Hope you are doing well.
As mentioned above the fix is to bypass the proxy authentication for *.itunes.apple.com.
Any rule created using Authentication parameters like Authentication user name or groups will work if Authentication rule is triggered and then only we will get desired values of user name or groups.
So any rule created using Authentication parameters like Authentication user name or groups will not work if they are placed before Authentication rule.
As first Authentication rule should get triggered and then only we get desired value of these parameters like Authentication username or groups.
So here you can create a rule using Client.IP property and URL.host *.itunes.apple.com) if possible or use some other property.
Ah, that makes perfect sense. I guess it has to know the user's ID before it can use it as criteria for something. I should have seen that so thank you for the answer.
I can't use Client.IP because of DHCP and I don't want to have to change it every time someone gets a new lease. I'll play around and see if I can get it to work with the username once I place it below the Authentication rule. Thank you.