Apple 17.0.0.0/8 Services

One of the tasks I’ve been working on is mapping a set of firewall rules to allow various Apple services to work within the confines of a secure network environment. Apple’s recommended guidelines for enabling APNS to work in a corporate environment can be found here:

https://support.apple.com/en-us/HT203609

Let’s see, there are some ports... OK. The ENTIRE 17.x address range?

Now while I’m sure a lot of places would be OK with this (one of my former employers certainly was), there are some rather more security-conscious places that are not. Things also get complicated when you look at the addresses systems like APNS are using and find that they’re merely CNAMEs for other servers on the internet. You can quite easily find yourself being load balanced onto servers that Akamai is hosting when you think you’re talking to Apple.

What this means is that I’m no longer happy with just having a range of IP addresses whitelisted on a corporate firewall. That led to trying to track down exactly which addresses Apple has publicly exposed in its address range. Some of this is original research, but a lot is taken from sources such as iOS jailbreaking websites (which I do not condone myself) and an interesting Q&A thread on F5 Networks DevCentral where someone wrote a very basic APNS proxy.

Now while I’m not happy with whitelisting an entire address block, I am even less happy with the number of addresses I found. I’ll list those below, but before you get there: APNS alone has two gateway addresses and a further 50 (!) “courier” addresses, all of which can point outside of Apple’s address range. (Changed from 200 to 50 as I found that addresses above 50 don’t respond to pings, but 1-50 do.)
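The CNAME problem above can be checked mechanically: resolve each host in the list and flag any address that has left 17.0.0.0/8. The script below is an added example written for this post, not the author’s own tooling; it parses rows in the post’s flat “host [port[:port]] purpose” format, and the stub resolver, hostnames and addresses it is fed are constructed (17.x for inside Apple’s block, TEST-NET-3 203.0.113.x standing in for a CDN), not real lookup results.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Apple's block that the APNS guidance asks to be opened wholesale.
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")


def parse_entry(line: str) -> Tuple[str, List[int], str]:
    """Parse one row in the post's 'host [port[:port]] purpose' format.
    '5223:443' is read as a list of alternative ports."""
    parts = line.split()
    host, rest, ports = parts[0], parts[1:], []
    if rest and all(p.isdigit() for p in rest[0].split(":")):
        ports = [int(p) for p in rest[0].split(":")]
        rest = rest[1:]
    return host, ports, " ".join(rest)


def live_resolver(host: str) -> List[str]:
    """Real IPv4 lookup; used only when no stub resolver is supplied."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def audit(entries: List[str],
          resolver: Callable[[str], List[str]] = live_resolver) -> Dict[str, dict]:
    """Resolve each host and split its addresses into those inside 17.0.0.0/8
    and those handed off elsewhere (e.g. a CDN reached through a CNAME)."""
    report: Dict[str, dict] = {}
    for line in entries:
        host, ports, purpose = parse_entry(line)
        entry = {"ports": ports, "purpose": purpose, "inside": [], "outside": [], "status": "ok"}
        if host.startswith("*."):
            entry["status"] = "wildcard"      # not resolvable; needs an FQDN or a proxy rule
        else:
            try:
                for addr in resolver(host):
                    key = "inside" if ipaddress.ip_address(addr) in APPLE_BLOCK else "outside"
                    entry[key].append(addr)
            except OSError:                   # socket.gaierror: stale row, candidate for trimming
                entry["status"] = "nxdomain"
        report[host] = entry
    return report


def hosts_leaving_block(report: Dict[str, dict]) -> List[str]:
    """Hosts whose resolved addresses are not covered by a 17.0.0.0/8 rule."""
    return sorted(h for h, e in report.items() if e["outside"])


# Constructed sample rows and a stub resolver; none of these addresses are real.
SAMPLE_ROWS = [
    "1-courier.push.apple.com 5223:443 Push notification server",
    "*.itunes.apple.com App Store",
    "captive.apple.com 80 CaptiveNetworkSupport",
    "stale.example.com 443 Stale entry",
]
STUB_DNS = {"1-courier.push.apple.com": ["17.0.0.10", "203.0.113.7"],
            "captive.apple.com": ["17.0.0.20"]}


def stub_resolver(host: str) -> List[str]:
    if host not in STUB_DNS:
        raise socket.gaierror("no such host")
    return STUB_DNS[host]
```

Running `audit(SAMPLE_ROWS, stub_resolver)` reports the courier host as leaving the block, the wildcard row as unresolvable, and the stale row as nxdomain; swap in the default resolver to run it against the real list.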

Below is the list I’ve so far managed to compile. You have names, ports and probable uses. If anyone has more accurate information on any of this, I want to know, and I can be contacted in the usual places.

No DNS Ports Used Used For
1 appleid.apple.com Accounts.prefPane
2 contacts.icloud.com AddressBook.framework
3 apsu.apple.com AirPort Utility.app
4 gsas.apple.com 443 akd
5 icloud.com AOSKit.framework
6 me.com AOSKit.framework
7 setup.icloud.com AOSKit.framework
8 fmip.me.com AOSNotification.framework
9 *.itunes.apple.com App Store
10 itunes.apple.com App Store
11 metrics.apple.com App Store.app
12 idmsa.apple.com Apple ID authentication?
13 identity.apple.com AppleIDAuthAgent
14 iphonediags.apple.com AppleMobileDeviceHelper.app
15 iphonesubmissions.apple.com AppleMobileDeviceHelper.app
16 init-p01st.push.apple.com APNS Client Initialisation Server
17 init-s01st.push.apple.com APNS Client Initialisation Server (sandbox)
18 lcdn-locator.apple.com 443 Asset Cache Locator Service
19 guzzoni.apple.com AssistantServices.framework
20 gsa.apple.com 443 AuthKit framework
21 lcdn-registration.apple.com Caching Server Registration
22 wu-calculator.apple.com Calculator.app
23 caldav.icloud.com CalendarPersistence.framework
24 ical.mac.com CalendarPersistence.framework
25 attwifi.apple.com CaptiveNetworkSupport
26 captive.apple.com 80 CaptiveNetworkSupport
27 suconfig.apple.com 443 cloudconfigurationd
28 configuration.apple.com 443 CloudKit / keyboardservicesd / GeoLocation / Photos Agent
29 ax.init.itunes.apple.com CommerceKit.framework
30 init.itunes.apple.com CommerceKit.framework
31 sandbox.itunes.apple.com CommerceKit.framework
32 su-itunes.apple.com 443 CommerceKit.framework
33 trackingshipment.apple.com DataDetectors.framework
34 acc-ipt.apple.com DEP API Sign up
35 api-applecareconnect-ept.apple.com DEP API UAT
36 api-applecareconnect-ept2.apple.com DEP API UAT
37 appleconnect.apple.com 443 DEP API Website
38 iprofiles.apple.com 443 DEP Enrollment Profile
39 lookup-api.apple.com Dictionary.app
40 commnat-cohort.ess.apple.com 16386 gamed
41 commnat-main.ess.apple.com 16384:16385 gamed
42 cp7vi.apple.com GameKit.framework
43 df6ed.apple.com GameKit.framework
44 gz8rm.apple.com GameKit.framework
45 init.gc.apple.com GameKit.framework
46 link.gc.apple.com GameKit.framework
47 static.gc.apple.com GameKit.framework
48 z2r0y.apple.com GameKit.framework
49 gsp-ssl.ls.apple.com 443 GeoServices.framework
50 gsp1.apple.com 80 GeoServices.framework
51 gsp17-2-ssl.apple.com GeoServices.framework
52 gsp17-ssl.apple.com GeoServices.framework
53 gspa21.ls.apple.com GeoServices.framework
54 gspa35-ssl.ls.apple.com 443 GeoServices.framework
55 gspe1-ssl.ls.apple.com 443 GeoServices.framework
56 gspe21.ls.apple.com 80 GeoServices.framework
57 gspe35-ssl.ls.apple.com 443 GeoServices.framework
58 help.apple.com HelpData.framework
59 helposx.apple.com HelpData.framework
60 helpqt.apple.com HelpData.framework
61 support.apple.com HelpData.framework
62 redcarpet.apple.com HelpViewer.app
63 iadsdk.apple.com iAdCore.framework
64 userpub.itunes.apple.com iBooks.app
65 vocabulary.itunes.apple.com iBooks.app
66 init-p01md.apple.com IMFoundation.framework
67 init.ess.apple.com IMFoundation.framework
68 bugreport.apple.com IMLoggingAgent
69 gil.apple.com InternetAccounts.framework
70 gs.apple.com 80:443 iOS update server
71 gg*.apple.com 80:443 iOS update servers
72 m3.mac.com ISSupport.framework
73 deimos3.apple.com 443 iTunes Store
74 phobos.apple.com 443 iTunes Store
75 cl-dev.apple.com locationd
76 cl2.apple.com locationd
77 cl3.apple.com locationd
78 gs-loc.apple.com locationd
79 gsp10-ssl.apple.com locationd
80 gsp9-ssl.apple.com locationd
81 iphone-ld.apple.com locationd
82 play.itunes.apple.com 443 locationd
83 lookup-api.apple.com Lookup.framework
84 feedback.apple.com Mail.app
85 mac-services.apple.com MailCore.framework
86 mesu.apple.com 443 Main Entry Software Update server
87 icalserver.apple.com ManagedClient.app
88 manifest2.inn.rdca.ls.apple.com Maps.app
89 mdmenrollment.apple.com 443 MDM / DEP
90 hello.connectivity.me.com mDNSResponder
91 appleconnect.apple.com MobileDevice.framework
92 albert.apple.com 443 OS X / iOS Activation Server
93 idisk.mac.com OSServices.framework
94 smp-device-content.apple.com 443 PassKitCore.framework
95 ink.apple.com Print.framework
96 qtsoftware.apple.com QuickTime.framework
97 quicktimepro.apple.com QuickTime.framework
98 qtpartners.apple.com RTCReporting.framework
99 extensions.apple.com Safari.framework
100 plugins.apple.com Safari.framework
101 public.me.com ScreenReader.framework
102 photocast.me.com ScreenSaver.framework
103 fdereg.apple.com Security.framework
104 timestamp.apple.com Security.framework
105 littlebuddy.apple.com Setup Assistant.app
106 static.ips.apple.com Social.framework
107 swcdnlocator.apple.com SoftwareUpdate.framework
108 swscan.apple.com SoftwareUpdate.framework
109 p33-buy.itunes.apple.com 443 storeaccountd via CommerceKit.TransactionService.xpc
110 buy.itunes.apple.com 443 storeassetd
111 su.itunes.apple.com 443 storeassetd
112 osxapps.itunes.apple.com 80 storedownloadd
113 p24-buy-itunes.apple.com 443 storedownloadd
114 radarsubmissions.apple.com SubmitDiagInfo
115 depot.info.apple.com System Information.app
116 gnf-mdn.apple.com 443 Touchbar Install?
117 gnf-mr.apple.com 443 Touchbar Install?
118 ig.apple.com 443 Touchbar Install?
119 skl.apple.com 443 Touchbar Install?
120 gallery.me.com WebCore.framework
121 idisk.me.com webdav_fs.kext
122 iphone-wu.apple.com WidgetResources
123 wu-charts.apple.com WidgetResources
124 wu-converter.apple.com WidgetResources
125 wu-quotes.apple.com WidgetResources
126 wu-stocks.apple.com WidgetResources
127 wu.apple.com WidgetResources
128 api-glb-fra.smoot.apple.com 443
129 api.smoot.apple.com 443
130 crl.apple.com
131 deploy.apple.com 443
132 iforgot.apple.com
133 maps.apple.com
134 pancake.apple.com 443
135 pd-nk.itunes.apple.com 443
136 swcdn.apple.com 443
137 swdownload.apple.com 443
138 swquery.apple.com 443
139 xp.apple.com 443
140 api.push.apple.com 2197:443 Push notification live sending server
141 gateway.push.apple.com 2195:2196 Push notification receive gateway
142 1-courier.push.apple.com 5223:443 Push notification server
143 2-courier.push.apple.com 5223:443 Push notification server
144 3-courier.push.apple.com 5223:443 Push notification server
145 4-courier.push.apple.com 5223:443 Push notification server
146 5-courier.push.apple.com 5223:443 Push notification server
147 6-courier.push.apple.com 5223:443 Push notification server
148 7-courier.push.apple.com 5223:443 Push notification server
149 8-courier.push.apple.com 5223:443 Push notification server
150 9-courier.push.apple.com 5223:443 Push notification server
151 10-courier.push.apple.com 5223:443 Push notification server
152 11-courier.push.apple.com 5223:443 Push notification server
153 12-courier.push.apple.com 5223:443 Push notification server
154 13-courier.push.apple.com 5223:443 Push notification server
155 14-courier.push.apple.com 5223:443 Push notification server
156 15-courier.push.apple.com 5223:443 Push notification server
157 16-courier.push.apple.com 5223:443 Push notification server
158 17-courier.push.apple.com 5223:443 Push notification server
159 18-courier.push.apple.com 5223:443 Push notification server
160 19-courier.push.apple.com 5223:443 Push notification server
161 20-courier.push.apple.com 5223:443 Push notification server
162 21-courier.push.apple.com 5223:443 Push notification server
163 22-courier.push.apple.com 5223:443 Push notification server
164 23-courier.push.apple.com 5223:443 Push notification server
165 24-courier.push.apple.com 5223:443 Push notification server
166 25-courier.push.apple.com 5223:443 Push notification server
167 26-courier.push.apple.com 5223:443 Push notification server
168 27-courier.push.apple.com 5223:443 Push notification server
169 28-courier.push.apple.com 5223:443 Push notification server
170 29-courier.push.apple.com 5223:443 Push notification server
171 30-courier.push.apple.com 5223:443 Push notification server
172 31-courier.push.apple.com 5223:443 Push notification server
173 32-courier.push.apple.com 5223:443 Push notification server
174 33-courier.push.apple.com 5223:443 Push notification server
175 34-courier.push.apple.com 5223:443 Push notification server
176 35-courier.push.apple.com 5223:443 Push notification server
177 36-courier.push.apple.com 5223:443 Push notification server
178 37-courier.push.apple.com 5223:443 Push notification server
179 38-courier.push.apple.com 5223:443 Push notification server
180 39-courier.push.apple.com 5223:443 Push notification server
181 40-courier.push.apple.com 5223:443 Push notification server
182 41-courier.push.apple.com 5223:443 Push notification server
183 42-courier.push.apple.com 5223:443 Push notification server
184 43-courier.push.apple.com 5223:443 Push notification server
185 44-courier.push.apple.com 5223:443 Push notification server
186 45-courier.push.apple.com 5223:443 Push notification server
187 46-courier.push.apple.com 5223:443 Push notification server
188 47-courier.push.apple.com 5223:443 Push notification server
189 48-courier.push.apple.com 5223:443 Push notification server
190 49-courier.push.apple.com 5223:443 Push notification server
191 50-courier.push.apple.com 5223:443 Push notification server
192 api.development.push.apple.com 2197:443 Push notification test sending server
193 gateway.sandbox.push.apple.com 2195:2196 Push notification test receive gateway
194 1-courier.sandbox.push.apple.com 5223:443 Push notification test server
195 2-courier.sandbox.push.apple.com 5223:443 Push notification test server
196 3-courier.sandbox.push.apple.com 5223:443 Push notification test server
197 4-courier.sandbox.push.apple.com 5223:443 Push notification test server
198 5-courier.sandbox.push.apple.com 5223:443 Push notification test server
199 6-courier.sandbox.push.apple.com 5223:443 Push notification test server
200 7-courier.sandbox.push.apple.com 5223:443 Push notification test server
201 8-courier.sandbox.push.apple.com 5223:443 Push notification test server
202 9-courier.sandbox.push.apple.com 5223:443 Push notification test server
203 10-courier.sandbox.push.apple.com 5223:443 Push notification test server
204 11-courier.sandbox.push.apple.com 5223:443 Push notification test server
205 12-courier.sandbox.push.apple.com 5223:443 Push notification test server
206 13-courier.sandbox.push.apple.com 5223:443 Push notification test server
207 14-courier.sandbox.push.apple.com 5223:443 Push notification test server
208 15-courier.sandbox.push.apple.com 5223:443 Push notification test server
209 16-courier.sandbox.push.apple.com 5223:443 Push notification test server
210 17-courier.sandbox.push.apple.com 5223:443 Push notification test server
211 18-courier.sandbox.push.apple.com 5223:443 Push notification test server
212 19-courier.sandbox.push.apple.com 5223:443 Push notification test server
213 20-courier.sandbox.push.apple.com 5223:443 Push notification test server
214 21-courier.sandbox.push.apple.com 5223:443 Push notification test server
215 22-courier.sandbox.push.apple.com 5223:443 Push notification test server
216 23-courier.sandbox.push.apple.com 5223:443 Push notification test server
217 24-courier.sandbox.push.apple.com 5223:443 Push notification test server
218 25-courier.sandbox.push.apple.com 5223:443 Push notification test server
219 26-courier.sandbox.push.apple.com 5223:443 Push notification test server
220 27-courier.sandbox.push.apple.com 5223:443 Push notification test server
221 28-courier.sandbox.push.apple.com 5223:443 Push notification test server
222 29-courier.sandbox.push.apple.com 5223:443 Push notification test server
223 30-courier.sandbox.push.apple.com 5223:443 Push notification test server
224 31-courier.sandbox.push.apple.com 5223:443 Push notification test server
225 32-courier.sandbox.push.apple.com 5223:443 Push notification test server
226 33-courier.sandbox.push.apple.com 5223:443 Push notification test server
227 34-courier.sandbox.push.apple.com 5223:443 Push notification test server
228 35-courier.sandbox.push.apple.com 5223:443 Push notification test server
229 36-courier.sandbox.push.apple.com 5223:443 Push notification test server
230 37-courier.sandbox.push.apple.com 5223:443 Push notification test server
231 38-courier.sandbox.push.apple.com 5223:443 Push notification test server
232 39-courier.sandbox.push.apple.com 5223:443 Push notification test server
233 40-courier.sandbox.push.apple.com 5223:443 Push notification test server
234 41-courier.sandbox.push.apple.com 5223:443 Push notification test server
235 42-courier.sandbox.push.apple.com 5223:443 Push notification test server
236 43-courier.sandbox.push.apple.com 5223:443 Push notification test server
237 44-courier.sandbox.push.apple.com 5223:443 Push notification test server
238 45-courier.sandbox.push.apple.com 5223:443 Push notification test server
239 46-courier.sandbox.push.apple.com 5223:443 Push notification test server
240 47-courier.sandbox.push.apple.com 5223:443 Push notification test server
241 48-courier.sandbox.push.apple.com 5223:443 Push notification test server
242 49-courier.sandbox.push.apple.com 5223:443 Push notification test server
243 50-courier.sandbox.push.apple.com 5223:443 Push notification test server

*.thawte.com 80 Apple CA OCSP validation
*.geotrust.com 80 Apple CA OCSP validation
*.ws.symantec.com 80 Apple CA OCSP validation
*.symcb.com 80 Apple CA OCSP validation
*.symcd.com 80 Apple CA OCSP validation
EV-Intl-ocsp.verisign.com 80 Apple CA OCSP validation
EVSecure-ocsp.verisign.com 80 Apple CA OCSP validation

10th September 2016 Edit:

Jason “zoocoup” Broccado has pointed out an interesting one to me: aaplimg.com

This resolves to three distinct Apple IP addresses: 17.178.96.39, 17.172.224.28 and 17.142.160.39. Where things get interesting is if you run the following command from a macOS terminal window. You can use any of the IPs just mentioned, as you’ll get the same result.

  • host 17.178.96.39

You end up with a long list of Apple-related domain names, most of which look like the kind of thing cybersquatters would register. A random example from this list is “lojaiphone.com.br”.

All of these redirect to the apple.com main page or elsewhere. Cleverly, some of them target specific parts of Apple’s main web page.

I wish I knew more about DNS than I currently do.

12th September 2016:

Found an interesting GitHub repository called “osxparanoia” thanks to investigating @carlashleyphoto’s Twitter tip-off. I’ll be incorporating the info there (minus existing and non-responsive addresses) into the list.

25th September 2016:

A lot of the addresses didn’t have valid DNS names anymore (esp. APNS stuff) so they’ve been trimmed out.

28th September 2016:

I installed Little Snitch as a demo on my laptop and made careful note of extra addresses I didn’t have before 😉

30th September 2016:

Jason “zoocoup” Broccado has kindly found another server address while investigating all the Caching server issues going on at the moment.

28th November 2016:

Updates to courier address information, plus updated OCSP certificate-checking servers.

1st April 2017:

Ben “macmule” Toms provided a suspicious-looking link on April Fool’s Day (using my own suspicions against me? Nicely done, sir!) and found that Apple requires certain addresses to support the new Touchbar Macs.

28th April 2017:

Cyril Niklaus provided some extra addresses today to do with software updates.

30th May 2017:

I’ve been investigating App Store connectivity and found a few interesting addresses being used. I also added in all the sandbox APNS addresses.

7th July 2017:

Brad Chapman on the Macadmins Slack instance tipped me off about the existence of two further addresses for APNS, which are used before the main courier addresses are contacted. I had them in the list but didn’t know what they were. Their descriptions have been updated.