Configuring SSL Inspection for Apple Services in Zscaler

How to avoid SSL handshake errors with Apple services that use certificate pinning while maintaining effective SSL inspection policies.

Overview

Many Apple services enforce certificate pinning, which conflicts with Zscaler's SSL inspection. When Zscaler intercepts a TLS connection and re-signs the server certificate with its own intermediate CA, the client sees a chain that does not match the pinned certificate or public key. The pinned check fails, resulting in SSL handshake errors and blocked Apple functionality.

This article explains how to configure Zscaler Internet Access (ZIA) to work around these issues without compromising security posture.


Why Certificate Pinning Affects SSL Inspection

Certificate pinning ensures a service or app will only trust a specific certificate or public key. SSL inspection breaks this trust because the client is presented with a chain issued by the inspecting CA instead of the expected one. This affects:

  • iOS/macOS updates
  • App Store and iCloud
  • Apple Maps, FaceTime, and more

🔗 Learn more: Zscaler Certificate Pinning and SSL Inspection


Recommended Steps

1. Bypass SSL Inspection for Apple Domains

To prevent errors with Apple services that use pinning, configure SSL inspection bypass:

  • Go to: Policy > SSL Inspection > SSL Inspection Policy Control
  • Add bypass rules for Apple-related domains.

Common Apple domains to bypass:

*.apple.com
*.icloud.com
*.itunes.apple.com
*.api.apple-cloudkit.com

Tip: Use traffic logs to discover additional domains affected by pinning.


2. Deploy Zscaler Root Certificate (For Non-Pinned Services)

For Apple services not using certificate pinning, you can safely inspect SSL traffic if the Zscaler root certificate is trusted by the user’s device:

  • Install the Zscaler Root CA on all endpoints.
  • Ensure it’s placed in both the system and browser trust stores.

3. Use Zscaler Client Connector with Policy-Based Exceptions

If using Zscaler Client Connector:

  • Ensure SSL inspection is correctly enabled in the app’s profile.
  • Use policy-based domain exclusions for Apple-pinned traffic only.

Best Practices

  • Limit bypass scope: Only exclude domains you’ve confirmed are impacted.
  • Log and monitor: Use traffic logs or packet captures to identify handshake failures.
  • Stay updated: Regularly check Zscaler Help and Community for Apple-related updates.
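
The tip in step 1 and the "Log and monitor" practice above both come down to the same workflow: find the hosts whose TLS handshakes fail, see which of them an existing bypass rule already covers, and keep the bypass list minimal. The script below is an added example written for this article; it is not SecureDynamics or Zscaler code. The log lines are constructed in a simplified key=value layout (not Zscaler's actual log schema), the bypass patterns are the ones listed in step 1, and the wildcard semantics in host_matches() (a leading "*." matches any subdomain depth but not the bare apex) are an assumption for this script, which you should confirm against Zscaler's own URL matching rules before relying on it.

```python
"""Triage TLS handshake failures from proxy logs against an SSL-inspection
bypass list.

Added illustration for the KB article. The log layout, field names and
values are constructed and are NOT Zscaler's real log schema. The wildcard
semantics in host_matches() are an assumption for this script and must be
confirmed against the product's own matching rules.
"""
from collections import Counter

# Bypass patterns from the article's step 1.
BYPASS_PATTERNS = [
    "*.apple.com",
    "*.icloud.com",
    "*.itunes.apple.com",
    "*.api.apple-cloudkit.com",
]

# Constructed sample log lines (simplified key=value layout, not a real export).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=gs.apple.com action=ALLOW ssl=inspected status=200
2024-05-01T10:00:02Z host=mesu.apple.com action=BLOCK ssl=handshake_failure status=0
2024-05-01T10:00:03Z host=apple.com action=BLOCK ssl=handshake_failure status=0
2024-05-01T10:00:04Z host=push.apple.com action=BLOCK ssl=handshake_failure status=0
2024-05-01T10:00:05Z host=example.org action=ALLOW ssl=inspected status=200
2024-05-01T10:00:06Z host=gateway.icloud.com action=BLOCK ssl=handshake_failure status=0
2024-05-01T10:00:07Z host=mesu.apple.com action=BLOCK ssl=handshake_failure status=0
2024-05-01T10:00:08Z host=courier.push.apple.com action=BLOCK ssl=handshake_failure status=0
2024-05-01T10:00:09Z host=updates.cdn-apple.com action=BLOCK ssl=handshake_failure status=0
"""


def parse_log(text):
    """Parse 'timestamp key=value key=value ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def host_matches(host, pattern):
    """Assumed wildcard semantics: '*.apple.com' matches any depth of
    subdomain under apple.com but not the bare apex 'apple.com'.
    A pattern without a wildcard must match the host exactly."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".apple.com"
    return host == pattern


def is_bypassed(host, patterns):
    return any(host_matches(host, p) for p in patterns)


def redundant_patterns(patterns):
    """Patterns whose every possible match is already covered by another
    pattern in the list (under the assumed semantics above)."""
    redundant = []
    for i, pat in enumerate(patterns):
        # A representative host the pattern would match.
        probe = pat.replace("*", "probe", 1) if pat.startswith("*.") else pat
        if any(j != i and host_matches(probe, other)
               for j, other in enumerate(patterns)):
            redundant.append(pat)
    return redundant


def triage(records, patterns):
    """Count handshake failures per host and split them into hosts a bypass
    rule already covers versus candidates that still need investigation."""
    failures = Counter(r["host"] for r in records
                       if r.get("ssl") == "handshake_failure" and "host" in r)
    covered = {h for h in failures if is_bypassed(h, patterns)}
    candidates = [(h, n) for h, n in failures.items() if h not in covered]
    return {
        "failures": dict(failures),
        "already_bypassed": sorted(covered),
        # Most frequent first, then alphabetical for stable output.
        "candidates": sorted(candidates, key=lambda kv: (-kv[1], kv[0])),
        "redundant_patterns": redundant_patterns(patterns),
    }


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), BYPASS_PATTERNS)
    print("Failing hosts already covered by a bypass rule:")
    for host in report["already_bypassed"]:
        print(f"  {host} ({report['failures'][host]} failures)")
    print("Failing hosts NOT covered (confirm pinning before bypassing):")
    for host, count in report["candidates"]:
        print(f"  {host} ({count} failures)")
    print("Bypass patterns that may be redundant:", report["redundant_patterns"])
```

Two things the output is meant to make visible. First, a failing host that no rule covers (here the apex apple.com and a host under a different registrable domain) is a lead, not a verdict: confirm the failure is a pinning failure before widening the bypass, in line with the "limit bypass scope" practice. Second, whether a pattern such as *.itunes.apple.com is redundant next to *.apple.com depends entirely on how the product matches wildcards and apex names; the script flags the overlap under its own assumed semantics, and if Zscaler's rules differ, keeping the explicit entry is the safer choice.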

Deployment Guidance: MSSP vs. Standard Projects

SecureDynamics generally applies these types of SSL inspection bypass rules only as part of our MSSP (Managed Security Services Provider) program.

For customers going through a standard Zscaler deployment, we recommend:

  • Thoroughly reviewing the content of this KB article
  • Using it as a reference to define which Apple services should be bypassed
  • Working with your assigned Zscaler deployment engineer and/or education specialist to:
    • Understand SSL inspection behavior
    • Learn how to apply, test, and maintain these policies within your own environment

This approach empowers your internal team to confidently manage SSL exceptions and customize them as needed over time.


Summary

Apple’s use of certificate pinning requires thoughtful configuration of SSL inspection. By bypassing only the necessary domains, deploying certificates properly, and leveraging Client Connector, you can ensure seamless Apple service access while maintaining robust security.