URL init.ess.apple.com -- legitimate?

Repeatedly asked to enter both my MacBook password as well as my Apple ID to continue to "use the iCloud". Every day for the last week, getting the same message. URL blocked by router malware; the URL is init.ess.apple.com, and the router says the URL is based in China. Now the system settings are locked on my MacBook and the message asking for a password to access iCloud continually displays. Running Sonoma 14.1. When I track the URL, there is a blank screen. Has this happened to anyone else?

Posted on Oct 27, 2023 06:16 PM

Question marked as Top-ranking reply

Posted on Oct 30, 2023 11:29 AM in response to MrHoffman

As the original poster, I contacted Apple Support before posting here. They basically said the very same thing. Not sure if this is a problem with the Sonoma update or if the router is being super sensitive. Given the router has not "glitched" on any Apple sites for more than 2.5 years, it is strange that this URL is being wholly blocked right now.


I should note that while I was online and speaking with Apple Support, I was watching my Console spit out line after line of Sandbox restrictions; it would not stop. I determined that it was probably best to disconnect the internet and stay offline until speaking with Apple again, contacting the router support folks, and determining the validity (if possible) of the URL as well as the IP address (and yes, I know anyone can use a VPN from any country, so there's that to consider).


Finally, this is not my first rodeo with global hacking of all my devices. I will be contacting my ISP as well, given the attempt to hack through the ONT. Thanks for everyone's replies thus far. I will be following Tim Herzog's journey as well.

14 replies
Oct 28, 2023 07:11 AM in response to Tim Herzog II

Tim Herzog II wrote:

I've noticed the same thing: init.ess.apple.com checking into China. My regional blocking is stopping it. It hasn't seemed to affect the operation of my Apple devices, however. Just started within the last week for me.


You will want to contact the app vendor that provided the blocking app you are using. (They're the best to discuss blocks and not-blocks, as (hopefully) they're collecting and curating a list. Otherwise, you get to do that.)


For most cases where details are required, log URL access and related activity for subsequent breach investigations. That can be done either at a local DNS resolver, probably in the local network router, in a local DNS server if you're running one or more of those, or at a DNS hosting provider; some of those almost certainly offer logging and nanny capabilities with no added local software.


Implementing blocking means you own a whole lot more of the issues that this blocking inevitably causes, and a whole lot more of determining what is normal and what is not. And the network access Apple can and does use can and does change over time and across updates.


This host is Apple, and is apparently a content delivery network, and there are enough discussions around the 'net to imply this domain access is normal:

init.ess.apple.com.                    289  IN  CNAME  init-cdn-lb.ess-apple.com.akadns.net.
init-cdn-lb.ess-apple.com.akadns.net.   19  IN  CNAME  appledownload.qtlcdn.com.
appledownload.qtlcdn.com.               20  IN  A      113.5.170.192
appledownload.qtlcdn.com.               20  IN  A      61.161.1.46


Per whois, qtlcdn.com belongs to Wangsu: "Wangsu is a China-based company that provides content delivery network (CDN) and Internet data center (IDC) services."


More generally when considering these classes of network access reports: if the Apple DNS services are serving unauthorized domains and you're then catching access requests to unauthorized domains with local or network-monitoring tools, then there are seemingly two issues in your network:


1: your local or ISP DNS services are either compromised and providing additional translations for known domains, or there's a serious security event happening at Apple and its DNS servers.

2: your local macOS system is somehow also compromised, and is accessing these nefarious translations.


That seems unlikely. Which usually means it's the add-on security apps mis-detecting or otherwise blocking normal access.


To be absolutely clear, allowing or blocking access is entirely your choice, and entirely your prerogative. Installing and maintaining tools to perform that, too. Endpoint security can be useful. But you'll need to have your own or your own contracted IT monitoring determining the validity and necessity of that activity for each domain. You and your IT entirely own these determinations and the associated research and risks, too.


If you should find a necessary-for-normal-operations DNS host entry captured in your tooling that's not listed in Apple's published list, have a chat directly with Apple.


Here is Apple's published list: Use Apple products on enterprise networks - Apple Support


And yes, it appears this host is not listed by Apple. Accordingly, check with Apple Support.
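An added example, not part of this thread or of anything Apple publishes: a small Python script that parses dig-style answer lines like the ones quoted above, follows the CNAME chain to its terminal A records, and reports each hop whose registrable domain differs from the name that was queried. That is the shape of check a router or resolver filter is really making when it decides that an apple.com name "resolves to China". The sample answer section is the chain quoted in this post; the allowlist prefix and the two-label registrable-domain helper are assumptions for illustration, not Apple's published ranges.

```python
"""Follow a CNAME chain in dig-style answer output and report where it leaves
the queried zone. Added example; the answer lines below are the ones quoted
in the post above, and the allowlist prefix is a made-up placeholder."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the dig answer section quoted in the post.
SAMPLE_ANSWER = """
init.ess.apple.com.                    289  IN  CNAME  init-cdn-lb.ess-apple.com.akadns.net.
init-cdn-lb.ess-apple.com.akadns.net.   19  IN  CNAME  appledownload.qtlcdn.com.
appledownload.qtlcdn.com.               20  IN  A      113.5.170.192
appledownload.qtlcdn.com.               20  IN  A      61.161.1.46
"""

# Hypothetical allowlist a router or resolver might carry; not Apple's published ranges.
ALLOWED_PREFIXES = ["17.0.0.0/8"]


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def _norm(name):
    """Strip the trailing dot and lower-case, so names compare equal across hops."""
    return name.rstrip(".").lower()


def parse_answer(text):
    """Parse 'name TTL IN TYPE rdata' lines; skip comments and anything else."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";") or parts[2].upper() != "IN":
            continue
        records.append(RR(_norm(parts[0]), int(parts[1]), parts[3].upper(), _norm(parts[4])))
    return records


def follow_chain(records, qname, max_hops=10):
    """Return (names visited, terminal A addresses); raise on loops or runaway chains."""
    name = _norm(qname)
    chain = [name]
    for _ in range(max_hops):
        targets = [r.rdata for r in records if r.name == name and r.rtype == "CNAME"]
        if not targets:
            addrs = [r.rdata for r in records if r.name == name and r.rtype == "A"]
            return chain, addrs
        nxt = targets[0]
        if nxt in chain:
            raise ValueError(f"CNAME loop at {nxt}")
        chain.append(nxt)
        name = nxt
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


def registrable_domain(name):
    """Two-label approximation (apple.com, akadns.net, qtlcdn.com); wrong for co.uk-style suffixes."""
    return ".".join(name.split(".")[-2:])


def offsite_hops(chain):
    """Hops whose registrable domain differs from the queried name's."""
    home = registrable_domain(chain[0])
    return [n for n in chain[1:] if registrable_domain(n) != home]


def addresses_outside(addrs, prefixes=ALLOWED_PREFIXES):
    """Terminal addresses that fall outside every allowlisted prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in nets)]


def report(text, qname):
    """One dict summarising the chain, its endpoints and what a filter would flag."""
    recs = parse_answer(text)
    chain, addrs = follow_chain(recs, qname)
    return {"chain": chain, "addresses": addrs,
            "offsite_hops": offsite_hops(chain),
            "outside_allowlist": addresses_outside(addrs)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_ANSWER, "init.ess.apple.com").items():
        print(f"{key}: {value}")
```

Feed it `dig +noall +answer init.ess.apple.com` output captured from the resolver the router actually uses; because CDN answers depend on the querying resolver's location, a chain captured from a different resolver (or from a public one) is not evidence of what the router saw. The loop and hop-count guards matter because a filtering appliance that walks CNAMEs without them can be wedged by a misconfigured or hostile zone.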

Oct 28, 2023 05:29 AM in response to Tim Herzog II

Tim Herzog II wrote:

I've noticed the same thing: init.ess.apple.com checking into China. My regional blocking is stopping it. It hasn't seemed to affect the operation of my Apple devices, however. Just started within the last week for me.

That site has nothing to do with China. It is part of Apple's global content delivery network. If whatever "security" software you are using is indicating that init.ess.apple.com is connecting to China, it is either wrong or you have horribly misconfigured it.

Oct 30, 2023 05:39 AM in response to MrHoffman

Thank you for the response. I will look into it and contact Apple. It seems that regional blocking is doing its job. The question is whether an exception should be entered for these domains if they are legitimate.


I haven't noticed any issues with them being blocked. It seems to be related to ad content. I notice it happens when my children are using the iPads to play games or my wife is browsing on her MacBook.


If I get a response I will follow up. Thanks again for the response.

Oct 30, 2023 05:57 AM in response to Tim Herzog II

Tim Herzog II wrote:

It seems that regional blocking is doing its job. The question is whether an exception should be entered for these domains if they are legitimate.

No, it's not. Content delivery networks work by associating a domain name with servers that are closest to your location. When I check that domain name, it returns servers in Canada. The only way that domain would resolve to China is if you were in China.


The most likely explanation is that everything on the internet side is working perfectly and your router is horribly buggy, as those things often are.

It seems to be related to ad content.

It is related to Apple's end-to-end encryption for Messages.

I notice it happens when my children are using the iPads to play games or my wife is browsing on her MacBook.

It is a system task that runs constantly in the background.

Nov 3, 2023 04:05 AM in response to etresoft

Update: after contacting Apple Support, they said this needed to be escalated to enterprise support. However, I never received contact back, but after contacting them I went from 10 to 20 alerts a day for multiple devices to 0.


My router may have updated. I see it rebooted itself and all traffic and data usage history prior to Nov 1st is now gone.


If I get bored I will investigate further and do a packet capture.


