This is an apple list of ports used (quite long)https://support.apple.com/en-gb/HT202944
Might be able to find one that interrupts update communication but doesn't mess up anything else - it's a long shot.
Also, just in case you haven't seen this info...
From the Zone Director online help guide:
Configure Application Denial Policies
This option allows the administrator to deny application access by blocking any HTTP host name or L4 port. Using application denial policies, administrators can block specific applications if they are seen to be consuming excessive network resources, or enforce network usage policies such as blocking social media sites.
The following usage guidelines need to be taken into consideration when defining Application Denial Policies:
“www.corporate.com” – This will block access to the host web server at the organization “corporate.com” i.e. the FQDN. It will not block access to any other hosts such as ftp, ntp, smtp, etc. at the organization “corporate.com”.
“corporate.com” – this will block access to all hosts at the domain “corporate.com” i.e. it will block access to www.corporate.com, ftp.corporate.com, smtp.corporate.com, etc.
“corporate” – This will block access to any FQDN containing the text “corporate” in any part of the FQDN. Care should be taken to use as long as possible string for matching to prevent inadvertently blocking sites that may contain a shorter string match i.e. if the rule is “net” then this will block access to any sites that have the text “net” in any part of the FQDN or “.net” as the FQDN suffix.
*.corporate.com – This is an invalid rule. Wildcard “*” and other regular expressions cannot be used in any part of the FQDN.
“www.corporate.com/games” - This is an invalid rule. The filter cannot parse and block access on text after the FQDN, i.e., in this example it cannot filter the micro-site “/games”.
Many global organizations have both a “.com” suffix and country specific suffix such as “.co.uk”, “.fr”, “.au”.etc. To block access to, for example, the host web server in all regional specific web sites for an organization, a rule like “www.corporate” could be used.
Many global organizations use distributed content delivery networks such as Akamai. In such cases creating a rule such as “www.corporate.com” may not prevent access to the entire site. Further investigation of the content network behavior may need to be undertaken to fully prevent access.
When using Port based rules:
There is no distinction between the TCP and UDP protocols, so care should be taken if wishing to block a specific application port as that will apply to both IP protocols and may inadvertently block another application using the other protocol.
To create an Application Denial Policy:
Go to Configure > Access Control.
Expand the Application Recognition and Filtering section.
In Application Denial Policy, click Create New to create a new policy.
Enter a Name and optionally a Description for the policy.
In Rules, click Create New to create a new rule for this policy.
In Application, Select HTTP Domain Name or Port.
In Description, enter the domain name or port number for the application you want to block.
Click Save to save the rule, and click OK to save the policy.
Applying an Application Denial Policy to a WLAN
Once an Application Denial Policy is created, use the following procedure to apply it to one or more WLANs:
Go to Configure > WLANs, and click Edit next to the WLAN you want to configure.
Expand the Advanced Options section, and locate the Application Visibility section.
Ensure that the Enable check box is enabled.
Select the policy you created from the Apply Policy Group list.
Click OK to save your changes.