
iOS - Network and Firewall

Building the DevApp requires your Mac to download dependencies from a small set of external hosts. If you work behind a corporate firewall — common at banks and other organizations with locked-down networks — your IT or network-security team must allow outbound access to each of the hosts on this page before Xcode can resolve Swift packages and complete its first build.

Hand this page to your IT team

This page is intended to be self-contained. Send the link directly to whoever manages your firewall or proxy rules; every detail they need to make an allow-list decision is below.

Summary

| Direction | Protocol | Port | Required? |
|---|---|---|---|
| Outbound | HTTPS | 443 | Required |
| Outbound | SSH (TCP) | 22 | Recommended — used to clone the DevApp over SSH |

No inbound rules are required.

Cloning over SSH vs. HTTPS

The recommended way to clone the DevApp is over SSH (port 22) — it uses a key instead of a password and integrates cleanly with Xcode and command-line Git. If your firewall policy strictly forbids outbound port 22, you can clone over HTTPS (port 443) using your Personal Access Token instead. See DevApp Setup for both flows.

Required hosts

These hosts must be reachable for the DevApp to build, resolve SPM packages, and run.

| Host | Why it is required |
|---|---|
| code.q2developer.com | Q2's GitLab instance. Hosts the DevApp source code and the private Swift Package registry that ships Q2's SDK libraries and partner modules. Required. |
| developer.apple.com | Apple Developer portal. Required to download Xcode, iOS Simulator runtimes, and provisioning profiles. Required. |
| swiftpackageindex.com | Swift Package Index — used by SPM to resolve public package metadata. Required when the project references packages listed there. |
| github.com | Hosts open-source Swift packages referenced by Q2's SDK (pulled over HTTPS by SPM). Required. |
| raw.githubusercontent.com | Hosts package manifest and archive downloads for GitHub-hosted Swift packages. Required. |
| objects.githubusercontent.com | GitHub's CDN for package source archives. Required alongside github.com. |
| api.apple-cloudkit.com | Used by Xcode for Apple services and developer account validation. Required. |
| updates.cdn-apple.com | Apple's CDN for Xcode and Simulator runtime updates. Required to install or update Xcode and download additional Simulator runtimes. |
| developer.apple.com | Apple Developer documentation and SDK downloads. Required. |

Apple CDN hosts

Apple distributes Xcode and Simulator runtimes through a content delivery network. The most commonly seen CDN hostnames are listed below. If your firewall does not allow wildcard rules, you may need to allow each host explicitly.

| Purpose | Common CDN host |
|---|---|
| Xcode and runtime downloads | updates.cdn-apple.com |
| App Store and developer services | api.apple-cloudkit.com |
| Package archive downloads | objects.githubusercontent.com |

If you encounter a blocked host that is not in this table, capture the exact hostname from your proxy logs and contact your Q2 representative — CDN hosts can change over time.

Hosts you do not need

To remove ambiguity for your IT team, the following hosts appear in some Q2 internal projects but are not required for DevApp module development:

  • artifactory.q2ebanking.com — internal Q2 artifact server. Used only by Q2's first-party banking app (the Q2 Mobile App / NGAM), not by modules built with the DevApp.
  • services.gradle.org, maven.google.com, repo.maven.apache.org — Android/Gradle hosts. Not required for iOS development.

If a build error references one of these hosts, contact your Q2 representative — it indicates a misconfigured project, not a missing firewall rule.

Validating your firewall rules

After your IT team has allowed the hosts above, validate connectivity from a developer Mac before starting the install. From a terminal, each of these commands should return an HTTP 200 or 301 response:

# Q2 GitLab
curl -I https://code.q2developer.com

# Apple Developer portal
curl -I https://developer.apple.com

# GitHub (SPM package sources)
curl -I https://github.com

# GitHub raw content (package manifests)
curl -I https://raw.githubusercontent.com

If any of the above time out or return a connection-refused error, your firewall is still blocking that host.
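
An added example, not part of the original page or Q2's tooling: a POSIX shell script that sends the same HEAD probe to every host in the Required hosts table and maps curl's exit code to a likely cause, so a blocked host can be told apart from TLS inspection whose root CA is not yet trusted. The `--live` switch, the verdict names, and the assumption that SSH clones go to code.q2developer.com on port 22 are this example's own.

```shell
#!/bin/sh
# Added example: one curl probe per required host, with the result classified.
# Host list copied from the "Required hosts" table on this page.
HOSTS="code.q2developer.com developer.apple.com swiftpackageindex.com
github.com raw.githubusercontent.com objects.githubusercontent.com
api.apple-cloudkit.com updates.cdn-apple.com"

# classify CURL_EXIT HTTP_STATUS -> prints a one-word verdict.
classify() {
  case "$1" in
    0)  case "$2" in
          200|301) echo ok ;;          # the responses this page says to expect
          407)     echo proxy-auth ;;  # proxy is asking for credentials
          *)       echo "http-$2" ;;   # answered, but not 200/301: read the status
        esac ;;
    5|6)   echo dns-or-proxy-lookup ;; # proxy or host name did not resolve
    7|28)  echo blocked ;;             # connection failed or timed out
    35|60) echo tls-untrusted ;;       # handshake failed or issuer not trusted
    *)     echo "curl-error-$1" ;;
  esac
}

# check_host HOST -> prints "HOST verdict". Certificate verification stays on.
check_host() {
  status=$(curl -sS -I -o /dev/null -w '%{http_code}' \
           --connect-timeout 5 --max-time 15 "https://$1" 2>/dev/null)
  rc=$?
  printf '%s %s\n' "$1" "$(classify "$rc" "$status")"
}

# Live probes run only on request: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
  for h in $HOSTS; do check_host "$h"; done
  # Port 22 probe; assumes SSH clones use the same GitLab host (not stated on the page).
  if nc -z -w 5 code.q2developer.com 22 2>/dev/null; then
    echo "code.q2developer.com:22 ok"
  else
    echo "code.q2developer.com:22 blocked (clone over HTTPS on 443 instead)"
  fi
fi
```

A `tls-untrusted` verdict points to the Custom CA certificates steps further down this page rather than to a missing firewall rule; keep certificate verification enabled when probing so that this case stays visible.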

Proxy configuration

If your organization requires all outbound traffic to go through an HTTP proxy, both Xcode and SPM must be configured to use it.

The simplest approach is to configure the proxy at the macOS system level:

  1. Open System Settings → Network → [your active connection] → Details → Proxies.
  2. Enable Web Proxy (HTTP) and Secure Web Proxy (HTTPS).
  3. Enter your proxy host and port.

Xcode and SPM inherit the system proxy automatically — no per-tool configuration is needed.

Command-line proxy

For terminal-based Git and SPM operations, set the proxy environment variables:

export http_proxy=http://proxy.your-company.com:8080
export https_proxy=http://proxy.your-company.com:8080
export no_proxy=localhost,127.0.0.1

Add these to your ~/.zshrc (or ~/.bashrc) to persist them across sessions.

Custom CA certificates

If your organization performs SSL inspection (a "man-in-the-middle" proxy), Xcode and SPM must trust your organization's root CA certificate. Without it, SPM dependency resolution will fail with an SSL handshake error.

To install a custom CA certificate:

  1. Obtain your organization's root CA certificate file (.cer, .crt, or .pem).
  2. Double-click the certificate file — Keychain Access opens.
  3. Select the System keychain and click Add.
  4. Find the certificate in Keychain Access, double-click it, expand "Trust", and set "When using this certificate" to "Always Trust".
  5. Restart Xcode.

If you receive SSL errors during SPM resolution after installing the certificate, contact your Q2 representative — they will walk you through any additional configuration needed.

What's next

Network confirmed open? Move to Accounts and Access to obtain your Q2 GitLab account and Personal Access Token.