https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3308547#M532 <P>In our testing when HTTP inspection is turned on, iTunes will not allow us to log into an iTunes account in order to perform a backup of an IOS device (iPad / iPhone).&nbsp; The error message is Unable to connect to Apple ID server.</P> <P>&nbsp;</P> <P>Does anyone know the category used for Apple products where in Decryption policies I can change it from Monitor to Pass Through?&nbsp; Quite possibly it doesn't like the MITM certificate, even though its trusted from our domain CA.</P> <P>We had to do this for Finance, Government and Law, Online Meetings (for webex), and a custom category for Microsoft and Adobe updates.</P> Sat, 09 Mar 2019 01:42:00 GMT keithsauer507 2019-03-09T01:42:00Z https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3308547#M532 <P>In our testing when HTTP inspection is turned on, iTunes will not allow us to log into an iTunes account in order to perform a backup of an IOS device (iPad / iPhone).&nbsp; The error message is Unable to connect to Apple ID server.</P> <P>&nbsp;</P> <P>Does anyone know the category used for Apple products where in Decryption policies I can change it from Monitor to Pass Through?&nbsp; Quite possibly it doesn't like the MITM certificate, even though its trusted from our domain CA.</P> <P>We had to do this for Finance, Government and Law, Online Meetings (for webex), and a custom category for Microsoft and Adobe updates.</P> Sat, 09 Mar 2019 01:42:00 GMT https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3308547#M532 keithsauer507 2019-03-09T01:42:00Z https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3309162#M533 <P>iTunes uses certificate pinning and is thus (as you surmised) resistant to MiTM decryption, even from authorized appliances.</P> <P>&nbsp;</P> <P>You need to create a custom rule for iTunes to exempt its traffic from decryption.</P> Wed, 10 Jan 2018 17:51:03 GMT https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3309162#M533 Marvin Rhoads 2018-01-10T17:51:03Z https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3311711#M534 <P>Would you suggest to do an ARIN lookup on apple and just throw their owned IP's into a particular group, then apply that group to HTTPS Decryption and change it to pass-through?</P> <P>&nbsp;</P> <P>Not sure if anyone out there already has one of these rules in place, and what is the most efficient way to detect its apple itunes.</P> Mon, 15 Jan 2018 21:14:31 GMT https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3311711#M534 keithsauer507 2018-01-15T21:14:31Z https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3312678#M535 <P>The ARIN lookup scheme is something I have seen used successfully in a similar case. That was for ISE with BYOD where the end user needs a pre-auth ACL to allow access to the Google Play store to download the provisioning client.&nbsp;</P> Wed, 17 Jan 2018 09:46:26 GMT https://community.cisco.com/t5/cloud-security/when-https-inspection-is-on-unable-to-connect-to-apple-id-server/m-p/3312678#M535 Marvin Rhoads 2018-01-17T09:46:26Z