apple-telemetry

hosts that are required for system updates

Open sneak opened this issue 2 years ago • 3 comments

The following hosts are required to perform OS updates and should probably not be included in the blacklist:

gdmf.apple.com
gdmf.apple.com.akadns.net
swcdn.apple.com
swscan.apple.com

There may be OCSP hosts required as well (for trustd to validate OS updates); this is not an exhaustive list.

sneak, Aug 03 '22 16:08

gs.apple.com
gs.apple.com.akadns.net

These are also required (at least the first) - prior to 12.5 they are contacted in plaintext with the CPU's ECID on M1/M2, which definitely serves as telemetry. They are, however, required to do system updates.

https://sneak.berlin/20220409/apple-is-still-tracking-you-without-consent/

As of 12.5 the updater is said to use HTTPS, so it's not telemetry to anyone watching the network, but still is to Apple. It is, however, required for OS updates on ARM/AS (M1/M2) because OSes are "personalized" to the specific hardware on these platforms.

sneak, Aug 03 '22 16:08

updates.cdn-apple.com and mesu.apple.com I think are both required in the OS update process on 12.x.

ocsp2.apple.com MAY be required - further testing is needed.

sneak, Aug 03 '22 16:08

You can safely block configuration.apple.com and bag.itunes.apple.com during OS update (they are contacted) and it will still work/update.

sneak, Aug 03 '22 16:08
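A blocklist maintainer can check a list against the hosts named in this thread before publishing it. The script below is an added example, not code from this issue or from the apple-telemetry repository; it assumes a hosts-format or bare-domain blocklist, and the function names, sink addresses and sample list are constructed for illustration.

```python
# Host lists taken from the comments in this issue.
REQUIRED = {
    "gdmf.apple.com", "gdmf.apple.com.akadns.net", "swcdn.apple.com",
    "swscan.apple.com", "gs.apple.com", "gs.apple.com.akadns.net",
    "updates.cdn-apple.com", "mesu.apple.com",
}
MAYBE_REQUIRED = {"ocsp2.apple.com"}  # reported as "MAY be required"
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # assumed sink addresses


def blocked_hosts(text):
    """Yield (line_no, hostname) for each host in a hosts-format or bare-domain list."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments
        if fields and fields[0] in SINK_ADDRS:
            fields = fields[1:]                 # drop the sink address column
        for field in fields:
            yield no, field.lower().rstrip(".")  # normalise case and trailing dot


def audit(text):
    """Return blocklist entries that conflict with OS updates, grouped by certainty."""
    report = {"required": [], "maybe_required": []}
    for no, host in blocked_hosts(text):
        if host in REQUIRED:
            report["required"].append((no, host))
        elif host in MAYBE_REQUIRED:
            report["maybe_required"].append((no, host))
    return report


def strip_required(text):
    """Comment out every line that blocks a required host (whole line, exact match)."""
    bad = {no for no, _ in audit(text)["required"]}
    return "\n".join("# update-required: " + line if no in bad else line
                     for no, line in enumerate(text.splitlines(), 1))


# Constructed sample blocklist (not the repository's actual file).
SAMPLE = """\
# telemetry
0.0.0.0 configuration.apple.com
0.0.0.0 GS.apple.com.   # trailing dot, mixed case
swscan.apple.com
0.0.0.0 ocsp2.apple.com
0.0.0.0 bag.itunes.apple.com
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Matching is exact, so a list that blocks a parent domain by suffix or wildcard needs a separate check.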