Apple products on enterprise networks
Device setup
Apple devices need access to the following hosts during setup, or when installing, updating, or restoring the operating system.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
albert.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Device activation | Yes |
captive.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals | Yes |
gs.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
humb.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
static.ips.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
sq-device.apple.com | 443 | TCP | iOS and iPadOS | eSIM activation | — |
tbsc.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
time-ios.apple.com | 123 | UDP | iOS, iPadOS, and tvOS | Used by devices to set their date and time | — |
time.apple.com | 123 | UDP | iOS, iPadOS, tvOS, and macOS | Used by devices to set their date and time | — |
time-macos.apple.com | 123 | UDP | macOS only | Used by devices to set their date and time | — |
Device management
Apple devices enrolled in MDM need access to the following hosts and domains.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, iPadOS, tvOS, and macOS | Push notifications | Learn more about APNs and proxies. |
deviceenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP provisional enrollment | — |
deviceservices-external.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | — |
gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by an MDM server to identify which software updates are available to devices that use managed software updates | Yes |
identity.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | APNs certificate request portal | Yes |
iprofiles.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
mdmenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts | Yes |
setup.icloud.com | 443 | TCP | iOS and iPadOS | Required to log in with a Managed Apple ID on Shared iPad | — |
vpp.itunes.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device | Yes |
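The following is an added example, not part of Apple's article: it parses rows in this page's table layout and classifies denied outbound connections from a firewall log, so a blocked enrollment or push flow can be traced to the row it belongs to. The deny-log layout, the sample log lines, the function names, and the reading of `*.` as "subdomains only" are assumptions made for the example.

```python
# Added example: classify denied egress against rows from this page's tables.
# Rows are copied from the Device setup and Device management tables.
ROWS = """\
albert.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Device activation | Yes |
time.apple.com | 123 | UDP | iOS, iPadOS, tvOS, and macOS | Used by devices to set their date and time | — |
*.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, iPadOS, tvOS, and macOS | Push notifications | Learn more about APNs and proxies. |
deviceenrollment.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP provisional enrollment | — |
"""

# Constructed sample; the "DENY proto src -> host:port" layout is an assumption.
DENIED = """\
DENY TCP 10.20.1.15 -> courier.push.apple.com:5223
DENY TCP 10.20.1.15 -> albert.apple.com:8443
DENY UDP 10.20.1.22 -> time.apple.com:123
DENY TCP 10.20.1.22 -> push.apple.com.example.net:443
DENY TCP 10.20.1.30 -> deviceenrollment.apple.com:443
"""

def parse_rows(text):
    """Turn 'Hosts | Ports | Protocol | OS | Description | Supports proxies |' rows into rules."""
    rules = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != 6:
            raise ValueError(f"expected 6 cells: {line!r}")
        host, ports, protos, _os, desc, proxies = cells
        rules.append(dict(host=host.lower(), desc=desc, proxies=proxies,
                          ports={int(p) for p in ports.split(",")},
                          protos={p.strip() for p in protos.split(",")}))
    return rules

def host_matches(pattern, host):
    """'*.example.com' matches subdomains only, anchored at a label boundary."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix keeps the leading dot
    return host == pattern

def triage(log, rules):
    """Return (host, port, status, description) for each denied connection."""
    results = []
    for line in log.strip().splitlines():
        _action, proto, _src, _arrow, dest = line.split()
        host, _, port = dest.lower().rpartition(":")
        named = [r for r in rules if host_matches(r["host"], host)]
        exact = [r for r in named if int(port) in r["ports"] and proto in r["protos"]]
        status = "listed" if exact else "listed-host-other-port" if named else "not-listed"
        rule = (exact or named or [None])[0]
        results.append((host, int(port), status, rule["desc"] if rule else ""))
    return results

if __name__ == "__main__":
    for row in triage(DENIED, parse_rows(ROWS)):
        print(*row, sep="\t")
```

The fourth sample line shows why the match is anchored on the suffix: a hostname that merely contains `push.apple.com` is not covered by the `*.push.apple.com` row and stays denied.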
Apple Business Manager and Apple School Manager
Administrators and managers need access to the following hosts and domains in order to administer and manage Apple Business Manager and Apple School Manager.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.business.apple.com | 443, 80 | TCP | – | Apple Business Manager | — |
*.school.apple.com | 443, 80 | TCP | – | Apple School Manager | — |
appleid.cdn-apple.com | 443 | TCP | – | Login authentication | Yes |
idmsa.apple.com | 443 | TCP | – | Login authentication | Yes |
*.itunes.apple.com | 443, 80 | TCP | – | Apps and Books | Yes |
*.mzstatic.com | 443 | TCP | – | Apps and Books | — |
api.ent.apple.com | 443 | TCP | – | Apps and Books (ABM) | — |
api.edu.apple.com | 443 | TCP | – | Apps and Books (ASM) | — |
statici.icloud.com | 443 | TCP | – | Device icons | — |
*.vertexsmb.com | 443 | TCP | – | Validating tax-exempt status | — |
www.apple.com | 443 | TCP | – | Fonts for certain languages | — |
upload.appleschoolcontent.com | 22 | SSH | – | SFTP uploads | Yes |
Employees and students using Managed Apple IDs need access to the following host in order to look up others in their business or school when composing messages or sharing documents.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
ws-ee-maidsvc.icloud.com | 443, 80 | TCP | iOS, iPadOS, and macOS | User lookup service | — |
Apple Business Essentials device management
Administrators and devices managed by Apple Business Essentials need access to the following hosts and domains, along with those listed above for Apple Business Manager.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
axm-adm-enroll.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | DEP enrollment server | — |
axm-adm-mdm.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | MDM server | — |
axm-adm-scep.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | SCEP server | — |
axm-app.apple.com | 443 | TCP | iOS, iPadOS, and macOS | View and manage apps and devices | — |
*.apple-mapkit.com | 443 | TCP | iOS and iPadOS | View the location of devices in Managed Lost Mode | — |
icons.axm-usercontent-apple.com | 443 | TCP | macOS | Custom Package icons | — |
Classroom and Schoolwork
Student and Teacher devices using the Classroom or Schoolwork apps need access to the following hosts, as well as those listed in the Apple ID and iCloud sections below.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
s.mzstatic.com | 443 | TCP | iPadOS and macOS | Classroom and Schoolwork device verification | — |
play.itunes.apple.com | 443 | TCP | iPadOS and macOS | Classroom and Schoolwork device verification | — |
ws-ee-maidsvc.icloud.com | 443 | TCP | iPadOS and macOS | Classroom and Schoolwork class roster service | — |
ws.school.apple.com | 443 | TCP | iPadOS and macOS | Classroom and Schoolwork class roster service | — |
pg-bootstrap.itunes.apple.com | 443 | TCP | iPadOS | Schoolwork handout service | — |
cls-iosclient.itunes.apple.com | 443 | TCP | iPadOS | Schoolwork handout service | — |
cls-ingest.itunes.apple.com | 443 | TCP | iPadOS | Schoolwork handout service | — |
Software updates
Make sure you can access the following ports for updating macOS, apps from the Mac App Store, and for using content caching.
macOS, iOS, iPadOS, watchOS, and tvOS
Apple devices need access to the following hosts when installing, restoring, and updating iOS, iPadOS, macOS, watchOS, and tvOS.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
appldnld.apple.com | 80 | TCP | iOS, iPadOS, and watchOS | iOS, iPadOS, and watchOS updates | — |
configuration.apple.com | 443 | TCP | macOS only | Rosetta 2 updates | — |
gdmf.apple.com | 443 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Software update catalog | — |
gg.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | iOS, iPadOS, tvOS, watchOS, and macOS updates | Yes |
gs.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | iOS, iPadOS, tvOS, watchOS, and macOS updates | Yes |
ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
mesu.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Hosts software update catalogs | — |
ns.itunes.apple.com | 443 | TCP | iOS, iPadOS, and watchOS | | Yes |
oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | — |
osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | — |
skl.apple.com | 443 | TCP | macOS only | macOS updates | — |
swcdn.apple.com | 443, 80 | TCP | macOS only | macOS updates | — |
swdist.apple.com | 443 | TCP | macOS only | macOS updates | — |
swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
swscan.apple.com | 443 | TCP | macOS only | macOS updates | — |
updates-http.cdn-apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | — |
updates.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Software update downloads | — |
xp.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
App Store
Apple devices need access to the following hosts and domains for installing and updating apps.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.itunes.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
*.apps.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
*.mzstatic.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Store content such as apps, books, and music | — |
itunes.apple.com | 443, 80 | TCP | iOS, iPadOS, tvOS, and macOS | | Yes |
ppq.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Enterprise App validation | — |
Carrier updates
Cellular devices need access to the following hosts to install carrier bundle updates.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
appldnld.apple.com | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
appldnld.apple.com.edgesuite.net | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
itunes.com | 80 | TCP | iOS and iPadOS | Carrier bundle update discovery | — |
itunes.apple.com | 443 | TCP | iOS and iPadOS | Carrier bundle update discovery | — |
updates-http.cdn-apple.com | 80 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
updates.cdn-apple.com | 443 | TCP | iOS and iPadOS | Cellular carrier bundle updates | — |
Content caching
A Mac that provides content caching needs access to the following hosts, as well as the hosts listed in this document that provide Apple content such as software updates, apps, and additional content.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
lcdn-registration.apple.com | 443 | TCP | macOS only | Server registration | Yes |
suconfig.apple.com | 80 | TCP | macOS only | Configuration | — |
xp-cdn.apple.com | 443 | TCP | macOS only | Reporting | Yes |
Clients of macOS content caching need access to the following hosts.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
lcdn-locator.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Content caching locator service | — |
serverstatus.apple.com | 443 | TCP | macOS only | Content caching client public IP determination | — |
App features
Apple devices may need access to the following hosts to use certain app features.
App notarization is required for apps to run on macOS 10.14 and later. Gatekeeper requires access to Apple servers to verify notarization, unless the app developer has stapled the notarization ticket to the app. App developers can learn more about customizing the notarization workflow.
App validation is used to certify that a valid instance of the app is running. App developers can learn more about establishing an app’s integrity.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
api.apple-cloudkit.com | 443 | TCP | macOS | App notarization | — |
*.appattest.apple.com | 443 | TCP | iOS, iPadOS, and macOS | App validation, Touch ID and Face ID authentication for websites | — |
Beta updates
Apple devices need access to the following hosts to sign in to Beta Updates and report feedback using the Feedback Assistant app.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
bpapi.apple.com | 443 | TCP | iOS, iPadOS, tvOS, watchOS, and macOS | Beta update enrollment | Yes |
cssubmissions.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Feedback Assistant to upload files | Yes |
fba.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Feedback Assistant to file and view feedback | Yes |
Apple diagnostics
Apple devices might access the following host in order to perform diagnostics used to detect a possible hardware issue.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
diagassets.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used by Apple devices to help detect possible hardware issues | Yes |
Domain Name System resolution
Encrypted Domain Name System (DNS) resolution in iOS 14, iPadOS 14, tvOS 14, and macOS Big Sur and later uses the following host.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
doh.dns.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Used for DNS over HTTPS (DoH) | Yes |
Certificate validation
Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts in this article.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
certs.apple.com | 80, 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
crl.apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
crl.entrust.net | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
crl3.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
crl4.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
ocsp.apple.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
ocsp.digicert.cn | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation in China | — |
ocsp.digicert.com | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
ocsp.entrust.net | 80 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
ocsp2.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | — |
valid.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Certificate validation | Yes |
Apple ID
Apple devices must be able to connect to the following hosts in order to authenticate an Apple ID. This is required for all services that use an Apple ID, such as iCloud, app installation, and Xcode.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
appleid.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication in Settings and System Preferences | Yes |
appleid.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication in Settings and System Preferences | Yes |
idmsa.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication | Yes |
gsa.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | Apple ID authentication | Yes |
iCloud
In addition to the Apple ID hosts listed above, Apple devices must be able to connect to hosts in the following domains to use iCloud services.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.apple-cloudkit.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.apple-livephotoskit.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.apzones.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services in China | — |
*.cdn-apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.gc.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.icloud.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.icloud.com.cn | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services in China | — |
*.icloud.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.icloud-content.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iCloud services | — |
*.iwork.apple.com | 443 | TCP | iOS, iPadOS, tvOS, and macOS | iWork documents | — |
mask.icloud.com | 443 | UDP | iOS, iPadOS, macOS | iCloud Private Relay | — |
mask-h2.icloud.com | 443 | TCP | iOS, iPadOS, macOS | iCloud Private Relay | — |
mask-api.icloud.com | 443 | TCP | iOS, iPadOS, macOS | iCloud Private Relay | Yes |
Siri and Search
Apple devices must be able to connect to the following hosts to process Siri requests, including dictation and searching in Apple apps.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
guzzoni.apple.com | 443 | TCP | iOS, iPadOS, and macOS | Siri and dictation requests | — |
*.smoot.apple.com | 443 | TCP | iOS, iPadOS, and macOS | Search services, including Siri, Spotlight, Lookup, Safari, News, Messages and Music | — |
Associated Domains
Apple devices must be able to connect to the following hosts to use Associated Domains in iOS 14, iPadOS 14, and macOS Big Sur and later. Associated Domains underpin universal links, a feature that allows an app to present content in place of all or part of its website. Handoff, App Clips, and single sign-on extensions all use Associated Domains.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
app-site-association.cdn-apple.com | 443 | TCP, UDP | iOS, iPadOS, and macOS | Associated domains for universal links | — |
app-site-association.networking.apple | 443 | TCP, UDP | iOS, iPadOS, and macOS | Associated domains for universal links | — |
Tap to Pay on iPhone
To use a payment app to accept contactless payments, an iPhone must be able to reach the following hosts.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
pos-device.apple.com | 443 | TCP, UDP | iOS | Tap to Pay on iPhone | Yes |
humb.apple.com | 443 | TCP | iOS | Tap to Pay on iPhone setup | Yes |
phonesubmissions.apple.com | 443 | TCP | iOS | Optional analytics sharing | Yes |
Additional content
Apple devices must be able to connect to the following hosts to download additional content. Some additional content might also be hosted on third-party content distribution networks.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
audiocontentdownload.apple.com | 80, 443 | TCP | iOS, iPadOS, and macOS | GarageBand downloadable content | — |
devimages-cdn.apple.com | 80, 443 | TCP | macOS only | Xcode downloadable components | — |
download.developer.apple.com | 80, 443 | TCP | macOS only | Xcode downloadable components | — |
playgrounds-assets-cdn.apple.com | 443 | TCP | iPadOS and macOS | Swift Playgrounds | — |
playgrounds-cdn.apple.com | 443 | TCP | iPadOS and macOS | Swift Playgrounds | — |
sylvan.apple.com | 80, 443 | TCP | tvOS only | Apple TV screen savers | — |