I had a similar experience when blocking "Entertainment - MP3 and Audio Download services", which blocked Apple devices accessing the App Store and iTunes. Allowing the category wasn't an option, so we added http://itunes.apple.com under a custom allowed category.
This got the apple store working but purchases wouldn't go through.
We're using the Network Agent, and blocks were occurring for subnets in 17.X.X.X networks at the time of testing. Supposedly the whole of 17.0.0.0/8 is allocated to Apple. Apple use a whole heap of different addresses on different subnets of that scope, so we couldn't just add each of them as an exception, i.e. https://17.x.x.x:443.
We ended up using "Recategorize URL" and then "Advanced" to add a Regular Expression of "^https://17\." (without quotation marks). This allowed all of 17.0.0.0/8 as a custom allow category.
If you want to be more security conscious you can run an "Investigative Report" and use the search textbox for a "Destination IP" of "17." and maybe track down the main subnets in use. Bear in mind that running too many Regular Expressions may have a performance impact.
My logs so far indicate that the Apple stores use ~140 unique IP addresses, on 23 different /24 networks, on 8 different /16 networks.
If you wanted to go the route of only allowing the smaller subnets, such as the 17.149.156.0/24 subnet, you'd use a Regular Expression of "^https://17\.149\.156\." (without quotation marks).
My limited explanation of this is that the ^ means 'at the start of the line'. It then matches https://17. Next comes the \; in regular expression use the full stop is a special character, so there's a backslash before it to say 'the next character should be taken literally'. Then it matches 149, and then another full stop, etc.
Alternately you can keep checking the logs and put all of the hits you see in the format previously suggested by Susie, https://X.X.X.X:443. You'd have to make sure to keep an eye on this though: if you miss an address or a new server is added, then users will have intermittent issues until you add it.
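The following is an added example, not code from the post above or from the filter vendor, showing why the escaped dot in "^https://17\." matters and how the "check the logs, count the /24s and /16s" approach can be automated. The destination URLs are a constructed sample (not real Apple addresses, not taken from anyone's logs) in the bare IP:port form the Network Agent records for HTTPS; the helper names and the assumption that only /8, /16 and /24 prefixes need a regex are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of logged HTTPS destinations (assumption: the filter sees
# HTTPS as https://IP:443). Includes a duplicate hit and two decoys that a
# sloppy expression would wrongly allow.
SAMPLE_URLS = [
    "https://17.149.156.10:443",
    "https://17.149.156.44:443",
    "https://17.149.157.5:443",
    "https://17.172.20.9:443",
    "https://17.172.20.9:443",      # duplicate hit, counted once
    "https://170.10.10.10:443",     # decoy: starts with "17" but is not in 17/8
    "https://172.16.5.5:443",       # decoy: RFC 1918 space
    "http://itunes.apple.com/",     # hostname; covered by the custom allowed URL
]

# The two expressions from the post: anchored with ^ and with the dot escaped.
APPLE_SLASH8 = re.compile(r"^https://17\.")
APPLE_SLASH24 = re.compile(r"^https://17\.149\.156\.")
# The /8 rule with the dot left unescaped: "." then matches ANY character.
SLOPPY_SLASH8 = re.compile(r"^https://17.")


def allowed(pattern, url):
    """True if the recategorize regex would match this destination."""
    return pattern.match(url) is not None


IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")


def destination_ip(url):
    """Return the IPv4 address of a bare-IP URL, or None for a hostname."""
    m = IP_URL.match(url)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ValueError:
        return None


def summarise(urls):
    """Count unique destination IPs and the /24 and /16 networks they sit in."""
    ips = {ip for ip in (destination_ip(u) for u in urls) if ip is not None}
    by24, by16 = defaultdict(set), defaultdict(set)
    for ip in ips:
        by24[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
        by16[ipaddress.ip_network(f"{ip}/16", strict=False)].add(ip)
    return {"unique_ips": len(ips), "slash24": dict(by24), "slash16": dict(by16)}


def regex_for_network(net):
    """Build the '^https://a\\.b\\.c\\.' style expression for a /8, /16 or /24."""
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned prefixes map to a dot-separated regex")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return "^https://" + "".join(re.escape(o) + r"\." for o in octets)


def allow_list_for(urls, prefixlen=24, within=ipaddress.ip_network("17.0.0.0/8")):
    """One narrow regex per observed /24 (or /16) inside the Apple /8, nothing else."""
    nets = set()
    for u in urls:
        ip = destination_ip(u)
        if ip is not None and ip in within:
            nets.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return sorted(regex_for_network(n) for n in nets)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:32} /8:{allowed(APPLE_SLASH8, url)!s:6} "
              f"sloppy:{allowed(SLOPPY_SLASH8, url)!s:6} /24:{allowed(APPLE_SLASH24, url)}")
    s = summarise(SAMPLE_URLS)
    print(f"{s['unique_ips']} unique IPs, {len(s['slash24'])} /24s, {len(s['slash16'])} /16s")
    print("\n".join(allow_list_for(SAMPLE_URLS)))
```

Running it shows the decoys 170.10.10.10 and 172.16.5.5 slipping past the unescaped "^https://17." but not past "^https://17\.", and it emits one "^https://17\.a\.b\." line per /24 actually seen, which is the list you would paste into the custom category instead of opening the whole /8.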