When https inspection is on: Unable to connect to Apple ID server

keithsauer507 · ‎01-09-2018

In our testing when HTTP inspection is turned on, iTunes will not allow us to log into an iTunes account in order to perform a backup of an IOS device (iPad / iPhone). The error message is Unable to connect to Apple ID server.

Does anyone know the category used for Apple products where in Decryption policies I can change it from Monitor to Pass Through? Quite possibly it doesn't like the MITM certificate, even though its trusted from our domain CA.

We had to do this for Finance, Government and Law, Online Meetings (for webex), and a custom category for Microsoft and Adobe updates.

Marvin Rhoads · ‎01-10-2018

iTunes uses certificate pinning and is thus (as you surmised) resistant to MiTM decryption, even from authorized appliances.

You need to create a custom rule for iTunes to exempt its traffic from decryption.

keithsauer507 · ‎01-15-2018

Would you suggest to do an ARIN lookup on apple and just throw their owned IP's into a particular group, then apply that group to HTTPS Decryption and change it to pass-through?

Not sure if anyone out there already has one of these rules in place, and what is the most efficient way to detect its apple itunes.

Marvin Rhoads · ‎01-17-2018

The ARIN lookup scheme is something I have seen used successfully in a similar case. That was for ISE with BYOD where the end user needs a pre-auth ACL to allow access to the Google Play store to download the provisioning client.