01-09-2018 12:06 PM - edited 03-08-2019 05:42 PM
In our testing, when HTTP inspection is turned on, iTunes will not allow us to log into an iTunes account in order to perform a backup of an iOS device (iPad / iPhone). The error message is "Unable to connect to Apple ID server."
Does anyone know the category used for Apple products where, in Decryption policies, I can change it from Monitor to Pass Through? Quite possibly it doesn't like the MITM certificate, even though it's trusted from our domain CA.
We had to do this for Finance, Government and Law, Online Meetings (for webex), and a custom category for Microsoft and Adobe updates.
01-10-2018 09:51 AM
iTunes uses certificate pinning and is thus (as you surmised) resistant to MiTM decryption, even from authorized appliances.
You need to create a custom rule for iTunes to exempt its traffic from decryption.
01-15-2018 01:14 PM
Would you suggest doing an ARIN lookup on Apple and just throwing their owned IPs into a particular group, then applying that group to HTTPS Decryption and changing it to pass-through?
Not sure if anyone out there already has one of these rules in place, and what the most efficient way is to detect that it's Apple iTunes.
01-17-2018 01:46 AM
The ARIN lookup scheme is something I have seen used successfully in a similar case. That was for ISE with BYOD where the end user needs a pre-auth ACL to allow access to the Google Play store to download the provisioning client.
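To make the two exemption approaches in this thread concrete, here is an added example (not from any poster, and not WSA code) that models a pass-through decision the way a decryption policy with custom categories would evaluate it: a hostname-suffix category for the pinning app and an IP-prefix category built from an ARIN lookup. The prefixes and domain names are constructed placeholders, and the example also reports how many addresses an IP-based exemption leaves uninspected, which is the trade-off a defender should weigh before choosing the ARIN route.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed placeholder rules (not Apple's real allocations or hostnames).
# On the appliance these would be custom URL categories referenced by a
# Decryption Policy whose action is "Pass Through".
PASSTHROUGH_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("192.0.2.0/24", "198.51.100.0/25", "198.51.100.128/25")
]
PASSTHROUGH_SUFFIXES = (".example-itunes.invalid",)  # hostname-based category


def collapse(prefixes: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent/overlapping prefixes so the custom category stays small."""
    return list(ipaddress.collapse_addresses(prefixes))


def host_matches(host: str, suffixes: Iterable[str]) -> bool:
    """True when host equals a suffix's apex or ends with the suffix."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def decrypt_action(host: Optional[str], dst_ip: str,
                   prefixes=PASSTHROUGH_PREFIXES,
                   suffixes=PASSTHROUGH_SUFFIXES) -> str:
    """Return 'passthrough' (no MITM) if the destination is exempt, else 'monitor'.

    The hostname category is checked first (SNI is the more precise signal);
    the IP category catches clients whose hostname is not visible.
    """
    if host and host_matches(host, suffixes):
        return "passthrough"
    if any(ipaddress.ip_address(dst_ip) in net for net in collapse(prefixes)):
        return "passthrough"
    return "monitor"


def exempt_coverage(prefixes=PASSTHROUGH_PREFIXES) -> int:
    """Number of addresses an IP-based exemption removes from inspection.

    Every host served from these ranges is passed through, not only iTunes,
    so a large count means the exemption is broader than the pinning app.
    """
    return sum(net.num_addresses for net in collapse(prefixes))
```

Note that an unrelated host landing in one of the ARIN-derived ranges is also passed through, which is why the hostname category is the narrower rule where the client presents SNI.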