Enterprise TLS warning
- Apple warned developers and IT teams it will block outdated TLS (pre-1.2) in upcoming iOS/macOS updates.
- The change specifically affects MDM profiles and enterprise apps that still accept legacy TLS connections.
- Administrators are being told to enforce modern TLS, keep MDM profiles current, and update servers before the rollout.
Apple is warning companies that upcoming iPhone, iPad, Mac, Watch, TV, and Vision Pro software releases may stop talking to servers that still use outdated Transport Layer Security settings. (support.apple.com)

Transport Layer Security, or TLS, is the lock on an internet connection: it encrypts traffic and verifies the server on the other end. Apple said affected servers must support TLS 1.2 or later, use App Transport Security-compliant ciphersuites, and present certificates that meet App Transport Security standards. (developer.apple.com, support.apple.com)

The warning is aimed at information-technology administrators and device-management vendors, not ordinary app users. Apple said the stricter checks apply to connections used for mobile device management, Declarative Device Management, Automated Device Enrollment, configuration profile installation, app installation including enterprise app distribution, and software updates. (support.apple.com)

Mobile device management is the system companies use to enroll work phones and laptops, push settings, install apps, and enforce security rules. If those back-end servers still accept TLS 1.0 or 1.1, devices on the next major Apple operating systems could fail to enroll, fetch profiles, install internal apps, or complete some update-related tasks. (support.apple.com, developer.apple.com)

Apple has been moving toward this cutoff for years. The company said TLS 1.0 and 1.1 were deprecated on Apple platforms starting with iOS 15, iPadOS 15, macOS 12, watchOS 8, and tvOS 15, and that support would be removed in future releases. (developer.apple.com)

App Transport Security, or ATS, has long been Apple's baseline for app connections made through standard system networking tools. Apple said ATS is on by default for apps linked against the iOS 9 or macOS 10.11 software development kits and blocks connections that do not meet minimum security requirements. (developer.apple.com) The new advisory extends that stricter posture to system processes that enterprises depend on behind the scenes.

Apple told administrators to audit every environment that could hit different servers, including production, staging, and test systems, and to check different device roles and enrollment types. (support.apple.com)

Apple also published a testing path before the cutoff arrives. The company said admins should install its Network Diagnostics Logging Profile on test devices running version 26.4 or later of iOS, iPadOS, macOS, watchOS, tvOS, or visionOS, then run normal workflows and inspect the logs for non-compliant connections. (support.apple.com)

There are a few carveouts. Apple said connections to a Simple Certificate Enrollment Protocol server during profile installation or Declarative Device Management asset resolution, and connections to content-caching servers, are not covered by this change. (support.apple.com)

The practical deadline is the next major Apple software cycle, even though Apple did not name a final release date in the support note. For companies with older appliance software, outsourced hosting, or legacy certificate chains, the work starts now, because the devices will be the side that refuses the connection. (support.apple.com)
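Alongside Apple's on-device logging profile, administrators can pre-screen their MDM, enrollment and app-distribution hosts from the server side. The script below is an added example, not code from Apple's note or its tooling: it connects as a strict client (TLS 1.2 minimum, full certificate and hostname verification) and judges the negotiated protocol and cipher against the requirements the note names. The forward-secrecy/AES ciphersuite policy is this script's own approximation of ATS, and `mdm.example.invalid` is a placeholder hostname.

```python
"""Pre-cutoff TLS audit for MDM / enrollment / app-distribution endpoints."""
import socket
import ssl

# Assumed ATS policy: ECDHE key exchange with AES (OpenSSL cipher naming).
ATS_OK_KEX = ("ECDHE-ECDSA-", "ECDHE-RSA-")
BAD_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def judge(version: str, cipher: str) -> list[str]:
    """Return findings for a negotiated (version, cipher); empty means compliant."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"{version} negotiated; Apple requires TLS 1.2 or later")
        return findings
    if any(m in cipher for m in BAD_MARKERS):
        findings.append(f"cipher {cipher} uses a broken or export-grade algorithm")
    if version == "TLSv1.2":  # every TLS 1.3 suite is already ECDHE + AEAD
        if not cipher.startswith(ATS_OK_KEX):
            findings.append(f"cipher {cipher} lacks forward secrecy (ECDHE)")
        if "AES" not in cipher:
            findings.append(f"cipher {cipher} is not an AES suite")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake as a strict client and report what the server negotiated."""
    ctx = ssl.create_default_context()      # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse 1.0/1.1 like the devices will
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version, cipher = tls.version(), tls.cipher()[0]
    except ssl.SSLError as exc:  # legacy-only server or certificate problem
        return {"host": host, "ok": False, "findings": [f"handshake failed: {exc.reason}"]}
    except OSError as exc:       # DNS, connect or timeout failure
        return {"host": host, "ok": False, "findings": [f"connect failed: {exc}"]}
    findings = judge(version, cipher)
    return {"host": host, "version": version, "cipher": cipher,
            "ok": not findings, "findings": findings}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["mdm.example.invalid"]:  # placeholder host
        print(probe(target))
```

Run it against each production, staging and test host; a successful handshake proves the server can do TLS 1.2 or later with a compliant suite, while a `handshake failed` result points at exactly the servers that would refuse enrollment or profile delivery after the cutoff.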