MacOS Big Sur – gatekeeper? slowing down opening applications


At a facility where I work, we have several Mac Pros and Mac Minis.
We need to upgrade from Mojave to Big Sur so we can upgrade our various production tools, e.g. Pro Tools, DaVinci Resolve Studio.
As a test, I installed Big Sur from scratch on a Mac Pro (trashcan model), and it appears that if the computer detects any kind of connection, either wireless or wired, it tries to contact some Apple servers. This happens every time we open third-party applications. The problem is that our wired Mac computers do not have access to the internet, so just trying to open Pro Tools takes about 10 minutes. The app icon just bounces and bounces. Sometimes the app does not even open at all after bouncing for over 10 minutes.

I found out that Big Sur is trying to contact Apple servers because that's what it shows in our firewall's logs. These are the servers:

ussjc2-vip-bx-001.aaplimg.com,
ussjc2-vip-bx-002.aaplimg.com,
ussjc2-vip-bx-003.aaplimg.com,
ussjc2-vip-bx-004.aaplimg.com,
ussjc2-vip-bx-005.aaplimg.com,
ussjc2-vip-bx-006.aaplimg.com,
ussjc2-vip-bx-007.aaplimg.com,
ussjc2-vip-bx-008.aaplimg.com

So basically it tries to connect to the first server, then it waits; when it does not get a reply, it tries the second server, and so forth.

It does this even after we opted out of any analytics, but then again, this wouldn't be the first time software developers get caught doing something they're not supposed to do.

Any idea what might be going on or how to disable this behavior?

Cheers!

SuperVertix

Best Answer

You absolutely want to open up all outbound ports to the entire 17.0.0.0/8 address block which is assigned to Apple as a first step.

Next, get this article to your network and security teams.

If they balk, call your Apple store (or whoever you buy your Macs from) and ask for a short call with Apple Business to sort out why doing all of the things is the best plan for speed and security.

If your team isn’t convinced this is correct, set up a new network segment and do some A / B testing. Apple has made some very nice optimizations so notarization, certificate validation and other checks are cached very well now. Some even work with a proxy but some will not tolerate any manner of proxy or deep inspection / manipulation of the traffic.
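
For the network team doing the comparison described above, a firewall-log triage script can show how many denied outbound attempts per Mac fall inside 17.0.0.0/8 and how long each run of retries lasted. This is an added example, not part of the original answer; the log line format, the internal addresses and the destination addresses are constructed assumptions, so adapt the regular expression to your firewall's export.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")  # block named in the answer

# Constructed sample lines; the format and every address are assumptions.
SAMPLE_LOG = """\
2021-03-02T10:15:00 DENY src=10.0.5.21 dst=17.253.0.11 dport=443
2021-03-02T10:16:15 DENY src=10.0.5.21 dst=17.253.0.12 dport=443
2021-03-02T10:17:30 DENY src=10.0.5.21 dst=17.253.0.13 dport=443
2021-03-02T10:17:31 ALLOW src=10.0.5.21 dst=10.0.0.2 dport=53
2021-03-02T10:18:45 DENY src=10.0.5.21 dst=17.253.0.14 dport=80
2021-03-02T10:19:00 DENY src=10.0.5.30 dst=203.0.113.10 dport=443
not a firewall line
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def summarize_denied(log_text, block=APPLE_BLOCK):
    """Return (per-source stats for denies inside block, denies outside it)."""
    inside = defaultdict(lambda: {"dests": set(), "ports": set(), "times": []})
    outside = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue  # skip allowed traffic and unparseable lines
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed destination field
        if dst in block:
            rec = inside[m["src"]]
            rec["dests"].add(str(dst))
            rec["ports"].add(int(m["dport"]))
            rec["times"].append(datetime.fromisoformat(m["ts"]))
        else:
            outside[m["src"]].add(str(dst))  # the proposed rule would not cover these
    report = {}
    for src, rec in inside.items():
        span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        report[src] = {"attempts": len(rec["times"]), "dests": sorted(rec["dests"]),
                       "ports": sorted(rec["ports"]), "span_seconds": span}
    return report, {s: sorted(d) for s, d in outside.items()}

if __name__ == "__main__":
    print(summarize_denied(SAMPLE_LOG))
```

A long `span_seconds` with several distinct destinations for one source matches the serial retry pattern described in the question; entries in the second dictionary are denies that opening 17.0.0.0/8 alone would not change.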