Internet Recovery Firewall Rules

Jason
Contributor II

Looking at opening up Internet Recovery. According to the Apple article https://support.apple.com/en-us/HT202481, we need these two rules allowed:

Resolve DNS for host osrecovery.apple.com and contact it on port 80 (HTTP) and port 443 (HTTPS)
Resolve DNS for host oscdn.apple.com and contact it on port 80 (HTTP) and port 443 (HTTPS)

osrecovery.apple.com ends up resolving to a 17.0.0.0/8 address, so we're good there.
oscdn.apple.com seems to resolve to a 23.0.0.0/8 address (Akamai).

We don't do DNS resolution on our FW, so we can't just allow oscdn.apple.com out; we'd have to do an IP or range. Is anyone else aware of a way to handle this (besides the obvious)?

Thanks
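An added example, not part of the original post: a Python check of whether a firewall's static ranges cover the addresses that the two hostnames from the Apple article resolve to. The function names, the sample addresses and the fallback behaviour are assumptions made for illustration; the sample data is constructed, not captured.

```python
import ipaddress
import socket

# Hostnames from the Apple article quoted in the post; both need ports 80 and 443.
HOSTS = ("osrecovery.apple.com", "oscdn.apple.com")
# Ranges mentioned in the post as candidate firewall rules.
ALLOWED = ("17.0.0.0/8", "23.0.0.0/8")

# Constructed sample answers so the check also runs offline.
SAMPLE = {
    "osrecovery.apple.com": {"17.0.0.10"},
    "oscdn.apple.com": {"23.0.0.10", "203.0.113.7"},
}

def resolve(host, port=443):
    """Return the addresses the local resolver currently gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def coverage_gaps(resolved, allowed_cidrs):
    """Map each host to the resolved addresses that no allowed range covers."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    gaps = {}
    for host, addrs in resolved.items():
        gaps[host] = sorted(
            addr for addr in addrs
            if not any(ipaddress.ip_address(addr) in net for net in nets)
        )
    return gaps

if __name__ == "__main__":
    try:
        answers = {host: resolve(host) for host in HOSTS}
    except socket.gaierror:
        answers = SAMPLE  # no DNS available: fall back to the constructed data
    for host, missing in coverage_gaps(answers, ALLOWED).items():
        status = "covered" if not missing else "NOT covered: " + ", ".join(missing)
        print(f"{host}: {status}")
```

Run it repeatedly from a client on the affected network, since answers for a CDN-hosted name can differ by resolver and over time.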

3 REPLIES

prbsparx
Contributor II

@jason - I’m working on the same exact issue at my company. If we come up with a solution I’ll ask to share it.

musat
Contributor III

Did you ever get this figured out? I have been trying to get this open, but keep getting a 2105 error when starting Internet Recovery using Command-Option-R. The MacBook is connected to the network using a Thunderbolt-Ethernet dongle. I even tried adding the 23.0.0.0/8 range, just to see if it would work, but still get the error.
Thanks for any insight that can be shared,
Tim

Cayde-6
Release Candidate Programs Tester

For us, we had to open up the firewalls and disable any SSL inspections, packet inspection or anything that could break TLS.