What's new for enterprise in macOS Sequoia

Learn about the enterprise content that Apple has released for macOS Sequoia.

macOS updates improve the stability, performance, or compatibility of your device and are recommended for all users. Device administrators can manage software updates using a Mobile Device Management (MDM) solution.

For information about general improvements, learn about updates to macOS Sequoia.

For details about the security content of these updates, see Apple security releases.

macOS Sequoia 15.0

macOS Sequoia includes new features such as Safari extensions management, a new disk management configuration for external and network storage, and enhancements for software update management.

Device Management

  • MDM can manage which Safari extensions are allowed, always on or always off, and what websites they can access.

  • The new disk management configuration can be used to choose whether external or network storage is allowed or disallowed, or limit mounting to read-only volumes.

  • Software updates can now be managed entirely with declarative device management, replacing the MDM profiles for software update restrictions, settings, and software update commands and queries.

  • Executables, scripts, and launchd configuration files can be installed using MDM and stored in a secure and tamper-resistant location.

  • The Profiles section of System Settings is renamed to Device Management and now appears in the General section.

  • profiles renew -type enrollment no longer requires admin credentials if you are not already enrolled in MDM.

  • New authentication options are available for Platform Single Sign-on.

  • New configuration keys are available for the Kerberos SSO payload.

  • MDM can prevent a Mac from mirroring any iPhone.

  • MDM can prevent system extensions from being disabled in System Settings.

  • The new Welcome to Mac screen can be skipped when using auto-advance or by using the Welcome skip key.

  • MDM can configure the use of the hardware MAC address instead of a private MAC address on a managed Wi-Fi network. A privacy warning is shown when using the hardware MAC address because it allows tracking by Wi-Fi networks and nearby Wi-Fi devices.

  • The EnableLogging and LoggingOption keys in the Firewall payload are deprecated and no longer necessary. Application Firewall logging is increased by default for the socketfilterfw process.

  • Profile-based User Enrollment is no longer supported in macOS 15. For User Enrollment, sign in to a Managed Apple Account in Settings.

Bug fixes and other improvements

  • A third-party app or launch agent that wants to interact with devices on a user’s local network must ask for permission the first time that it tries to browse the local network. This does not apply to launch daemons running as root. Similar to iOS and iPadOS, the user can go to System Settings > Privacy > Local Network to allow or deny this access, giving users control over their privacy.

  • dscl and dsimport will trigger privacy prompts when attempting to change the home directory of a user. Previously this did not happen when a device was under MDM management. Apps can be pre-approved for SystemPolicySysAdminFiles access using MDM with a PrivacyPreferencesPolicyControl payload.

  • Application Firewall settings are no longer contained in a property list. If your app or workflow relies on changing Application Firewall settings by modifying /Library/Preferences/com.apple.alf.plist, then you need to make changes to use the socketfilterfw command line tool instead.

  • The new xprotect command can be used by administrators or users to manually invoke XProtect functionality.

  • The Security Framework can now import PKCS12 files created with AES-256-CBC encryption.

  • spctl can no longer be used to disable Gatekeeper.

  • By default, the sudo command in macOS 15 does not have logging enabled. To enable logging for sudo, remove the line Defaults !log_allowed from the sudoers configuration file.

  • DirectoryService plug-in support has been removed for third-party plug-ins. Developers should migrate to Platform SSO.

  • Performance is improved when running endpoint security extensions that use live detection.

  • Automatic login is successfully enabled when using the LoginWindow payload to configure AutologinUsername and AutologinPassword for an existing user.

  • When the RequireAdminForAirPortNetworkChange key is set to false in an MCX payload, "Require Administrator Authorization to Change Networks" is no longer enabled.

  • Devices reconnect more reliably to managed hidden Wi-Fi networks.
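
The sudo logging item above can be audited with a short script. This is an added example, not Apple's code: it reports whether log_allowed is effectively on or off from the global Defaults lines of the sudoers files passed to it, assuming the files are given in the order sudo reads them and that the last matching setting wins. The function name, file names and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective sudoers log_allowed setting.
# Limits (assumptions): only global "Defaults" lines are considered, not
# scoped forms such as Defaults:user, and backslash line continuations
# are not joined.

sudo_log_allowed_state() {
    # Prints "disabled" when the last global Defaults entry that mentions
    # log_allowed negates it, otherwise "enabled" (the sudoers default).
    awk '
        $1 == "Defaults" {                  # skips comments and scoped Defaults
            line = $0
            sub(/#.*/, "", line)            # drop a trailing comment
            sub(/^[ \t]*Defaults[ \t]*/, "", line)
            n = split(line, opts, ",")      # one line may set several options
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o == "!log_allowed") state = "disabled"
                else if (o == "log_allowed") state = "enabled"
            }
        }
        END { print (state == "" ? "enabled" : state) }
    ' "$@"
}

# Constructed sample input: a main file that turns logging off and a
# drop-in file (hypothetical name) that turns it back on.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'Defaults env_reset' \
    'Defaults !log_allowed' > "$demo_dir/sudoers"
printf '%s\n' '#Defaults !log_allowed' \
    'Defaults env_reset, log_allowed' > "$demo_dir/10-logging"

echo "main file only: $(sudo_log_allowed_state "$demo_dir/sudoers")"
echo "with drop-in:   $(sudo_log_allowed_state "$demo_dir/sudoers" "$demo_dir/10-logging")"
rm -rf "$demo_dir"
```

On a Mac, pass the sudoers configuration file followed by any included files. Make changes with visudo so the syntax is checked before the file is saved.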
