Due to severe bandwidth limitations we use a lot of blocking and content filtering. As such, we block video & music as a Layer 7 firewall rule.
However... we're configuring an Apple Caching server. The idea is that the caching server has more bandwidth allocated to it; the clients sign in with Apple on a throttled connection, then are redirected to the caching server for the payload. However, we have to unblock iTunes everywhere for it to work. (Ugh)
I'd like to block this category, but allow only iTunes. The only way I've seen so far is to add the individual items in the group separately. However, this also defeats the purpose of the Meraki magic of dynamically updated lists. I don't suppose anyone has other ideas.
@Aaron_Wilson - I'm so glad I'm not the only one thinking it's strange that you can't set an "Allow" in the layer 3.
Add a firewall exception for the local server in the device - white-list?
As @Priesty says, you can assign the whitelist group policy to the caching server.
Another option is to create a group policy for the caching server on a schedule. So leave it limited during the day, and take away the restrictions at night time.
The caching server is on a whitelist already. The challenge is that every client also has to get to iTunes to authenticate with Apple servers before pulling down the payload. Since these systems constitute a dynamic list, assigning a special policy just to them isn't really feasible. So it's an all-or-nothing thing.
What about the switch level, add a group policy?