Posted on 06-13-2023 05:04 AM
Hello everyone
We have this problem that no macOS software update is available/visible in System Preferences when the Mac client is connected to the corporate network.
If I want to download a macOS InstallAssistant.pkg directly from Apple (like this: https://swcdn.apple.com/content/downloads/63/49/032-84910A_3SSTBN1HDA/h89vitwfbzt54jcbwpfwkmrn12smed....), then it works without any problem.
But software updates aren't visible/available in System Preferences.
When connected to the Internet directly (no corporate network), the updates are then available in System Preferences.
AFAIK, there is no firewall rule blocking the connection. And yes, we also have a proxy that could be causing this problem.
The proxy team claims that Apple servers are already listed in the allowlist and the proxy can't be a problem, as the download of a macOS package works.
Does anyone have any idea how to narrow down this problem? What am I missing?
06-13-2023 05:30 AM - edited 06-13-2023 05:31 AM
Do you get an NS Curl 1002 error or something?
Open Terminal, type: softwareupdate -l
What do you get?
Go back to your security team. Give them an IP to one of your Mac clients. Point this client to a specific proxy server in your corporate network. Duplicate the issue by checking for software updates. Open the App Store. Have them follow the traffic.
See if these 2 lists might help:
*.mzstatic.com
*.apple.com
*.itunes.com
*.icloud.com
Posted on 06-15-2023 01:49 AM
I get no error when running softwareupdate --list
Only the output that no updates can be found, although there should be.
Thanks for the link
Posted on 06-13-2023 05:42 AM
If they're not showing when you're on your corporate network, but they're available everywhere else, you need to sit down and have a long talk with your network/security team. Have them run a Wireshark trace and see where it's getting blocked. When you hit the "check for updates" button on your Mac, it'll go out and look, and Wireshark will be able to tell you where, or who, is blocking the service.
06-13-2023 05:56 AM - edited 06-13-2023 05:57 AM
@MehdiYawari make sure your proxy/security team are aware of Apple's https://support.apple.com/en-us/HT210060 KB article that @obi-k references. It details the different servers that are needed to support Apple devices on an Enterprise network, and whether or not that can be proxied (you'll also want to make sure they're not subject to SSL inspection).
Posted on 06-13-2023 10:43 AM
I recommend reaching out to your network engineers, and referencing Apple's enterprise network guide to make sure everything is open. Apple will fail traffic that goes through SSL inspection and this is probably what is going on.
Apple makes a tool they host on AppleSeed called Mac Evaluation Utility. You can run that tool and it will tell you what network traffic is not working correctly.
Posted on 06-14-2023 10:05 AM
If your deployment still relies on x86-native software, you could have issues reliably installing Rosetta.
06-15-2023 01:59 AM - edited 06-15-2023 02:03 AM
Yes, I just need more information to narrow this down and understand better what is going on.
I am using the Mac Evaluation Utility tool and here is the difference.
Mac connected to Internet:
Mac connected to corporate network:
It clarifies that the Mac isn't able to connect to certain Apple domains.
Here is my other test result:
softwareupdate -l: No new software update available.
softwareupdate --fetch-full-installer --full-installer-version 12.6.6: Starts to download the macOS update.
softwareupdate --list-full-installers: Lists all macOS available for this test Mac.
But I don't yet understand the whole topic of SSL inspection and HTTPS interception.
Do you have some info (maybe a link from Apple) in this regard?
Posted on 06-15-2023 02:01 AM
The last column of the list in the enterprise network guide says whether an Apple domain supports a proxy or not:
What does this actually mean?
Posted on 06-15-2023 03:34 AM
SSL Inspection and Redirection means some tool is opening Apple's traffic and going through things before it gets to the device. This is likely a network security tool, but could also be a malicious actor. Apple will fail all traffic that has been tampered with. You need to work with whatever team controls your network filters and get a bypass put in for Apple's update server.
Think of it as someone opening your mail and reading the contents before it gets to you. If the envelope contained critical instructions, would you trust that the instructions were not tampered with if the envelope was opened when you got it?
Posted on 06-16-2023 04:50 AM
Thanks a lot.
This explains why some updates are available and some are not, as they might be getting dropped by this SSL inspection.
Posted on 06-29-2023 12:03 AM
Sorry for the late response. Just got feedback from our proxy team.
I used the Mac Evaluation Utility and found that gdmf.apple.com is blocked by the proxy, although Apple domains are not blocked (no SSL intercepted) by our proxy.
We found out that gdmf.apple.com has no trusted issuer (cert-untrusted_issuer) and is blocked by the proxy.
Now I need to ask the security team if they can exclude this domain from the proxy.
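
The SSL inspection explained earlier in the thread and the blocked gdmf.apple.com found in the last post can both be spotted by comparing the certificate issuer each host presents off-network with the one seen on the corporate network. The script below is an added example, not part of any post in this thread: the function names, the host inspected.example.test and all issuer strings are constructed for illustration, and collect_issuers assumes the openssl CLI can reach port 443 directly or through a transparent proxy.

```shell
#!/bin/sh
# collect_issuers HOST...: print "host<TAB>issuer" per host. Needs network and
# the openssl CLI; run once off-network (baseline), once on the corporate LAN.
collect_issuers() {
  for host in "$@"; do
    issuer=$(openssl s_client -connect "$host:443" -servername "$host" \
               </dev/null 2>/dev/null \
             | openssl x509 -noout -issuer 2>/dev/null) || issuer=
    # No parsable certificate means the handshake was blocked or reset.
    printf '%s\t%s\n' "$host" "${issuer:-NO_CERT}"
  done
}

# compare_issuers BASELINE CORP: print "host<TAB>verdict" for each host in CORP.
compare_issuers() {
  awk -F '\t' '
    FNR == NR { base[$1] = $2; next }      # first file: off-network baseline
    {
      if ($2 == "NO_CERT")      v = "blocked-or-no-tls"
      else if (!($1 in base))   v = "no-baseline"
      else if ($2 == base[$1])  v = "same-issuer"
      else                      v = "issuer-changed"   # re-signed: inspection
      printf "%s\t%s\n", $1, v
    }' "$1" "$2"
}

# demo: run the comparison on constructed sample data (not real captures).
demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\t%s\n' \
    'gdmf.apple.com'         'issuer=CN=Constructed Vendor CA' \
    'swcdn.apple.com'        'issuer=CN=Constructed Public CA' \
    'inspected.example.test' 'issuer=CN=Constructed Public CA' \
    > "$dir/baseline.tsv"
  printf '%s\t%s\n' \
    'gdmf.apple.com'         'NO_CERT' \
    'swcdn.apple.com'        'issuer=CN=Constructed Public CA' \
    'inspected.example.test' 'issuer=CN=Constructed Corporate Proxy CA' \
    > "$dir/corp.tsv"
  compare_issuers "$dir/baseline.tsv" "$dir/corp.tsv"
  rm -rf "$dir"
}

demo
```

On real machines, redirect the output of collect_issuers to a file on each network and pass the two files to compare_issuers; hosts reported as issuer-changed or blocked-or-no-tls are the ones to raise with the proxy team.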