Prepare your institution for iOS 12 or macOS Mojave

If you're a system administrator, you should review this list and prepare for changes before updating to iOS 12 or macOS Mojave.

Changes introduced in iOS 12

  • MD5-signed leaf certificates, including those that were trusted in iOS 11 and earlier, are distrusted in iOS 12.
  • Apple products will completely distrust Symantec CAs as early as Fall 2018.
  • The Federal Common Policy Root CA has been removed from the iOS Trust Store. Organizations that require the Federal Common Policy Root CA can distribute it in a profile payload.
  • FTP and File URL schemes for Proxy Automatic Configuration (PAC) are deprecated. HTTP and HTTPS are the only supported URL schemes for PAC. This includes PAC URLs configured by a user in Settings, or by a configuration profile.

Changes introduced in macOS Mojave

  • MD5-signed leaf certificates, including those that were trusted in macOS High Sierra 10.13 and earlier, are distrusted in macOS Mojave.
  • Apple products will completely distrust Symantec CAs as early as Fall 2018.
  • The Federal Common Policy Root CA has been removed from the macOS Trust Store. Organizations that require the Federal Common Policy Root CA can distribute it in a profile payload.
  • FTP and File URL schemes for Proxy Automatic Configuration (PAC) are deprecated. HTTP and HTTPS are the only supported URL schemes for PAC. This includes PAC URLs configured by a user in System Preferences, or by a configuration profile.
  • 32-bit processes will trigger an alert on launch. To prevent the alert, create and install a custom configuration profile payload in the com.apple.coreservices.uiagent domain, setting the CSUIDisable32BitWarnings key to True.
  • For increased security, using the kickstart command to enable remote management on a Mac will only allow you to observe it when sharing its screen. If you wish to control the Mac while sharing its screen, enable remote management in System Preferences.
  • Using either the Full Security or Medium Security Secure Boot setting on your Mac computer that has the Apple T2 Security Chip will prevent your Mac from starting up into single-user mode. Boot into macOS Recovery instead.
  • You can allow apps to access certain files used for system administration and to access application data. For example, if an app requests access to your Calendar data, you can allow or deny the request. MDM administrators can manage these requests using the Privacy Preferences Policy Control payload, as documented in the Configuration Profile Reference.
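
To find configuration profiles affected by the PAC change listed for both iOS 12 and macOS Mojave, the following added example (not Apple's code) scans an unsigned profile for PAC URLs that use a scheme other than HTTP or HTTPS. It assumes the PAC URL is stored under the ProxyPACURL key, as in the Wi-Fi and Global HTTP Proxy payloads; the sample profile, its identifiers and the function names are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

SUPPORTED_PAC_SCHEMES = {"http", "https"}  # the only schemes still supported for PAC

# Constructed sample: unsigned profile with three proxy-bearing payloads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>PayloadIdentifier</key><string>example.wifi.lab</string>
  <key>ProxyType</key><string>Auto</string>
  <key>ProxyPACURL</key><string>ftp://files.example.com/proxy.pac</string></dict>
<dict><key>PayloadType</key><string>com.apple.proxy.http.global</string>
  <key>PayloadIdentifier</key><string>example.proxy.global</string>
  <key>ProxyType</key><string>Auto</string>
  <key>ProxyPACURL</key><string>file:///Library/Proxy/proxy.pac</string></dict>
<dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>PayloadIdentifier</key><string>example.wifi.office</string>
  <key>ProxyType</key><string>Auto</string>
  <key>ProxyPACURL</key><string>https://pac.example.com/proxy.pac</string></dict>
</array></dict></plist>"""

def find_pac_urls(node, ident="(top level)"):
    """Yield (payload identifier, PAC URL) for every ProxyPACURL in the plist tree."""
    if isinstance(node, dict):
        ident = node.get("PayloadIdentifier", ident)
        for key, value in node.items():
            if key == "ProxyPACURL" and isinstance(value, str):
                yield ident, value
            else:
                yield from find_pac_urls(value, ident)  # nested dicts and arrays
    elif isinstance(node, list):
        for item in node:
            yield from find_pac_urls(item, ident)

def audit_profile(data):
    """Return [(identifier, url, scheme)] for PAC URLs that are not HTTP or HTTPS."""
    findings = []
    for ident, url in find_pac_urls(plistlib.loads(data)):
        scheme = urlsplit(url.strip()).scheme.lower()
        if scheme not in SUPPORTED_PAC_SCHEMES:
            findings.append((ident, url, scheme or "(none)"))
    return findings

if __name__ == "__main__":
    for ident, url, scheme in audit_profile(SAMPLE_PROFILE):
        print(f"{ident}: PAC URL {url!r} uses deprecated scheme {scheme!r}")
```

A signed profile is wrapped in a CMS envelope and must have its signature layer removed before plistlib can read it.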

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.
