Help

Software Update not available in corporate network

MehdiYawari
New Contributor III

Posted on ‎06-13-2023 05:04 AM

Hello everyone 

We have this problem that no macOS software update is available/visible in system preferences when the mac client is connected to corprorate network.

if I want to download a macOS InstallAssistent.pkg directly from Apple (like this: https://swcdn.apple.com/content/downloads/63/49/032-84910A_3SSTBN1HDA/h89vitwfbzt54jcbwpfwkmrn12smed.... Then it works without any problem.

But Software Update arent visible/available in system preferences.

When Connected to Internet directly (No Corprate network), the updates are then available in system preferences.

AFAIK, there is no firewall rule blocking the connection. And yes we have also a proxy that could be causing this problem.
The proxy-team claims that Apple servers are already listed in Allowlist and the proxy cant be a problem, as the download of a macOS package works.
Does anyone have any idea how to narrow down this problem? What am I missing? 

0 Kudos
11 REPLIES 11

obi-k
Valued Contributor II

‎06-13-2023 05:30 AM - edited ‎06-13-2023 05:31 AM

Do you get an NS Curl 1002 error or something?

Open Terminal, type: softwareupdate -l

What do you get?

Go back to your security team. Give them an IP to one of your Mac clients. Point this client to a specific proxy server in your corporate network. Duplicate the issue by checking for software updates. Open the App Store. Have them follow the traffic.

See if these 2 lists might help:

*.mzstatic.com
*.apple.com
*.itunes.com
*.icloud.com

Use Apple products on enterprise networks

https://support.apple.com/en-us/HT210060

MehdiYawari
New Contributor III
In response to obi-k

Posted on ‎06-15-2023 01:49 AM

I get not error when running softwareupdate --list
only the output that no Updates can be found, although there should be.
Thanks for the link

0 Kudos

danlaw777
Contributor III

Posted on ‎06-13-2023 05:42 AM

If they're not showing when you're on your corporate network, but they're available everywhere else, you need to sit down and have a long talk with your network/security team. Have them run a wire shark trace and see where its getting blocked. When you hit the "check for updates" button on your mac, it'll go out and look, wire shark will be able to tell you where, or who, is blocking the the service

0 Kudos

sdagley
Esteemed Contributor II

‎06-13-2023 05:56 AM - edited ‎06-13-2023 05:57 AM

@MehdiYawari make sure your proxy/security team are aware of Apple's https://support.apple.com/en-us/HT210060 KB article that @obi-k references. It details the different servers that are needed to support Apple devices on an Enterprise network, and whether or not that can be proxied (you'll also want to make sure they're not subject to SSL inspection)

0 Kudos

AJPinto
Honored Contributor II

Posted on ‎06-13-2023 10:43 AM

I recommend reaching out to your network engineers, and referencing Apples enterprise network guide to make sure everything is open. Apple will fail traffic that goes through SSL inspection and this is probably what is going on.

 

Apple makes a tool they host on AppleSeed called Mac Evaluation Utility. You can run that tool and it will tell you what network traffic is not working correctly. 

0 Kudos

pete_c
Contributor III
In response to AJPinto

Posted on ‎06-14-2023 10:05 AM

If your deployment still relies on x86-native software, you could have issues reliably installing Rosetta.

0 Kudos

MehdiYawari
New Contributor III
In response to AJPinto

‎06-15-2023 01:59 AM - edited ‎06-15-2023 02:03 AM

Yes I just need more information to narrow this down and understand better what is going on?
I am using Mac Evaluation Utility tool and here is the difference.
Mac connected to Internet:

MehdiYawari_0-1686819186601.png

Mac connected to Corporte Network:

MehdiYawari_2-1686819786012.png

 

It clarifies that mac isnt able to connect to certain Apple Domains.
Here is my other test result:
software -l: No new software update available.
softwareupdate --fetch-full-installer --full-installer-version 12.6.6: Starts to download the macOS update.
softwareupdate --list-full-installer: List all macOS available for this test mac.
But I dont yet unterstand the whole topic with SSL inspection and https interception.
Do you have some info(maybe a link from apple) this regards?

0 Kudos

MehdiYawari
New Contributor III
In response to MehdiYawari

Posted on ‎06-15-2023 02:01 AM

The last column of the list of enterprise network guide says either a apple domain support proxy or not: 
Was does this actually means?

 

0 Kudos

AJPinto
Honored Contributor II
In response to MehdiYawari

Posted on ‎06-15-2023 03:34 AM

SSL Inspection and Redirection means some tool is opening apples traffic and going through things before it gets to the device. This is likely a network security tool, but could also be a malicious actor. Apple will fail all traffic that has been tampered with. You need to work which whatever team controls your network filters and get a bypass put in for apples update server. 

 

Think of it was someone opening your mail and reading the contents before it gets to you. If the envelope contained critical instructions, would you trust instructions were not tampered with if the envelope was opened when you got it?

0 Kudos

MehdiYawari
New Contributor III
In response to AJPinto

Posted on ‎06-16-2023 04:50 AM

Thanks alot
This explain why some updates are available and some not. As they might be getting dropped by this SSL inception.

0 Kudos

MehdiYawari
New Contributor III

Posted on ‎06-29-2023 12:03 AM

Sorry für the late response. Just got a feedback from our proxy team.
I used the mac evaluation utility and found that gdmf.apple.com is blocked by the proxy, although apple domains are not blocked (no ssl intercepted) by our proxy.
We found out that gdmf.apple.com has no trusted issuer (cert-untrusted_issuer,)and is blocked by proxy.
Now I need to ask the security team if they can allow to exclude this domain from proxy.

0 Kudos