
SSL Inspection Error with Apple websites

Hello, I am running SFOS 19.5.4 and I noticed that I cannot get to any secure apple.com website since the last update. I try to go to Apple Business Manager (business.apple.com) and it will just spin and eventually time out. I also tried to purchase a device through apple.com and it timed out when I attempted to go to the cart. In the SSL/TLS inspection logs there is always an error for any *.apple.com domain saying "Server did not respond to client hello". I tried adding exceptions for Apple domains in Web/Exceptions and under the "Local TLS exclusion list", but no change. I am only having issues with Apple websites so far, but since I use Apple Business Manager for iPad management it is pretty important to get this fixed. I tested off network on a hotspot just to make sure it was the firewall blocking it.

Any suggestions?



[edited by: Erick Jan at 2:07 PM (GMT -7) on 30 Jul 2024]
  • Hi,

    Thank you for reaching out to the community. You can add the exception under Web and add the following regexes:
    ^([A-Za-z0-9.-]*\.)?itunes\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?ax\.itunes\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?albert\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?gs\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?business\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?apple\.com/
    ^([A-Za-z0-9.-]*\.)?albert\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?captive\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?humb\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?static\.ips\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?sq-device\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?tbsc\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?time-ios\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?time\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?time-macos\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?push\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?deviceenrollment\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?deviceservices-external\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?gdmf\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?identity\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?iprofiles\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?mdmenrollment\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?setup\.icloud\.com/
    ^([A-Za-z0-9.-]*\.)?vpp\.itunes\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?appattest\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?business\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?school\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?appleid\.cdn-apple\.com/
    ^([A-Za-z0-9.-]*\.)?idmsa\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?itunes\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?mzstatic\.com/
    ^([A-Za-z0-9.-]*\.)?api\.ent\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?api\.edu\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?statici\.icloud\.com/
    ^([A-Za-z0-9.-]*\.)?vertexsmb\.com/
    ^([A-Za-z0-9.-]*\.)?www\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?upload\.appleschoolcontent\.com/
    ^([A-Za-z0-9.-]*\.)?ws-ee-maidsvc\.icloud\.com/
    ^([A-Za-z0-9.-]*\.)?axm-adm-mdm\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?axm-adm-enroll\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?axm-adm-scep\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?axm-app\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?apple-mapkit\.com/
    ^([A-Za-z0-9.-]*\.)?icons\.axm-usercontent-apple\.com/

    For more, you can check the KBA: Use Apple products on enterprise networks - Apple Support (IN)

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Apple sites do not like being inspected and will fail to download.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • I have created exceptions for all of the Apple subdomains that are being blocked, but I think it is still blocking them. For Apple Business Manager, it is excluding business.apple.com, but there are subdomains like "ws.business.apple.com" and "axm-telemetry.apple.com" that are still showing errors in the SSL/TLS exceptions log. I created exceptions for those domains as well, but I guess it's not working?

    ^([A-Za-z0-9.-]*\.)?ws\.business\.apple\.com/
    ^([A-Za-z0-9.-]*\.)?axm-telemetry\.apple\.com/
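    To check which hostnames from the SSL/TLS inspection log the posted exception patterns actually cover, here is an added Python helper; it is not from this thread or from Sophos, and the pattern subset and hostnames are constructed for the demo. Because the patterns are URL-style (anchored and ending in a slash), each host is tested as "host/", and the helper also flags duplicate entries and entries already implied by a broader one, since the optional prefix group makes an apple.com entry match every *.apple.com host.

```python
import re

# Prefix shared by every exception pattern in the thread: an optional run of
# labels ending in a dot, so any subdomain of the literal host also matches.
PREFIX = r"^([A-Za-z0-9.-]*\.)?"

# Constructed subset of the posted patterns (with one deliberate duplicate).
EXCEPTION_PATTERNS = [
    PREFIX + r"business\.apple\.com/",
    PREFIX + r"apple\.com/",
    PREFIX + r"setup\.icloud\.com/",
    PREFIX + r"ws\.business\.apple\.com/",
    PREFIX + r"axm-telemetry\.apple\.com/",
    PREFIX + r"business\.apple\.com/",
]

# Constructed hostnames in the form they appear in the SSL/TLS inspection log.
LOGGED_HOSTS = [
    "ws.business.apple.com", "axm-telemetry.apple.com",
    "business.apple.com", "appleid.cdn-apple.com", "icloud.com",
]

def coverage(patterns, hosts):
    """Map each host to the patterns that match it. The patterns are URL-style
    (anchored, ending in '/'), so the bare hostname is tested as 'host/'."""
    compiled = [(p, re.compile(p)) for p in patterns]
    return {h: [p for p, rx in compiled if rx.match(h + "/")] for h in hosts}

def uncovered(patterns, hosts):
    """Hosts that no pattern matches; these would still be inspected."""
    return [h for h, m in coverage(patterns, hosts).items() if not m]

def host_of(pattern):
    """Recover the literal hostname from a pattern of the shared form."""
    assert pattern.startswith(PREFIX) and pattern.endswith("/")
    return pattern[len(PREFIX):-1].replace(r"\.", ".")

def duplicates(patterns):
    """Patterns listed more than once."""
    return sorted({p for p in patterns if patterns.count(p) > 1})

def redundant(patterns):
    """Hosts already implied by a broader entry: the prefix absorbs any leading
    labels, so an entry for apple.com already covers every *.apple.com host."""
    hosts = {host_of(p) for p in patterns}
    return sorted(h for h in hosts if any(h.endswith("." + b) for b in hosts if b != h))

if __name__ == "__main__":
    for h, m in coverage(EXCEPTION_PATTERNS, LOGGED_HOSTS).items():
        print(f"{h}: {len(m)} matching pattern(s)")
    print("uncovered:", uncovered(EXCEPTION_PATTERNS, LOGGED_HOSTS))
    print("duplicates:", duplicates(EXCEPTION_PATTERNS))
    print("redundant:", redundant(EXCEPTION_PATTERNS))
```

    Note that appleid.cdn-apple.com is reported as uncovered by this subset: the apple.com pattern requires a literal dot before "apple.com", so hosts under cdn-apple.com need their own entry, which is why the full list above carries one.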