Users are increasingly deploying network security measures to combat malware and attacks from bad actors. Although these have traditionally been used by larger organisations, some individuals are now adopting them. Unfortunately, they can have untoward side effects: if you’re not careful, you could end up blocking software updates and even checks on software signatures and notarization.
The most basic protection has traditionally been a firewall between your local network and the Internet, configured to block all incoming and allow all outgoing connections. This remains a safe measure which shouldn’t interfere with any services required by macOS.
That doesn’t, of course, provide any protection against malware running within your network which tries to ‘phone home’, so many users are now using software firewalls such as Little Snitch or Lulu. As I have explained, you must configure those so that they don’t block essential services required by macOS. To do that, you’ll need to permit some outgoing connections to support the services your Mac relies on: that article has links to help you do that. For example, to permit all macOS services you’ll need to allow all outbound connections to *.apple.com or 126.96.36.199/8.
Another measure which is becoming increasingly popular is SSL Inspection (also known as HTTPS Inspection). Some security researchers estimate that around half of all network traffic generated by malware uses encrypted sessions such as HTTPS. SSL Inspection normally uses a proxy to unlock encrypted sessions, check the packets being transferred, and try to identify and block any abuse or malicious activity. Although this might appear to be transparent to services using encrypted connections, it isn’t: those services can detect when SSL Inspection occurs.
Many of Apple’s services now detect SSL Inspection and, because they could themselves be offensive in purpose, they will fail such connections, and the affected service will stop working, possibly in complete silence. Among the services affected are:
- device setup for all Apple OSes
- device management using MDM
- software updates for all Apple OSes, including update catalogs
- macOS Recovery mode
- App Store and app updates from Apple’s stores
- content caching
- softare notarization (ticket delivery)
- certificate validation.
Apple provides full details of these services and their requirements in this recent article.
I’m very grateful to Matthew for drawing my attention to this growing problem.