Network security for Apple devices
macOS features built-in network security technologies that authorize users and protects their data during transmission.
macOS network security supports:
Built-in Cisco IPSec, IKEv2, L2TP
SSL VPN via App Store apps
Transport Layer Security (TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3) and DTLS
SSL/TLS with X.509 certificates
WPA/WPA2 Enterprise with 802.1X
Shared-secret and Kerberos authentication
RSA SecurID, CRYPTOCard
FaceTime and iMessage encryption
iOS, iPadOS, and macOS create a unique ID for each FaceTime and iMessage user, ensuring that communications are encrypted, routed, and connected properly.
VPN and IPSec
Many enterprise environments have some form of virtual private network (VPN). These VPN services typically require minimal setup and configuration to work with Apple devices, which integrate with many commonly used VPN technologies.
iOS, iPadOS, and macOS support IPSec protocols and authentication methods. See Intro to VPN with Apple devices.
The SSL 3 cryptographic protocol and the RC4 symmetric cipher suite were deprecated in iOS 10 and macOS 10.12. By default, TLS clients or servers implemented with SecureTransport APIs don’t have RC4 cipher suites enabled, and so they’re unable to connect when RC4 is the only cipher suite available. To be more secure, services or apps that require RC4 should be upgraded to enable cipher suites.
Additional security enhancements apply:
TLS 1.2 supports both AES 128 and SHA-2.
SMB connections require signing by default.
macOS 10.12 or later supports AES as an encryption method for Kerberized NFS.
macOS supports Transport Layer Security (TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3) and DTLS. Safari, Calendar, Mail, and other Internet apps use these to enable an encrypted communication channel between macOS and corporate services.
You can also set the minimum and maximum TLS version for your 802.1X network payload with EAP-TLS, EAP-TTLS, PEAP, and EAP-FAST. For example, you can set:
Both to same specific TLS version.
The TLSMinimumVersion to a lower value and the TLSMaxmimumVersion to a higher value, which would then be negotiated with the RADIUS server.
A value of none, which would allow the 802.1X supplicant to negotiate the TLS version with the RADIUS server.
iOS, iPadOS, and macOS require the server’s leaf certificate to be signed using the SHA-2 family of signature algorithms and use either an RSA key of at least 2048 bits, or an ECC key of at least 256 bits.
iOS 11 or later, iPadOS 13.1 or later, and macOS 10.13 or later add support for TLS v1.2 in 802.1X authentication. Authentication servers that support TLS v1.2 may require updates for compatibility:
Cisco: ISE 2.3.0
FreeRADIUS: Update to version 2.2.10 and 3.0.16.
Aruba ClearPass: Update to version 6.6.x.
ArubaOS: Update to version 18.104.22.168.
Microsoft: Windows Server 2012 - Network Policy Server.
Microsoft: Windows Server 2016 - Network Policy Server.
All Apple platforms support industry-standard Wi-Fi authentication and encryption protocols, to provide authenticated access and confidentiality when connecting to the following secure wireless networks:
WPA3 Enterprise 192-bit security
With support for 802.1X, Mac computers can be integrated into a broad range of RADIUS authentication environments. macOS supports 802.1X wireless authentication protocols, including:
PEAPv0 (EAP-MSCHAPv2, the most common form of PEAP)
PEAPv1 (EAP-GTC, less common and created by Cisco)
The macOS Setup Assistant supports 802.1X authentication with user name and password credentials using TTLS or PEAP.