VPP server names or addresses?

AVmcclint
Honored Contributor

Our JSS can't seem to communicate with Apple's VPP Servers. We have major firewalls in place here and I've asked our network security teams if they could open some holes for testing to see if it is a firewall blocking the communication. They said they'd be open to that but I need to provide the servers names or addresses that JSS communicates with for all parts of VPP. Is there a list somewhere that might provide this information? My searches have come up short.

9 replies

bpavlov
Honored Contributor

I think this may help. I don't use VPP but my understanding is that it relies on MDM which usually requires access to APN:

https://support.apple.com/en-us/HT203609

And then there is this list:
https://support.apple.com/en-us/HT202944

millersc
Valued Contributor

https://jamfnation.jamfsoftware.com/article.html?id=34

They might want something like this to help them understand what you're asking for.

AVmcclint
Honored Contributor

We already have the ports open, but because of how tight our firewalls are configured, I was hoping to open holes for the specific servers.
This is the only URL I've been able to get: http://ax.itunes.apple.com/ I know how vast Apple's server pools are; I know that there is a chance that, for all I know, there are 1000 server addresses that could be called directly or indirectly. I'm really hoping ax.itunes.apple.com is the only one that matters, but you never know.

bpavlov
Honored Contributor

Perhaps try contacting Apple directly? Also not sure if you read this part from the first link I provided but just in case:

The entire 17.0.0.0/8 address block is assigned to Apple, so it's best to allow this range in your firewall settings.

I know it's not specific servers, but it's a start.

AVmcclint
Honored Contributor

I would love to do that, but our network folks would never open up the firewall to an entire Class A address block. That's wishful thinking around here :)

nessts
Valued Contributor II

Interesting that they would be willing to open to one Apple IP but not all of them; you either need and want the service and trust your partner in this or you don't, I suppose. What if somebody spoofs one of Apple's IP addresses in that big block? Well, what if they spoof the one? Very interesting for sure. Not saying you or they are wrong in their practice, as it's not my head on the line.

bpavlov
Honored Contributor

Yikes! Well I would definitely engage Apple here. I'm sure you guys aren't the only ones that have strict network requirements like this and they can probably provide a few more specifics outside of the KB articles we've posted. Good luck. And if you do get anywhere, and it's allowed, feel free to share as I'm sure someone somewhere down the road will probably benefit from the information.

chriscollins
Valued Contributor

Yep, as the support articles state, those various servers are behind load balancers and the IP addresses change here and there, which is why Apple recommends that you open up the entire block. I have seen them change over time.

We got some pushback from NetOps when we first were requesting these to be open but then we made a similar argument to nessts and they realized it didn't really make any sense to not do it.

John_Wetter
Release Candidate Programs Tester

Like others have said, VPP and APNS are all load-balanced using DNS, so I think it's going to be hard to narrow down the IPs. So, it would probably be best to forward them the Apple KBs and see what they say. There are highly secure facilities using all of these services, so I'm sure you'll be able to get it figured out with your security folks.
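The point made by chriscollins and John_Wetter above (DNS-load-balanced hostnames whose addresses change, all falling inside the 17.0.0.0/8 block quoted from the Apple KB) can be checked rather than argued. The following is an added example, not code from the thread or from Jamf; it resolves a hostname such as the ax.itunes.apple.com name mentioned above, reports which returned addresses fall inside Apple's block, and compares two resolutions so a network team can see for themselves how often the addresses move. The hostname list and the sample snapshots in the test are assumptions constructed for illustration; the block membership logic runs offline.

```python
import ipaddress
import socket

# The address block quoted from the Apple KB earlier in the thread.
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")


def in_apple_block(ip):
    """Return True when the address lies inside 17.0.0.0/8."""
    return ipaddress.ip_address(ip) in APPLE_BLOCK


def resolve(hostname, port=443):
    """Resolve a hostname to its current, sorted set of IPv4 addresses.

    Returns an empty list if resolution fails (no network, unknown name),
    so the caller can treat "unresolvable" as a distinct outcome.
    """
    try:
        infos = socket.getaddrinfo(hostname, port, socket.AF_INET,
                                   socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses):
    """Split addresses into those inside and outside the Apple block.

    Anything in the 'outside' list would not be covered by a 17/8 rule
    and deserves a closer look (CDN front end, typo, or a changed endpoint).
    """
    inside = [a for a in addresses if in_apple_block(a)]
    outside = [a for a in addresses if not in_apple_block(a)]
    return inside, outside


def diff_snapshots(previous, current):
    """Return (added, removed) between two resolutions of the same name.

    Run resolve() on a schedule, keep the results, and feed consecutive
    snapshots here to measure how unstable a per-IP firewall rule would be.
    """
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


if __name__ == "__main__":
    # Hostname from the thread; any other Apple service name could be added.
    # (Assumed list, constructed for this example.)
    for name in ["ax.itunes.apple.com"]:
        addrs = resolve(name)
        if not addrs:
            print(f"{name}: could not resolve")
            continue
        inside, outside = classify(addrs)
        print(f"{name}: {len(inside)} inside 17.0.0.0/8, "
              f"{len(outside)} outside -> {outside}")
```

Running the script twice a few hours apart and passing both result lists to diff_snapshots shows the churn a single-IP rule would have to chase; an empty "outside" list is the evidence that a 17.0.0.0/8 allow rule covers what the name actually resolves to.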