
Use built-in network security features for Apple devices
Apple devices feature built-in network security technologies that authorise users and help protect their data during transmission. Apple device network security support includes:
- Built-in IPsec, IKEv2, L2TP 
- Custom VPN via App Store apps (iOS, iPadOS, visionOS) 
- Custom VPN via third-party VPN clients (macOS) 
- Transport Layer Security (TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3) and DTLS 
- SSL/TLS with X.509 certificates 
- WPA/WPA2/WPA3 Enterprise with 802.1X 
- Certificate-based authentication 
- Shared-secret and Kerberos authentication 
- RSA SecurID, CRYPTOCard (macOS) 
Network relays in iOS, iPadOS, macOS and tvOS
A built-in relay in devices with iOS 17, iPadOS 17, macOS 14 or tvOS 17, or later, can be used to secure traffic over an encrypted HTTP/3 or HTTP/2 connection as an alternative to a VPN. A network relay is a special type of proxy that is optimised for performance and uses the latest transport and security protocols. It can be used to secure the TCP and UDP traffic of a particular app, of an entire device, or of access to internal resources. Multiple network relays can be used in parallel, including iCloud Private Relay, with no app required. For more information, see Use network relays.
VPN and IPsec
Many enterprise environments have some form of virtual private network (VPN). These VPN services typically require minimal setup and configuration to work with Apple devices, which integrate with many commonly used VPN technologies.
iOS, iPadOS, macOS, tvOS, watchOS and visionOS support IPsec protocols and authentication methods. For more information, see VPN overview.
TLS
The SSL 3 cryptographic protocol and the RC4 symmetric cipher suite were deprecated in iOS 10 and macOS 10.12. By default, TLS clients or servers implemented with Secure Transport APIs don’t have RC4 cipher suites enabled. For this reason, they’re unable to connect when RC4 is the only cipher suite available. For better security, services or apps that require RC4 should be upgraded to use secure cipher suites.
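The same client-side policy (no SSL 3, no RC4, TLS 1.2 or later) expressed outside Secure Transport, as an added example that is not from this page or from Apple: it uses Python’s standard ssl module, so it is a portable stand-in for the Secure Transport behaviour described above, not Apple’s API. The cipher string and the `policy_violations` check are the example’s own choices.

```python
"""Client TLS policy check: refuse SSL 3/TLS 1.0/1.1 and RC4-class cipher suites.

Added example using Python's standard ssl module (not Secure Transport).
"""
import ssl

# Substrings that identify cipher suites the policy must never leave enabled.
FORBIDDEN_CIPHER_MARKERS = ("RC4", "MD5", "3DES", "NULL")


def hardened_client_context() -> ssl.SSLContext:
    """Build a client context that negotiates only TLS 1.2+ with modern AEAD suites."""
    ctx = ssl.create_default_context()          # verifies server certs by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSL 3, TLS 1.0 and 1.1
    # The default list normally omits RC4 already; stating the exclusion makes the
    # policy explicit instead of relying on the linked OpenSSL's defaults.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
        ":!RC4:!aNULL:!eNULL:!MD5:!3DES"
    )
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of the cipher suites the context would offer (TLS 1.2 and below)."""
    return [c["name"] for c in ctx.get_ciphers()]


def policy_violations(ctx: ssl.SSLContext) -> list:
    """Return every cipher or version setting on `ctx` that breaks the policy.

    An empty list means the context matches the page's requirements:
    no RC4 (or other legacy suites) and a minimum version of TLS 1.2.
    """
    violations = [
        name for name in enabled_cipher_names(ctx)
        if any(marker in name for marker in FORBIDDEN_CIPHER_MARKERS)
    ]
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        violations.append(f"minimum_version={ctx.minimum_version.name}")
    return violations


if __name__ == "__main__":
    context = hardened_client_context()
    print("enabled suites:", enabled_cipher_names(context))
    print("policy violations:", policy_violations(context))
```

Run `policy_violations()` against any context an app hands to `wrap_socket()`; a non-empty result is the configuration that the deprecation in this section would make fail against a modern server.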
Additional security enhancements include:
- Required signing of SMB connections (macOS) 
- For a Mac with macOS 10.12 or later, support for AES as an encryption method for Kerberised NFS (macOS) 
- Transport Layer Security (TLS 1.2, TLS 1.3) - TLS 1.2 supports both AES 128 and SHA-2. 
- SSL 3 (iOS, iPadOS, visionOS) 
- DTLS (macOS) 
Safari, Calendar, Mail and other internet apps use these protocols to establish an encrypted communication channel between iOS, iPadOS, macOS and visionOS devices and corporate services.
You can also set the minimum and maximum TLS version for your 802.1X network payload with EAP-TLS, EAP-TTLS, PEAP and EAP-FAST. For example, you can set:
- Both to the same specific TLS version 
- The TLS minimum version to a lower value and the TLS maximum version to a higher value, which would then be negotiated with the RADIUS server 
- A value of none, which would allow the 802.1X supplicant to negotiate the TLS version with the RADIUS server 
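A validator for the three settings just listed, as an added example that is not part of this page or of Apple’s tooling. It parses a Wi-Fi configuration profile with Python’s standard plistlib and inspects the `TLSMinimumVersion` and `TLSMaximumVersion` keys of the `EAPClientConfiguration` dictionary, which are the keys Apple’s Wi-Fi payload uses for these settings; the sample profile, its SSID, UUIDs and RADIUS server name are constructed placeholders, and the “none” case is modelled as both keys being absent, which is an assumption of the example. The severity labels and the TLS 1.2 floor are the example’s own policy, not a requirement stated on the page.

```python
"""Check the 802.1X TLS version settings in an Apple Wi-Fi configuration profile.

Added example (not Apple's code). Keys follow Apple's Wi-Fi payload; the profile
content below is constructed for illustration only.
"""
import plistlib

# Constructed sample profile: one Wi-Fi payload with EAP-TLS (type 13) and an
# explicit TLS 1.2 .. 1.3 window. Identifiers and server name are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.wifi.8021x</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.wifi.8021x.corp</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>Corp-Example</string>
      <key>EncryptionType</key><string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
        <key>TLSMinimumVersion</key><string>1.2</string>
        <key>TLSMaximumVersion</key><string>1.3</string>
        <key>TLSTrustedServerNames</key><array><string>radius.example.test</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")   # ordered oldest to newest
# IANA EAP method numbers for the TLS-based methods named on the page.
EAP_TYPE_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}


def check_eap_tls_versions(eap: dict) -> list:
    """Return (severity, message) findings for one EAPClientConfiguration dict."""
    findings = []
    for eap_type in eap.get("AcceptEAPTypes", []):
        if eap_type not in EAP_TYPE_NAMES:
            findings.append(("warn", f"EAP type {eap_type} is not a TLS-based method the TLS version keys apply to"))

    lo = eap.get("TLSMinimumVersion")
    hi = eap.get("TLSMaximumVersion")
    for label, value in (("TLSMinimumVersion", lo), ("TLSMaximumVersion", hi)):
        if value is not None and value not in TLS_VERSIONS:
            findings.append(("error", f"{label} {value!r} is not a recognised TLS version"))
            return findings

    if lo is None and hi is None:
        # The "none" case: the supplicant negotiates the version with the RADIUS server.
        findings.append(("info", "no TLS version set: the supplicant negotiates the version with the RADIUS server"))
        return findings

    if lo is not None and hi is not None and TLS_VERSIONS.index(lo) > TLS_VERSIONS.index(hi):
        findings.append(("error", f"TLSMinimumVersion {lo} is above TLSMaximumVersion {hi}; no version can be negotiated"))

    # Example policy: flag any floor that still admits TLS 1.0 or 1.1.
    if lo is None or TLS_VERSIONS.index(lo) < TLS_VERSIONS.index("1.2"):
        findings.append(("warn", f"minimum TLS version is {lo or 'unset'}: TLS 1.0/1.1 may be negotiated"))
    return findings


def check_profile(profile_bytes: bytes) -> dict:
    """Map each Wi-Fi payload's SSID to the findings for its EAP configuration."""
    profile = plistlib.loads(profile_bytes)
    results = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            continue   # a PSK network, not 802.1X
        results[payload.get("SSID_STR", "<no SSID>")] = check_eap_tls_versions(eap)
    return results


if __name__ == "__main__":
    for ssid, findings in check_profile(SAMPLE_PROFILE).items():
        print(ssid, findings or "OK")
```

Point `check_profile()` at a `.mobileconfig` exported from your device management service; a mismatched pair (minimum above maximum) is reported as an error, an unset pair as the negotiated “none” case, and a floor below TLS 1.2 as a warning, so the review catches a payload that would silently fall back to an older version.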
iOS, iPadOS, macOS and visionOS require the server’s leaf certificate to be signed using the SHA-2 family of signature algorithms and use either an RSA key of at least 2048 bits, or an ECC key of at least 256 bits.
Devices with iOS 11, iPadOS 13.1, macOS 10.13 or visionOS 1.1, or later, add support for TLS 1.2 in 802.1X authentication. Authentication servers that support TLS 1.2 may require the following updates for compatibility:
- Cisco: ISE 2.3.0 
- FreeRADIUS: Update to version 2.2.10 and 3.0.16. 
- Aruba ClearPass: Update to version 6.6.x. 
- ArubaOS: Update to version 6.5.3.4. 
- Microsoft: Windows Server 2012 - Network Policy Server. 
- Microsoft: Windows Server 2016 - Network Policy Server. 
For more information on 802.1X, see Connect Apple devices to 802.1X networks.
WPA2/WPA3
All Apple platforms support industry-standard Wi-Fi authentication and encryption protocols, to provide authenticated access and confidentiality when connecting to the following secure wireless networks:
- WPA2 Personal 
- WPA2 Enterprise 
- WPA2/WPA3 Transitional 
- WPA3 Personal 
- WPA3 Enterprise 
- WPA3 Enterprise 192-bit security 
To view a list of 802.1X wireless authentication protocols, see 802.1X configurations for Mac.
Hiding and locking apps
For devices with iOS 18 and iPadOS 18, or later, users can require Face ID, Touch ID or a passcode to open an app, and to hide it from the Home Screen. A device management service can manage the availability of these options by:
- Controlling a user’s ability to hide and lock Managed Apps on a per-app basis 
- Disabling hiding and locking all apps on supervised devices 
For devices that enrol with User Enrolment, the operating system reports hidden apps to a device management service only if they’re managed. For devices that enrol with Device Enrolment, the operating system reports hidden apps to a device management service as part of all installed apps.
Local network access for macOS
For a Mac with macOS 15 or later, a third-party app or launch agent that wants to interact with devices on a user’s local network needs to ask for permission the first time it tries to browse the local network.
As with iOS and iPadOS, users can go to System Settings > Privacy > Local Network to allow or deny this access.
FaceTime and iMessage encryption
iOS, iPadOS, macOS and visionOS create a unique ID for each FaceTime and iMessage user, helping to ensure that communications are encrypted, routed and connected properly.