Prepare your network environment for stricter security requirements
Apple operating systems will require stricter network security for system processes. Check whether your server connections meet the new requirements.
This article is intended for IT administrators and device management service developers.
Starting as early as the next major software release, Apple operating systems (iOS, iPadOS, macOS, watchOS, tvOS, and visionOS) might refuse connections to servers with outdated or non-compliant TLS configurations due to additional network security requirements.
You should audit your environment to identify servers that don't meet these requirements. Updating server configurations to meet these requirements might require significant time, especially for servers maintained by external vendors.
Affected connections and configuration requirements
The new requirements apply to network connections directly involved in the following activities:
Mobile device management (MDM)
Declarative Device Management (DDM)
Automated Device Enrollment
Configuration profile installation
App installation, including enterprise app distribution
Software updates
Exceptions: Network connections to a SCEP server (while installing a configuration profile or resolving a DDM asset) and content caching servers (even when requesting assets related to app installation or software updates) aren't affected.
Requirements: Servers must support TLS 1.2 or later, use ATS-compliant ciphersuites, and present valid certificates that meet ATS standards. For complete network security requirements, reference the developer documentation:
Audit your environment for non-compliant connections
Use test devices to identify server connections in your environment that don't meet the new TLS requirements.
Plan your test coverage
Different device configurations might connect to different servers. To make sure that your audit has complete coverage, test all configurations that apply to your environment.
Environment: Production, staging, test
Device type: iPhone, iPad, Mac, Apple Watch, Apple TV, Apple Vision Pro
Role: User group (sales, engineering, accounting), kiosk device, shared device
Enrollment type: Automated Device Enrollment, account-driven enrollment, profile-driven Device Enrollment, Shared iPad
Repeat the following audit steps for each configuration that connects to different servers.
Install the Network Diagnostics Logging Profile
Download and install the Network Diagnostics Logging Profile on a representative test device running iOS 26.4, iPadOS 26.4, macOS 26.4, watchOS 26.4, tvOS 26.4, or visionOS 26.4, or later, to enable logging. After installing the profile, restart your test device.
To make sure that log events contain the necessary details for identifying non-compliant connections, this profile must be installed before you perform any testing. If you are testing Automated Device Enrollment on an iPhone or iPad, use Apple Configurator for Mac to install the profile before the device reaches the Device Management pane in Setup Assistant.
Run your normal workflows
Use the test device as you normally would in your environment. Enroll it in device management, install apps and profiles, and perform any other workflows that connect to your organization's servers.
The goal is to generate network traffic to all servers that might be affected by the new TLS requirements.
Collect a sysdiagnose
After running your workflows, collect a sysdiagnose from the test device. This diagnostic archive contains the log events that you need to identify non-compliant connections.
Device-specific instructions for collecting a sysdiagnose
Review the logs
Transfer the sysdiagnose to a Mac and expand the .tar.gz file. Using Terminal, navigate to the top-level directory within the expanded sysdiagnose and filter for relevant log events with this command:
log show --archive system_logs.logarchive --info -P "p=appstoreagent|appstored|managedappdistributionagent|managedappdistributiond|ManagedClient|ManagedClientAgent|mdmclient|mdmd|mdmuserd|MuseBuddyApp|NanoSettings|Preferences|profiled|profiles|RemoteManagementAgent|remotemanagementd|Setup|'Setup Assistant'|'System Settings'|teslad|TVSettings|TVSetup|XPCAcmeService AND s=com.apple.network AND m:'ATS Violation'|'ATS FCPv2.1 violation'"
Each log event includes three key details:
Domain: The domain of the server for this connection event.
Process: The process that made the connection, which helps you determine the purpose of the network connection to that domain.
Warning: The constraint that was violated by the connection and how the server is non-compliant (a single connection might emit multiple warnings if the server doesn't meet multiple requirements).
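Reading the three details out of a large sysdiagnose by hand is tedious, so here is an added shell example (not part of the Apple article) that reduces `log show` output to one unique "domain, process, warning" row per finding. It assumes the default `log show` column layout (date, time, thread, type, activity, PID, TTL, then the process name ending in a colon, which may contain spaces such as "Setup Assistant:"), and it recognizes both the "for server:" and "by server:" phrasings used by the warnings in this article. The sample log lines, hosts and PIDs are constructed for the demonstration.

```shell
# Added example: summarize ATS warnings from `log show` output as unique
# "domain<TAB>process<TAB>warning" rows.
# Assumption: default `log show` columns, i.e. fields 1-7 are date, time,
# thread, type, activity, PID and TTL; the process name follows and ends
# with a colon (it may contain spaces, e.g. "Setup Assistant:").

summarize_ats_violations() {
  awk '
    /Warning \[ATS [^]]*\]: / {
      # Process name: tokens from field 8 up to the first token ending in ":"
      proc = ""
      for (i = 8; i <= NF; i++) {
        proc = (proc == "" ? $i : proc " " $i)
        if ($i ~ /:$/) break
      }
      sub(/:$/, "", proc)

      # Warning text runs from "Warning [" up to the server reference
      match($0, /Warning \[ATS [^]]*\]: /)
      msg = substr($0, RSTART)
      if (!match(msg, / (for|by) server: /)) next
      warning = substr(msg, 1, RSTART - 1)
      domain = substr(msg, RSTART + RLENGTH)
      sub(/[[:space:]].*$/, "", domain)

      printf "%s\t%s\t%s\n", domain, proc, warning
    }' | sort -u
}

# Constructed sample lines in the layout above; hosts and PIDs are made up.
# The duplicate mdmclient line and the non-warning line show that only
# unique violations are reported.
sample_log() {
  cat <<'EOF'
2026-03-02 09:15:01.123456-0800 0x1a2b  Info  0x0  412  0  mdmclient: (Network) [com.apple.network:] Warning [ATS violation]: TLS version <1.2 negotiated for server: mdm.example.com
2026-03-02 09:15:01.223456-0800 0x1a2b  Info  0x0  412  0  mdmclient: (Network) [com.apple.network:] Warning [ATS violation]: TLS version <1.2 negotiated for server: mdm.example.com
2026-03-02 09:15:02.000000-0800 0x1c00  Info  0x0  388  0  Setup Assistant: (Network) [com.apple.network:] Warning [ATS FCPv2.1 violation]: TLS 1.2 negotiated without extended master secret (EMS) for server: enroll.example.com
2026-03-02 09:15:03.000000-0800 0x1d00  Info  0x0  512  0  appstored: (Network) [com.apple.network:] Warning [ATS FCPv2.1 violation]: Signature algorithm rsa_pkcs15_sha1 negotiated by server: apps.example.com
2026-03-02 09:15:04.000000-0800 0x1e00  Info  0x0  412  0  mdmclient: (Network) [com.apple.network:] Connection established to mdm.example.com
EOF
}

# Typical use on a real archive, piping the article's filter command in:
#   log show --archive system_logs.logarchive --info -P "..." | summarize_ats_violations
count_unique_violations() {
  sample_log | summarize_ats_violations | grep -c .
}
```

Each output row names one server, the process that talked to it and the requirement it failed, which is the set of facts a server owner needs for remediation; run the real `log show` command from this article into `summarize_ats_violations` instead of `sample_log`.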
Interpreting warning logs
The following log messages indicate servers that don't meet the new TLS requirements. Violations are marked as either general ATS policy violations ("Warning [ATS Violation]") or specific FCP v2.1 standard violations ("Warning [ATS FCPv2.1 violation]").
If these logs are emitted by a process connecting to a server specific to your enterprise, then those servers must be updated to meet the new requirements.
| Log message | Meaning | Remediation |
|---|---|---|
| Warning [ATS violation]: Ciphersuite([negotiated ciphersuite]) not offered in ATS negotiated for server: www.example.com | The server negotiated a non-PFS ciphersuite that is not offered when the client enforces ATS. | Servers must support PFS ciphersuites (any TLS 1.3 ciphersuite and TLS 1.2 ciphersuites with ECDHE). |
| Warning [ATS violation]: TLS version <1.2 negotiated for server: www.example.com | The server negotiated a version of TLS older than TLS 1.2. TLS 1.0/1.1 are deprecated and already not offered by default. | Update servers to negotiate TLS 1.3 whenever possible (minimally TLS 1.2). |
| Warning [ATS Violation]: ATS certificate trust requirement not satisfied for server: www.example.com | The server's certificate did not pass default server trust evaluation because it did not meet the minimum requirements outlined here. | Update the server's certificate to meet these requirements. If the certificate is in the auto-enrollment profile anchor certificates, then remediation isn't required. |
| Warning [ATS violation]: RSA key size [n] bits is less than minimum 2048 bits for server: www.example.com | The server's certificate was signed with an RSA key that is smaller than 2048 bits. | Update the server's certificate to meet these requirements. |
| Warning [ATS violation]: ECDSA key size [n] bits is less than minimum 256 bits for server: www.example.com | The server's certificate was signed by an ECDSA key that is smaller than 256 bits. | Update the server's certificate to meet these requirements. |
| Warning [ATS violation]: Leaf certificate hash algorithm (n) is not at least SHA-256 for server: www.example.com | The server's certificate did not use a Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 bits. | Update the server's certificate to meet these requirements. |
| Warning [ATS violation]: Did not use TLS when opening connection for server: www.example.com | Plaintext HTTP was used instead of HTTPS. | Update the server to support HTTPS. |
| Warning [ATS FCPv2.1 violation]: Signature algorithm rsa_pkcs15_sha1 negotiated by server: www.example.com | The server chose rsa_pkcs15_sha1 as the signature_algorithm. | Update configuration to prefer modern signature algorithms. |
| Warning [ATS FCPv2.1 violation]: Server certificate signed using signature algorithm [signature algorithm] not advertised in ClientHello for server: www.example.com | The server's certificate was signed using a signature algorithm not advertised in the ClientHello. | Update the server's certificate to be signed using a signature algorithm that has a TLS codepoint and is not rsa_pkcs15_sha1. |
| Warning [ATS FCPv2.1 violation]: TLS 1.2 negotiated without extended master secret (EMS) for server: www.example.com | The server negotiated TLS 1.2 and did not negotiate the extended master secret (EMS) extension. | Update servers to use TLS 1.3 or, at a minimum, update their TLS 1.2 configuration to negotiate EMS. |
Validate individual servers
After identifying non-compliant servers in the audit, you can test them individually to verify specific violations or confirm that remediation was successful.
Run the following command, replacing "https://example.com:8000" with your server or endpoint.
nscurl --ats-diagnostics https://example.com:8000/
This command tests whether the server meets requirements for various combinations of ATS policies. Look for the test result using ATS with FCP_v2.1 mode enabled:
Configuring NIAP TLS package version requirements
---
FCP_v2.1
Result : PASS
---
If the result is “PASS”, the server meets all requirements.
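When many servers need re-checking after remediation, it helps to script the PASS/FAIL decision rather than read each `nscurl` report. The following added shell example (not part of the Apple article) extracts the FCP_v2.1 result from `nscurl --ats-diagnostics` output and loops over a list of URLs. It assumes each test mode appears in a block shaped like the excerpt above (a "---" line, the mode name on its own line, "Result : PASS" or "Result : FAIL", "---"); the full `nscurl` output contains further sections that are not reproduced here, and the sample outputs and hostnames are constructed.

```shell
# Added example: pick the FCP_v2.1 result out of `nscurl --ats-diagnostics`
# output so that a list of servers can be re-validated after remediation.
# Assumption: each test mode is reported as a "---" delimited block with the
# mode name on its own line followed by "Result : PASS|FAIL".

fcp_result() {
  # Reads nscurl output on stdin; prints the Result of the FCP_v2.1 block,
  # or UNKNOWN if no such block is present.
  awk '
    /^---[[:space:]]*$/ { in_fcp = 0 }             # block delimiter resets state
    $1 == "FCP_v2.1" && NF == 1 { in_fcp = 1 }     # the mode name on its own line
    in_fcp && /^Result[[:space:]]*:/ {
      sub(/^Result[[:space:]]*:[[:space:]]*/, "")
      print; found = 1; exit
    }
    END { if (!found) print "UNKNOWN" }
  '
}

server_passes_fcp() {
  # Usage: nscurl --ats-diagnostics "https://mdm.example.com/" | server_passes_fcp
  [ "$(fcp_result)" = "PASS" ]
}

check_servers() {
  # Runs nscurl (macOS only) against each URL given and prints URL<TAB>result,
  # e.g. check_servers https://mdm.example.com/ https://apps.example.com/
  for url in "$@"; do
    printf '%s\t%s\n' "$url" "$(nscurl --ats-diagnostics "$url" 2>/dev/null | fcp_result)"
  done
}

# Constructed nscurl excerpts for two hypothetical servers, modelled on the
# article's example; real output has additional sections.
sample_pass() {
  cat <<'EOF'
Configuring NIAP TLS package version requirements
---
FCP_v2.1
Result : PASS
---
EOF
}

sample_fail() {
  cat <<'EOF'
Configuring NIAP TLS package version requirements
---
FCP_v2.1
Result : FAIL
---
EOF
}
```

`fcp_result` deliberately reports UNKNOWN rather than FAIL when the block is missing, so a truncated or errored `nscurl` run is not mistaken for a compliant server.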
Learn more about identifying the source of blocked connections
Remediation
Work with the owners of the affected servers to update their TLS configurations. Server owners might be internal, your device management service, or a third-party vendor.
When contacting a server owner for remediation, share this article and the specific warning messages that you observed.
Remediation might include the following:
Update servers to support TLS 1.2 or later (TLS 1.3 is recommended)
Servers that support only TLS 1.2 must, at a minimum, support key exchange algorithms that provide Perfect Forward Secrecy (ECDHE), AEAD ciphersuites based on AES-GCM with SHA-256, SHA-384, or SHA-512, and the extended master secret extension (RFC 7627).
Update certificates to meet ATS requirements for key size, signature algorithm, and validity.
Additional Resources
Learn about preventing insecure network connections and App Transport Security
Contact your Customer Success Manager or AppleCare Enterprise Support for more assistance.