Networking changes coming in macOS 27
Source: Hacker News
Apple seldom gives advanced notice of significant changes coming in the next major version of macOS before its first beta release at WWDC. One notable exception is the networking changes that could impact enterprise users. With just over six weeks to go before the first beta of macOS 27, we already have two warnings of what might be coming.
AFP and network storage
Apple made SMB its primary file‑sharing protocol in OS X 10.9 Mavericks, over 12 years ago, and has repeatedly warned that support for its predecessor AFP will be removed in the future. The warning was reiterated with macOS Sequoia 15.5, but Apple has not confirmed when AFP will be dropped.
Those most likely to be affected are still using Time Capsules or older NAS systems that don’t support SMB 3. Because removal of AFP support won’t be retrospective, as long as none of your Macs are upgraded to macOS 27 you’ll still be able to use AFP for file shares and Time Machine backups. However, if you have an Apple‑silicon Mac and AFP support is dropped from macOS 27, you would be unable to upgrade without replacing your network storage.
TLS and servers
Most recently, Apple has warned that a future version of macOS (and its device OSes) will require connections to certain servers to use at least TLS 1.2, with additional requirements. Rich Trouton’s Der Flounder blog drew attention to this:
“A future version of macOS … will require connections to certain servers to be made using at least TLS 1.2, with additional requirements.”
—Apple support article
Apple avoids being too specific but notes that the change could arrive “as early as the next major software release.” The purpose of the support article is to gauge the impact on enterprise customers; if major problems arise, Apple may delay the rollout.
The change mainly affects servers that support MDM, DDM, Automated Device Enrollment, app distribution and installation, and Apple software updates. A local Content Caching server won’t be affected.
Unlike the removal of AFP, it’s harder to determine whether a server connection complies with the new rules, which require:
- Support for TLS 1.2 or later (TLS 1.3 recommended)
- Use of ATS‑compliant cipher suites
- Presentation of valid certificates meeting ATS standards
The most reliable way to check is to audit connections by reviewing log entries from the Mac or device. Because macOS logs don’t normally capture the needed details, the first step is to install a network diagnostics logging profile from Apple. The support article explains how to collect a log archive using sysdiagnose and provides a predicate to extract relevant entries:
p=appstoreagent|appstored|managedappdistributionagent|managedappdistributiond|ManagedClient|ManagedClientAgent|
mdmclient|mdmd|mdmuserd|MuseBuddyApp|NanoSettings|Preferences|profiled|profiles|RemoteManagementAgent|
remotemanagementd|Setup|'Setup Assistant'|'System Settings'|teslad|TVSettings|TVSetup|XPCAcmeService AND s=com.apple.network AND m:'ATS Violation'|'ATS FCPv2.1 violation'Apple encourages system administrators to copy and paste a command into Terminal, as there is no GUI app for this task (though it can be used in tools like Ulbow or, with modification, LogUI).
If you fall within the scope of this proposed change, you’ll need to read:
- Rich Trouton’s account: Apple enforcing stricter network security requirements for future versions of Apple’s platform operating systems
- Apple’s full article: Support article 126655
As with AFP, this change should not apply retrospectively.
Timescale
- 27.0 developer beta due on 8 June 2026
- 27.0 public beta due around 8 July 2026
- 27.0 release most likely in mid‑September 2026 (approximately five months away)