Controlling access to Apple’s App Store


In this recipe, access to Apple’s App Store is blocked between 7AM and 5PM. During the rest of the day, access is allowed.

This recipe applies to devices running MacOS and iOS devices (iPhone, iPad, or iPod).

1. Enabling Application Control

Go to System > Config > Features and ensure that Application Control is turned ON.  

2. Blocking the App Store

Go to Security Profiles > Application Control and edit the default profile.  

Under Application Overrides, select Add Signatures.

Search for Apple. Highlight the Apple.Store signature, then select Use Selected Signatures.

If you wish to restrict updates from the App Store, you should also select the Apple.Software.Update signature.

The signature now appear in the Application Overrides list, with the Action set to Block.  

3. Creating a schedule

Go to Policy & Objects > Objects > Schedules and create a new schedule.

Set Type to Recurring, select the appropriate Days, and set Start Time to 7AM (Hour 7, Minute 0) and Stop Time to 5PM (Hour 17, Minute 0).


4. Creating a security policy to block the App Store

Go to Policy & Objects > Policy > IPv4 and create a new policy that allows connections from the internal network to the Internet.

Set Schedule to the new schedule.

Enable Application Control and set it to use the new profile.

Enabling Application Control will automatically enable SSL Inspection. In order to inspect traffic from Cloud Applications, the deep-inspection profile must be used.


5. Ordering the security policies

If you do not have a general policy that allows connections from the internal network to the Internet without blocking the App Store, you will need to create one before you can continue with this step.

Go to Policy & Objects > Policy > IPv4 and view your lanwan1 policies.

In the example, the general policy allowing Internet access appears first in the list, followed by the new policy that blocks the App Store. To make sure the App Store is blocked, you must re-order the policies so that the new policy is higher on the list.

To rearrange the policies, select the column on the far left (in the example, Seq.#) and drag the policy to its new position.  

6. Enforcing the schedule

Go to System > Dashboard > Status and enter the following into the CLI Console, substituting the correct Policy ID for the new policy.

This ensures that the App Store is consistently blocked between 7AM and 5PM, even for sessions that start before 7AM.

config firewall policy
  edit <policy-id>
    set schedule-timeout enable

7. Results  

On a Mac or iOS device, attempt to run the App Store application between 7AM and 5PM. The application will not be able to fully load and no new apps can be downloaded.

You can find information about the blocked traffic by going to System > FortiView > Applications and selecting the 5 minutes view.  
After 5PM, you will be able to connect to the App Store.

For further reading, check out Application control in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.