Block Apple App updates?

starbuck
Here to help


Apple App updates for iOS users are really soaking up a lot of our bandwidth and I'm looking for a way to block our guest connections from being able to download all their iOS app updates.

I tried blocking iOS updates as per the FAQ, but it doesn't seem to have any effect on App Store app updates?

PhilipDAth
Kind of a big deal

I'm not sure specifically about App updates, but I have used this before to block iOS updates:

Security Appliance/Firewall/[scroll down to]Layer 7

Software & Antivirus Updates/Software Updates

 

BrandonS
Kind of a big deal

How do you know this?  Do you see Apple App Updates as a category under traffic analytics?  If so, you can click that category to see details that can be used to create firewall rules.  

- Ex community all-star (⌐⊙_⊙)
PhilipDAth
Kind of a big deal

@BrandonS it just seemed the most likely category.  I was helping a company with a large number of guest WiFi areas and they were getting smashed over with bandwidth every time Apple released an update.  This stopped the problem from happening, so it definitely worked.

BrandonS
Kind of a big deal

@PhilipDAth I was replying to the OP, @starbuck

 

It is not clear to me how he knows individual app updates specifically are causing issues as opposed to anything else..

- Ex community all-star (⌐⊙_⊙)

I know because I actually tested it in real time. I have my iPhone assigned to a group policy that has layer 7 deny rules using the predefined 'Software Updates' option and also has HTTP deny rules for the two Apple domains as recommended in the Meraki FAQ/blog post here: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Blocking_or_rate_limiting_iOS_...

I ensured that the policy had plenty of time to be active. I even disconnected my iPhone from the network and rejoined to be sure, and then I tried to update the apps and they would update with no problem.

BrandonS
Kind of a big deal

You may need to turn to packet captures to get some clues then.  I just did a quick capture while updating apps from my iPhone and see it is using different servers.  Maybe try these:

 

CNAME su-cdn.itunes-apple.com.akadns.net., CNAME su-applak.itunes-apple.com.akadns.net., CNAME su.itunes.apple.com.edgekey.net., CNAME e673.a.akamaiedge.net

 

No guarantee they don't break other things or change, of course..

- Ex community all-star (⌐⊙_⊙)
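Added example (not part of any post in this thread): a minimal Python parser that pulls the CNAME chain out of a raw DNS response payload, such as one taken from the packet capture suggested above. The sample message is constructed; the query name `updates.example.test.` is a placeholder, and the alias order between the two hostnames taken from the reply is assumed.

```python
import struct

def read_name(msg, off):
    """Decode the DNS name at off, following compression pointers (RFC 1035 4.1.4)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # 2-byte pointer to an earlier name
            if resume is None:
                resume = off + 2                   # parsing continues after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:                               # root label ends the name
            return ".".join(labels) + ".", resume if resume is not None else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def cname_chain(msg):
    """Return (owner, target) for every CNAME record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                       # fixed header length
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
    chain = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                             # CNAME
            chain.append((owner, read_name(msg, off)[0]))
        off += rdlen
    return chain

def enc(name):
    """Uncompressed wire encoding, used here only to build the sample message."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def rr(owner, target):
    rdata = enc(target)
    return owner + struct.pack("!HHIH", 5, 1, 60, len(rdata)) + rdata

# Constructed response: placeholder query name; alias order assumed for illustration.
QNAME, EDGE = "updates.example.test.", "su.itunes.apple.com.edgekey.net."
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + enc(QNAME) + struct.pack("!HH", 1, 1)
          + rr(b"\xc0\x0c", EDGE) + rr(enc(EDGE), "e673.a.akamaiedge.net."))
```

Calling `cname_chain()` on each DNS response payload from a capture lists every alias hop between the name the device asked for and the CDN name it ends up on.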
ccnewmeraki
Getting noticed

Why not just put in place traffic shaping rules rather than blocking things?

If the rules are set well enough they will prevent any noticeable impact on your network or your users.

If you try and make a rule specific enough that it only catches the Apple App Store, it will probably stop working at some point when Apple make changes to their servers, or it may unintentionally break something your users require.

We have this rule set up in one of our offices which only has a 20 Mbps connection and 30 users:

meraki shaping4.png 
gvt1.com is the Google Play Store update server so everything is covered.

Then just make sure you tell the appliance the WAN connection speed in Security Appliance > Traffic Shaping 

Thanks for this information. We don't have unlimited data each month so this is about data volume/quota management.  
