Network-security ratchet
- Apple announced stricter network-security requirements for iOS 27 and macOS 27 ahead of WWDC.
- The company published an IT-facing support document with action steps for administrators before WWDC on June 8.
- This will affect app connectivity, certificate handling, and legacy service compatibility across device labs and enterprise environments (9to5mac.com).

Apple is warning that its next major operating systems may start refusing some server connections unless those servers meet newer encryption rules. (support.apple.com)

The change applies as early as the next major releases of iOS, iPadOS, macOS, watchOS, tvOS, and visionOS, and Apple published the notice on April 21, 2026. WWDC26 begins on Monday, June 8, and Apple says that is where it will reveal its latest platform updates. (support.apple.com) (developer.apple.com)

The affected traffic is not every app connection on a device. Apple says the new checks cover system processes tied to mobile device management, Declarative Device Management, Automated Device Enrollment, configuration profile installation, app installation including enterprise distribution, and software updates. (support.apple.com)

Transport Layer Security, or TLS, is the standard that encrypts data between a device and a server, like a sealed envelope for network traffic. Apple says the servers in scope will need to support TLS 1.2 or later, use App Transport Security-compliant cipher suites, and present valid certificates that meet App Transport Security standards. (support.apple.com 1) (support.apple.com 2)

In Apple’s rules, that means forward secrecy is required by default, certificates must be signed with SHA-256 or stronger, and RSA keys shorter than 2048 bits are not allowed. Apple’s security guide says invalid certificates already cause a hard failure with no connection. (support.apple.com)

The immediate audience is information-technology administrators and device-management vendors, not ordinary iPhone buyers. Apple says organizations should audit production, staging, and test environments because different device types, user roles, and enrollment methods can reach different servers. (support.apple.com)

Apple is also telling teams to start the audit on devices running version 26.4 or later by installing a Network Diagnostics Logging Profile, restarting the device, reproducing managed workflows, and then reviewing the logs for non-compliant connections. Apple says outside vendors may need significant time to update old server configurations. (support.apple.com)

There are a few carve-outs. Apple says connections to a Simple Certificate Enrollment Protocol server during profile installation or Declarative Device Management asset resolution, and connections to content caching servers, are not affected by this change. (support.apple.com)

The notice fits a longer pattern in Apple’s platform security model. Its security documentation says App Transport Security has long pushed developers toward newer cipher suites and stronger certificates, while later releases blocked older technologies such as SSL 3, RC4-only connections, and many SHA-1 certificate uses. (support.apple.com)

The practical deadline is before devices move to the next operating-system cycle this fall. Apple has now given enterprise teams a pre-WWDC checklist, and the message is that old certificate chains and legacy TLS settings may stop working when iOS 27 and macOS 27 arrive. (support.apple.com) (developer.apple.com)
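
The server rules described above (TLS 1.2 or later, forward secrecy, SHA-256 or stronger signatures, no RSA keys under 2048 bits) can be applied as a triage check over the endpoint inventory an audit produces. This is an added example, not Apple's code: the host names, the `Observation` fields and the sample records are constructed, and it counts only TLS 1.3 suites and ECDHE key exchange as forward secret rather than reproducing Apple's cipher-suite list.

```python
from dataclasses import dataclass

# Ordering of protocol versions so "TLS 1.2 or later" is a numeric comparison.
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
STRONG_HASHES = {"sha256", "sha384", "sha512"}  # "SHA-256 or stronger"

@dataclass
class Observation:
    host: str         # constructed endpoint name
    env: str          # production / staging / test
    tls_version: str  # negotiated protocol, e.g. "TLSv1.2"
    cipher: str       # negotiated suite, OpenSSL-style name
    sig_hash: str     # hash used in the leaf certificate's signature
    key_type: str     # "RSA" or "EC"
    key_bits: int

def findings(o):
    """Return the rules from the article that this endpoint fails."""
    out = []
    # Unknown protocol strings are treated as non-compliant.
    if TLS_ORDER.get(o.tls_version, -1) < TLS_ORDER["TLSv1.2"]:
        out.append("protocol below TLS 1.2")
    # Assumption: TLS 1.3 suites and ECDHE key exchange are forward secret;
    # anything else is flagged for manual review against Apple's list.
    if o.tls_version != "TLSv1.3" and not o.cipher.startswith("ECDHE-"):
        out.append("cipher suite lacks forward secrecy")
    if o.sig_hash.lower() not in STRONG_HASHES:
        out.append("certificate signature weaker than SHA-256")
    # The article states a limit only for RSA, so EC key sizes are not judged.
    if o.key_type.upper() == "RSA" and o.key_bits < 2048:
        out.append("RSA key shorter than 2048 bits")
    return out

def audit(observations):
    """Map (env, host) to its failed rules, omitting compliant endpoints."""
    report = {(o.env, o.host): findings(o) for o in observations}
    return {k: v for k, v in report.items() if v}

# Constructed sample inventory covering the three environments to audit.
SAMPLE = [
    Observation("mdm.example.internal", "production", "TLSv1.3", "TLS_AES_256_GCM_SHA384", "sha256", "EC", 256),
    Observation("enroll.example.internal", "staging", "TLSv1.2", "AES128-SHA", "sha1", "RSA", 1024),
    Observation("apps.example.internal", "test", "TLSv1", "ECDHE-RSA-AES128-SHA", "sha256", "RSA", 2048),
]

if __name__ == "__main__":
    for (env, host), problems in audit(SAMPLE).items():
        print(f"[{env}] {host}: " + "; ".join(problems))
```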