How do I block iMessage on a Network?

Hi John,

Thank you so much for this post.

But I have few question... may be with no answer...

How can we be sure that only those iP addresses are used for iMessage ?

If I check on my network, for the IP addresses Class 17, who belongs to Apple I think, I have other kind of traffic :

for example

17.249.0.0 /16

17.110.0.0 /16

17.174.0.0 /16

I'm pretty sure that some are used by other Apple's services...

What if Apple decides to add on other class B to iMessage servers ?

Cheers

You can block Facetime by turninig it off in the Restrictions setting. iMessage cannot be restricted this way and blocking it on the firewall may cause issues with apps the use APNS, iCloud, etc.. proceed at your own risk.....

Looking at our firewall logs and doing some tests iMessage is going out over port 80 to Apple. If you were to block this like guyhead said, you'll likely block other services or apps from working on the device. I don't really see a way to block iMessage as the students could switch to 3G if the devices support it and still use it. Looking in our MDM solution, doesn't provide an option to restrict access to it either.

http://support.apple.com/kb/ht4245

iMessage uses 80, 443, and 5223. Obviously you cannot block 80 and 443 but 5223 might cripple it without too collateral damage. Below are listed some other services Apple has on 5223:

http://support.apple.com/kb/TS1629

5223

XMPP over SSL, Apple Push Notification Service

-

-

MobileMe (Automatic sync notifications) (see note 9), APNs, FaceTime, Game Center

Godona,

Did you ever have any luck blocking your students to Imessage. We had been doing this with our MDM but after IOS 7 we are seeing students using it again. I am attempting to block it via our firewall with no luck as it appears to work just fine using 443. Just wondering if you had found a solution and if it was still working for you after the release of IOS 7.

Supervise the IOS 7 iPads with Configurator 1.4 and you can disable iMessage in the configurator settings.

If the device is supervised most MDM solutions allow for disabling iMessage as well.

Hi

I have finally succeeded in blocking imessage (and facetime) on the iphones and ipads in my family network by adjusting router settings.

In the router, in my case Netgear, there is an option to block services for a specific number of IP addresses (which I gave fixed numbers in the DHCP table). I blocked port numbers for TCP at 5223 (apple push notification service), 443 ( Secure Sockets Layer (SSL, or "HTTPS")), 2195 (apple push notification service) and 2196 (apple push notification service). Additionally, I blocked according to a time schedule which is also an option in the router settings. During daytime my family is able to imessage and facetime. In the evening and night the above mentioned port numbers are closed. I hope this helps.

Kind regards

Hi Godona,

I have recently blocked iMessage at the firewall and thought I would share.

Blocking port 5223 alone is not enough (but still necessary) and blocking any domain names (ie. albert.apple.com etc.) will not work.

The block needs to happen at the IP address level - here is the approach I took:

There are three ranges of IPs that iMessage uses and need blocking:

17.173.0.1 to 17.173.255.255

17.178.0.1 to 17.178.255.255

17.133.0.1 to 17.133.255.255

Obviously, these are large IP ranges and likely contain services that you still want to use (ie. App Store). There, explicitly ALLOW the following range to enable the App Store:

17.173.65.1 to 17.173.65.255

Caveats:

1. We have only just implemented this block and therefore there may be other Apple services we are not aware of yet that need to be included in the 'Allow' rule.

2. This block also blocks FaceTime

3. With the block in place, the 'Messages' app appears to take a very long time to deliver the message but eventually reports it as delivered. The message does not actually get sent and thus not delivered.

I hope this helps someone as it took me a while to perform the forensics.

Cheers

Thank you for taking the time to outline the necessary networks and settings. I'll test as well and will report back as I learn results. If this works, it will be the blessing of the month.