09-09-2019 01:27 PM
I've installed our Root CA cert in the "System" keychain, and have it marked as trusted. I can successfully decrypt web traffic from a MAC running Mojave. No problems there.
The problem comes in when I try updating the OSX or even check for updates from the CLI.
When I run "softwareupdate -l" in terminal, In the logs on the firewall it appears to be coming through as web browsing app, and getting decrypted.
I ran a packet capture, and it shows the client is resetting the connection after succesffuly going out to swscan.apple.com, which is not whitelisted for decryption exclusions. Has anyone run into issues when trying to decrypt on OSX with a trusted root cert, while trying to update the operating system itself?
Guessing adding these domains to decryption exclusion is going to fix this?
09-09-2019 06:48 PM
Whitelist the following:
That should take care of the software updates and allow your clients to actually update successfully.
09-10-2019 07:04 AM
Correct. Exclude those domains from decryption and your clients should be able to check for and download updates again.
09-09-2019 06:48 PM
Whitelist the following:
That should take care of the software updates and allow your clients to actually update successfully.
09-10-2019 07:00 AM - edited 09-10-2019 07:01 AM
Perfect! As always, an excellent reply! Thank you. When you say whitelist- you mean exclude decryption right?
09-10-2019 07:04 AM
Correct. Exclude those domains from decryption and your clients should be able to check for and download updates again.
03-18-2020 01:18 AM
Hi,BPry
>Whitelist the following:
>....
Andrew
03-18-2020 06:08 AM
That is the actual list yes. You can exclude these domains in either method, personally I like doing it in the decryption rulebase via a custom No-Decrypt URL category.
03-18-2020 06:17 AM
Thank you for reply
I prefer "No-Decrypt URL category" too.
Can i summarize your list to:
*.apple.com
*.cdn-apple.com
It will be a less strict list.
Is such version possible?
Andrew
03-18-2020 06:20 AM
You could. As you said, it would be less restrictive and potentially allow additional traffic that you otherwise could have decrypted and gained insight into.
03-18-2020 06:30 AM
Thank you, I understand.
Best wishes,
Andrew
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
