Posted on 12-04-2020 08:30 AM
We face some difficulties in setting up our corporate network, allowing access to Apple products for enrolled MacOS devices. Even if we followed the Apple recommendations by allowing in FW outbound connections to 220.127.116.11/8. Having all other external traffic passes through the Proxy. With these configurations, we cannot benefit from a range of Apple services (e.g.AppleStore, OS update, certificate validation etc). Analyzing the logs from FW we found that we have a lot of traffic blocked to Akamai CDN subnets. That's why I assume we don't have access to Apple products which does not supported Proxy Auto-config pac. Simple nslookup for mesu.apple.com shows Non-Authorative name *.akamai.net and remote address from Akamai subsets. Which respectively were not allowed, because our FW does not support rules based on fqdn but only per IP, what has blocked us even more, and we don't know how to solve it correctly
Posted on 12-05-2020 08:16 AM
Your FW is not the only place that you need to check. Not all of Apple's services support Proxy, see Using Apple products on enterprise networks
You will need some way of watching the traffic through the Proxy and then create PAC Bypasses for the services that don't support Proxy. There is a lot that I don't know about your network and your Proxy setup, so I can only speak in general terms. I do know that it can be done because we are running about 3,400 iOS devices behind a Proxy.