Apple 17.0.0.0/8 Services

3rd September 2018: I keep this blog post as a historical document. Over the last two years it’s become more and more apparent that the “whack-a-mole” approach is more work than it’s worth. There’s a variety of new Apple URLs appearing all the time and the maintenance work simply isn’t worth it.

My recommendation is to allow *.apple.com URLs free passage to/from your network on 80 and 443. In particular it has to be the URL (not an address range) and I’ve other posts that explain why.

One of the tasks I’ve been working on is mapping a set of firewall rules to allow various Apple services to work within the confines of a secure network environment. Apple’s recommended guidelines for enabling APNS to work in a corporate environment can be found here:

https://support.apple.com/en-us/HT203609

Let’s see, there are some ports ... ok. The ENTIRE 17.x address range?

Now while I’m sure a lot of places would be ok with this (one of my former employers certainly was), there are some places rather more security conscious who are not. Of course things also get complicated when you look at the addresses systems like APNS are using and you find they’re merely CNAMEs for other servers on the internet. You can quite easily find yourself being load balanced to servers that Akamai is hosting when you think you’re talking to Apple.

What this means is that I’m no longer happy with just having a range of IP addresses whitelisted on a corporate firewall. That led to me trying to track down exactly what addresses Apple has publicly exposed on their address range. Now some of this is original research but a lot is taken from areas such as iOS jailbreaking websites (which I do not condone myself) and an interesting Q&A section from F5 Networks DevCentral where someone wrote a very basic APNS proxy.

Now while I’m not happy with whitelisting an entire address block, I am less happy again with the amount of addresses I found. I’ll list those below but before you get there, APNS alone has two gateway addresses and a further 50 (!) “courier” addresses all of which can point outside of Apple’s address range. (Changed to 50 from 200 as I found that addresses above that don’t respond to pings, but 1-50 do.)
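The point above is that a 17.0.0.0/8 allowlist does not cover names that CNAME out to a CDN. The following is an added example (not code from the original post) that takes a set of forward lookups and reports which hostnames resolve wholly inside 17/8, which are mixed, and which sit entirely outside it; the sample lookup data is constructed, and the `resolve()` helper for live use is an assumption about how one would gather real data.

```python
"""Check which allowlisted Apple hostnames actually land inside 17.0.0.0/8."""
import ipaddress
import socket

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Constructed sample (NOT real resolver output): hostname -> A records returned.
# Hostnames are taken from the list in the post; the addresses are made up so the
# example runs offline. The off-net entries stand in for the CNAME-to-CDN case.
SAMPLE_LOOKUPS = {
    "albert.apple.com": ["17.171.2.5"],
    "1-courier.push.apple.com": ["17.249.1.10", "17.249.1.11"],
    "swcdn.apple.com": ["23.4.5.6", "17.1.2.3"],   # constructed: mixed
    "static.gc.apple.com": ["23.7.8.9"],           # constructed: entirely off-net
    "gsp1.apple.com": [],                          # constructed: NXDOMAIN
}


def resolve(host):
    """Live IPv4 forward lookup (assumed helper, not used by the offline sample)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(lookups):
    """Bucket hostnames by whether all, some or none of their addresses are in 17/8."""
    result = {"inside": [], "mixed": [], "outside": [], "unresolved": []}
    for host, addrs in lookups.items():
        if not addrs:
            result["unresolved"].append(host)
            continue
        on_net = [a for a in addrs if ipaddress.ip_address(a) in APPLE_NET]
        if len(on_net) == len(addrs):
            result["inside"].append(host)
        elif on_net:
            result["mixed"].append(host)
        else:
            result["outside"].append(host)
    return result


def off_net_addresses(lookups):
    """Return {host: [addresses outside 17/8]} for every host that has any."""
    report = {}
    for host, addrs in lookups.items():
        off = [a for a in addrs if ipaddress.ip_address(a) not in APPLE_NET]
        if off:
            report[host] = off
    return report


if __name__ == "__main__":
    # Swap SAMPLE_LOOKUPS for {h: resolve(h) for h in hosts} to check live data.
    for bucket, hosts in classify(SAMPLE_LOOKUPS).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
    for host, addrs in off_net_addresses(SAMPLE_LOOKUPS).items():
        print(f"off-net {host}: {' '.join(addrs)}")
```

Hosts that land in `mixed` or `outside` are exactly the ones an IP-range rule would silently break, which is why a name-based rule is the safer choice.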

Below is the list I’ve so far managed to compile. You have names, ports and probable uses. If anyone has more accurate information on any of this, I want to know and I can be contacted in the usual places.

No DNS Ports Used Used For
1 appleid.apple.com Accounts.prefPane
2 contacts.icloud.com AddressBook.framework
3 apsu.apple.com AirPort Utility.app
4 gsas.apple.com 443 akd
5 icloud.com AOSKit.framework
6 me.com AOSKit.framework
7 setup.icloud.com AOSKit.framework
8 fmip.me.com AOSNotification.framework
9 *.itunes.apple.com App Store
10 itunes.apple.com App Store
11 metrics.apple.com App Store.app
12 idmsa.apple.com Apple ID authentication?
13 identity.apple.com AppleIDAuthAgent
14 iphonediags.apple.com AppleMobileDeviceHelper.app
15 iphonesubmissions.apple.com AppleMobileDeviceHelper.app
16 init-p01st.push.apple.com APNS Client Initialisation Server
17 init-s01st.push.apple.com APNS Client Initialisation Server (sandbox)
18 lcdn-locator.apple.com 443 Asset Cache Locator Service
19 guzzoni.apple.com AssistantServices.framework
20 gsa.apple.com 443 AuthKit framework
21 lcdn-registration.apple.com Caching Server Registration
22 wu-calculator.apple.com Calculator.app
23 caldav.icloud.com CalendarPersistence.framework
24 ical.mac.com CalendarPersistence.framework
25 attwifi.apple.com CaptiveNetworkSupport
26 captive.apple.com 80 CaptiveNetworkSupport
27 suconfig.apple.com 443 cloudconfigurationd
28 configuration.apple.com 443 CloudKit / keyboardservicesd / GeoLocation / Photos Agent
29 ax.init.itunes.apple.com CommerceKit.framework
30 init.itunes.apple.com CommerceKit.framework
31 sandbox.itunes.apple.com CommerceKit.framework
32 su-itunes.apple.com 443 CommerceKit.framework
33 trackingshipment.apple.com DataDetectors.framework
34 acc-ipt.apple.com DEP API Sign up
35 api-applecareconnect-ept.apple.com DEP API UAT
36 api-applecareconnect-ept2.apple.com DEP API UAT
37 appleconnect.apple.com 443 DEP API Website
38 iprofiles.apple.com 443 DEP Enrollment Profile
39 lookup-api.apple.com Dictionary.app
40 commnat-cohort.ess.apple.com 16386 gamed
41 commnat-main.ess.apple.com 16384:16385 gamed
42 cp7vi.apple.com GameKit.framework
43 df6ed.apple.com GameKit.framework
44 gz8rm.apple.com GameKit.framework
45 init.gc.apple.com GameKit.framework
46 link.gc.apple.com GameKit.framework
47 static.gc.apple.com GameKit.framework
48 z2r0y.apple.com GameKit.framework
49 gsp-ssl.ls.apple.com 443 GeoServices.framework
50 gsp1.apple.com 80 GeoServices.framework
51 gsp17-2-ssl.apple.com GeoServices.framework
52 gsp17-ssl.apple.com GeoServices.framework
53 gspa21.ls.apple.com GeoServices.framework
54 gspa35-ssl.ls.apple.com 443 GeoServices.framework
55 gspe1-ssl.ls.apple.com 443 GeoServices.framework
56 gspe21.ls.apple.com 80 GeoServices.framework
57 gspe35-ssl.ls.apple.com 443 GeoServices.framework
58 help.apple.com HelpData.framework
59 helposx.apple.com HelpData.framework
60 helpqt.apple.com HelpData.framework
61 support.apple.com HelpData.framework
62 redcarpet.apple.com HelpViewer.app
63 iadsdk.apple.com iAdCore.framework
64 userpub.itunes.apple.com iBooks.app
65 vocabulary.itunes.apple.com iBooks.app
66 init-p01md.apple.com IMFoundation.framework
67 init.ess.apple.com IMFoundation.framework
68 bugreport.apple.com IMLoggingAgent
69 gil.apple.com InternetAccounts.framework
70 gs.apple.com 80:443 iOS update server
71 gg*.apple.com 80:443 iOS update servers
72 m3.mac.com ISSupport.framework
73 deimos3.apple.com 443 iTunes Store
74 phobos.apple.com 443 iTunes Store
75 cl-dev.apple.com locationd
76 cl2.apple.com locationd
77 cl3.apple.com locationd
78 gs-loc.apple.com locationd
79 gsp10-ssl.apple.com locationd
80 gsp9-ssl.apple.com locationd
81 iphone-ld.apple.com locationd
82 play.itunes.apple.com 443 locationd
83 lookup-api.apple.com Lookup.framework
84 feedback.apple.com Mail.app
85 mac-services.apple.com MailCore.framework
86 mesu.apple.com 443 Main Entry Software Update server
87 icalserver.apple.com ManagedClient.app
88 manifest2.inn.rdca.ls.apple.com Maps.app
89 mdmenrollment.apple.com 443 MDM / DEP
90 hello.connectivity.me.com mDNSResponder
91 appleconnect.apple.com MobileDevice.framework
92 albert.apple.com 443 OS X / iOS Activation Server
93 idisk.mac.com OSServices.framework
94 smp-device-content.apple.com 443 PassKitCore.framework
95 ink.apple.com Print.framework
96 qtsoftware.apple.com QuickTime.framework
97 quicktimepro.apple.com QuickTime.framework
98 qtpartners.apple.com RTCReporting.framework
99 extensions.apple.com Safari.framework
100 plugins.apple.com Safari.framework
101 public.me.com ScreenReader.framework
102 photocast.me.com ScreenSaver.framework
103 fdereg.apple.com Security.framework
104 timestamp.apple.com Security.framework
105 littlebuddy.apple.com Setup Assistant.app
106 static.ips.apple.com Social.framework
107 swcdnlocator.apple.com SoftwareUpdate.framework
108 swscan.apple.com SoftwareUpdate.framework
109 gdmf.apple.com iOS Software Lookup Service
110 p33-buy.itunes.apple.com 443 storeaccountd via CommerceKit.TransactionService.xpc
111 buy.itunes.apple.com 443 storeassetd
112 su.itunes.apple.com 443 storeassetd
113 osxapps.itunes.apple.com 80 storedownloadd
114 p24-buy-itunes.apple.com 443 storedownloadd
115 radarsubmissions.apple.com SubmitDiagInfo
116 depot.info.apple.com System Information.app
117 gnf-mdn.apple.com 443 Touchbar Install?
118 gnf-mr.apple.com 443 Touchbar Install?
119 ig.apple.com 443 Touchbar Install?
120 skl.apple.com 443 Touchbar Install?
121 gallery.me.com WebCore.framework
122 idisk.me.com webdav_fs.kext
123 iphone-wu.apple.com WidgetResources
124 wu-charts.apple.com WidgetResources
125 wu-converter.apple.com WidgetResources
126 wu-quotes.apple.com WidgetResources
127 wu-stocks.apple.com WidgetResources
128 wu.apple.com WidgetResources
129 api-glb-fra.smoot.apple.com 443
130 api.smoot.apple.com 443
131 crl.apple.com
132 deploy.apple.com 443
133 iforgot.apple.com
134 maps.apple.com
135 pancake.apple.com 443
136 pd-nk.itunes.apple.com 443
137 swcdn.apple.com 443
138 swdownload.apple.com 443
139 swquery.apple.com 443
140 xp.apple.com 443
141 api.push.apple.com 2197:443 Push notification live sending server
142 gateway.push.apple.com 2195:2196 Push notification receive gateway
143 1-courier.push.apple.com 5223:443 Push notification server
144 2-courier.push.apple.com 5223:443 Push notification server
145 3-courier.push.apple.com 5223:443 Push notification server
146 4-courier.push.apple.com 5223:443 Push notification server
147 5-courier.push.apple.com 5223:443 Push notification server
148 6-courier.push.apple.com 5223:443 Push notification server
149 7-courier.push.apple.com 5223:443 Push notification server
150 8-courier.push.apple.com 5223:443 Push notification server
151 9-courier.push.apple.com 5223:443 Push notification server
152 10-courier.push.apple.com 5223:443 Push notification server
153 11-courier.push.apple.com 5223:443 Push notification server
154 12-courier.push.apple.com 5223:443 Push notification server
155 13-courier.push.apple.com 5223:443 Push notification server
156 14-courier.push.apple.com 5223:443 Push notification server
157 15-courier.push.apple.com 5223:443 Push notification server
158 16-courier.push.apple.com 5223:443 Push notification server
159 17-courier.push.apple.com 5223:443 Push notification server
160 18-courier.push.apple.com 5223:443 Push notification server
161 19-courier.push.apple.com 5223:443 Push notification server
162 20-courier.push.apple.com 5223:443 Push notification server
163 21-courier.push.apple.com 5223:443 Push notification server
164 22-courier.push.apple.com 5223:443 Push notification server
165 23-courier.push.apple.com 5223:443 Push notification server
166 24-courier.push.apple.com 5223:443 Push notification server
167 25-courier.push.apple.com 5223:443 Push notification server
168 26-courier.push.apple.com 5223:443 Push notification server
169 27-courier.push.apple.com 5223:443 Push notification server
170 28-courier.push.apple.com 5223:443 Push notification server
171 29-courier.push.apple.com 5223:443 Push notification server
172 30-courier.push.apple.com 5223:443 Push notification server
173 31-courier.push.apple.com 5223:443 Push notification server
174 32-courier.push.apple.com 5223:443 Push notification server
175 33-courier.push.apple.com 5223:443 Push notification server
176 34-courier.push.apple.com 5223:443 Push notification server
177 35-courier.push.apple.com 5223:443 Push notification server
178 36-courier.push.apple.com 5223:443 Push notification server
179 37-courier.push.apple.com 5223:443 Push notification server
180 38-courier.push.apple.com 5223:443 Push notification server
181 39-courier.push.apple.com 5223:443 Push notification server
182 40-courier.push.apple.com 5223:443 Push notification server
183 41-courier.push.apple.com 5223:443 Push notification server
184 42-courier.push.apple.com 5223:443 Push notification server
185 43-courier.push.apple.com 5223:443 Push notification server
186 44-courier.push.apple.com 5223:443 Push notification server
187 45-courier.push.apple.com 5223:443 Push notification server
188 46-courier.push.apple.com 5223:443 Push notification server
189 47-courier.push.apple.com 5223:443 Push notification server
190 48-courier.push.apple.com 5223:443 Push notification server
191 49-courier.push.apple.com 5223:443 Push notification server
192 50-courier.push.apple.com 5223:443 Push notification server
193 api.development.push.apple.com 2197:443 Push notification test sending server
194 gateway.sandbox.push.apple.com 2195:2196 Push notification test receive gateway
195 1-courier.sandbox.push.apple.com 5223:443 Push notification test server
196 2-courier.sandbox.push.apple.com 5223:443 Push notification test server
197 3-courier.sandbox.push.apple.com 5223:443 Push notification test server
198 4-courier.sandbox.push.apple.com 5223:443 Push notification test server
199 5-courier.sandbox.push.apple.com 5223:443 Push notification test server
200 6-courier.sandbox.push.apple.com 5223:443 Push notification test server
201 7-courier.sandbox.push.apple.com 5223:443 Push notification test server
202 8-courier.sandbox.push.apple.com 5223:443 Push notification test server
203 9-courier.sandbox.push.apple.com 5223:443 Push notification test server
204 10-courier.sandbox.push.apple.com 5223:443 Push notification test server
205 11-courier.sandbox.push.apple.com 5223:443 Push notification test server
206 12-courier.sandbox.push.apple.com 5223:443 Push notification test server
207 13-courier.sandbox.push.apple.com 5223:443 Push notification test server
208 14-courier.sandbox.push.apple.com 5223:443 Push notification test server
209 15-courier.sandbox.push.apple.com 5223:443 Push notification test server
210 16-courier.sandbox.push.apple.com 5223:443 Push notification test server
211 17-courier.sandbox.push.apple.com 5223:443 Push notification test server
212 18-courier.sandbox.push.apple.com 5223:443 Push notification test server
213 19-courier.sandbox.push.apple.com 5223:443 Push notification test server
214 20-courier.sandbox.push.apple.com 5223:443 Push notification test server
215 21-courier.sandbox.push.apple.com 5223:443 Push notification test server
216 22-courier.sandbox.push.apple.com 5223:443 Push notification test server
217 23-courier.sandbox.push.apple.com 5223:443 Push notification test server
218 24-courier.sandbox.push.apple.com 5223:443 Push notification test server
219 25-courier.sandbox.push.apple.com 5223:443 Push notification test server
220 26-courier.sandbox.push.apple.com 5223:443 Push notification test server
221 27-courier.sandbox.push.apple.com 5223:443 Push notification test server
222 28-courier.sandbox.push.apple.com 5223:443 Push notification test server
223 29-courier.sandbox.push.apple.com 5223:443 Push notification test server
224 30-courier.sandbox.push.apple.com 5223:443 Push notification test server
225 31-courier.sandbox.push.apple.com 5223:443 Push notification test server
226 32-courier.sandbox.push.apple.com 5223:443 Push notification test server
227 33-courier.sandbox.push.apple.com 5223:443 Push notification test server
228 34-courier.sandbox.push.apple.com 5223:443 Push notification test server
229 35-courier.sandbox.push.apple.com 5223:443 Push notification test server
230 36-courier.sandbox.push.apple.com 5223:443 Push notification test server
231 37-courier.sandbox.push.apple.com 5223:443 Push notification test server
232 38-courier.sandbox.push.apple.com 5223:443 Push notification test server
233 39-courier.sandbox.push.apple.com 5223:443 Push notification test server
234 40-courier.sandbox.push.apple.com 5223:443 Push notification test server
235 41-courier.sandbox.push.apple.com 5223:443 Push notification test server
236 42-courier.sandbox.push.apple.com 5223:443 Push notification test server
237 43-courier.sandbox.push.apple.com 5223:443 Push notification test server
238 44-courier.sandbox.push.apple.com 5223:443 Push notification test server
239 45-courier.sandbox.push.apple.com 5223:443 Push notification test server
240 46-courier.sandbox.push.apple.com 5223:443 Push notification test server
241 47-courier.sandbox.push.apple.com 5223:443 Push notification test server
242 48-courier.sandbox.push.apple.com 5223:443 Push notification test server
243 49-courier.sandbox.push.apple.com 5223:443 Push notification test server
244 50-courier.sandbox.push.apple.com 5223:443 Push notification test server
245 gdmf.apple.com/v2/pmv 443 iOS Update Catalog
*.thawte.com 80 Apple CA OCSP validation
*.geotrust.com 80 Apple CA OCSP validation
*.ws.symantec.com 80 Apple CA OCSP validation
*.symcb.com 80 Apple CA OCSP validation
*.symcd.com 80 Apple CA OCSP validation
EV-Intl-ocsp.verisign.com 80 Apple CA OCSP validation
EVSecure-ocsp.verisign.com 80 Apple CA OCSP validation

3rd September 2018 Edit:

Well someone who prefers to be an anonymous coward tipped me off about gdmf.apple.com/v2/pmv which appears to be a list of iOS versions and what devices they’re available for. It’s readily readable through a web browser. There’s a good chance management service tools will require access to this as well.

10th September 2016 Edit:

Jason “zoocoup” Broccado has pointed out an interesting one to me. aaplimg.com

Now this resolves to three distinct Apple IP addresses: 17.178.96.39, 17.172.224.28 and 17.142.160.39. Where things get interesting is if you run the following command from a macOS terminal window. You can use any of the IPs just mentioned, as you’ll get the same result.

  • host 17.178.96.39

You now end up with a list of a lot of Apple related domain names, most of which look like the kind of thing cybersquatters would have. A random example from this list is “lojaiphone.com.br”.

All of these redirect to apple.com main page or elsewhere. Cleverly some of these target specific parts of Apple’s main web page. Clever.

I wish I knew more about DNS than I currently do.

12th September 2016:

Found an interesting GitHub repository called “osxparanoia” thanks to investigating @carlashleyphoto’s Twitter tip off. I’ll be incorporating the info (minus existing and non responsive addresses) there into the list.

25th September 2016:

A lot of the addresses didn’t have valid DNS names anymore (esp. APNS stuff) so they’ve been trimmed out.

28th September 2016:

I installed Little Snitch as a demo on my laptop and made careful note of extra addresses I didn’t have before 😉

30th September 2016:

Jason “zoocoup” Broccado has kindly found another server address while investigating all the Caching server issues going on at the moment.

28th November 2016:

Updates to courier address information plus updated OCSP certificate checking servers.

1st April 2017:

Ben “macmule” Toms provided a suspicious looking link on April Fool’s Day (using my own suspicions against me? Nicely done sir!) and found Apple requires certain addresses to support the new Touchbar Macs.

28th April 2017:

Cyril Niklaus provided some extra addresses today to do with software updates.

30th May 2017:

I’ve been investigating App Store connectivity and found a few interesting addresses being used. I also added in all the sandbox APNS addresses.

7th July 2017:

Brad Chapman on the Macadmins Slack instance tipped me off about the existence of two further addresses for APNS, which are used before the main courier addresses are contacted. I had them in the list but didn’t know what they were. Their descriptions have been updated.

22nd April 2018: Jason “zoocoup” Broccado tipped me off in the direction of Pepjin Bruienne who discovered this Apple link in the MDM spec. https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/ManagedAppsUpdates/ManagedAppsUpdates.html#//apple_ref/doc/uid/TP40017387-CH10-SW44