Apple seldom gives advanced notice of significant changes coming in the next major version of macOS, before its first beta-release at WWDC. One significant exception to this are changes to networking that could impact enterprise users. This year, with just over six weeks to go before that first beta of macOS 27, we already have two warnings of what might be coming.
AFP and network storage
Apple made SMB its primary file-sharing protocol in OS X 10.9 Mavericks, over 12 years ago, and has repeatedly told us that support for its predecessor AFP will be removed in the future. It repeated those warnings with macOS Sequoia 15.5, but still hasn’t confirmed when AFP will be lost.
Those who are most likely to be affected by this are still using Time Capsules, or elderly NAS systems that don’t support SMB3. As removal of AFP support won’t be retrospective, provided that none of your Macs will be upgraded to macOS 27, you’ll still be able to use AFP for your file shares and Time Machine backups. But if you have an Apple silicon Mac and AFP support is dropped from macOS 27, that would leave you unable to upgrade without replacing your network storage.
TLS and servers
Most recently, Apple has warned that a future version of macOS, and its device OSes, will require connections to certain servers to be made using at least TLS 1.2, with additional requirements. I’m grateful to Rich Trouton’s Der Flounder blog for drawing attention to this.
Although Apple carefully avoids being too specific, it warns that this change could come “as early as the next major software release”, although one of the purposes behind its support article is to gauge the impact the change might have on its enterprise customers. If there would be major problems, it may decide to delay its introduction.
This change is more technical, and largely applies to servers involved in supporting MDM, DDM, Automated Device Enrolment, app distribution and installation, and Apple software updates. Fortunately, if you run a local Content Caching server, that won’t be affected.
Unlike the removal of AFP, it’s far harder to tell whether a connection to a server complies with the new rules, which require:
- support for TLS 1.2 or later, with TLS 1.3 recommended,
- use of ATS-compliant ciphersuites,
- presentation of valid certificates meeting ATS standards.
The most reliable way to check is to audit connections made to each server, by screening log entries from the Mac or device. That’s further complicated by the fact that the log doesn’t normally gather the information that’s required. So the first step is to install a network diagnostics logging profile available from Apple. The support article explains how to collect a logarchive using sysdiagnose, and provides a monster predicate to extract relevant entries:
"p=appstoreagent|appstored|managedappdistributionagent|managedappdistributiond|ManagedClient|ManagedClientAgent|
mdmclient|mdmd|mdmuserd|MuseBuddyApp|NanoSettings|Preferences|profiled|profiles|RemoteManagementAgent|
remotemanagementd|Setup|'Setup Assistant'|'System Settings'|teslad|TVSettings|TVSetup|XPCAcmeService AND s=com.apple.network AND m:'ATS Violation'|'ATS FCPv2.1 violation'"
And yes, Apple is encouraging system administrators to copy and paste a command into Terminal, because there’s no GUI app in macOS that could be used to do that, although you can use it in Ulbow, and I suspect in LogUI with a little modification.
If you’re within the scope of this proposed change, you’ll need to read Rich Trouton’s account, and Apple’s full article. I wish you the best of luck. As with AFP, this change shouldn’t apply retrospectively.
Timescale
- 27.0 developer beta due on 8 June 2026
- 27.0 public beta due around 8 July 2026
- 27.0 release most probably in mid-September 2026, only five months away.
The Eclectic Light Company 