPadOS and macOS | Swift Playgrounds | |
| sylvan.apple.com | 80, 443 | TCP | tvOS only | Apple TV screen savers | |

Source: Apple support article HT210060.