Networking changes coming in macOS 27
Apple seldom gives advance notice of significant changes coming in the next major version of macOS before its first beta release at WWDC. One significant exception is changes to networking that could impact enterprise users. This year, with just over six weeks to go before that first beta of macOS 27, we already have two warnings of what might be coming.
AFP and network storage
Apple made SMB its primary file-sharing protocol in OS X 10.9 Mavericks, over 12 years ago, and has repeatedly told us that support for its predecessor AFP will be removed in the future. It repeated those warnings with macOS Sequoia 15.5, but still hasn’t confirmed when AFP will be lost.
Those who are most likely to be affected by this are still using Time Capsules, or elderly NAS systems that don’t support SMB3. As removal of AFP support won’t be retrospective, provided that none of your Macs will be upgraded to macOS 27, you’ll still be able to use AFP for your file shares and Time Machine backups. But if you have an Apple silicon Mac and AFP support is dropped from macOS 27, that would leave you unable to upgrade without replacing your network storage.
TLS and servers
Most recently, Apple has warned that a future version of macOS, and its device OSes, will require connections to certain servers to be made using at least TLS 1.2, with additional requirements. I’m grateful to Rich Trouton’s Der Flounder blog for drawing attention to this.
Apple carefully avoids being too specific, but warns that this change could come “as early as the next major software release”. One of the purposes behind its support article is to gauge the impact the change might have on its enterprise customers, and if there would be major problems, it may decide to delay its introduction.
This change is more technical, and largely applies to servers involved in supporting MDM, DDM, Automated Device Enrolment, app distribution and installation, and Apple software updates. Fortunately, if you run a local Content Caching server, that won’t be affected.
Unlike the removal of AFP, it’s far harder to tell whether a connection to a server complies with the new rules, which require:
- support for TLS 1.2 or later, with TLS 1.3 recommended,
- use of ATS-compliant ciphersuites,
- presentation of valid certificates meeting ATS standards.
The most reliable way to check is to audit connections made to each server, by screening log entries from the Mac or device. That’s further complicated by the fact that the log doesn’t normally gather the information that’s required. So the first step is to install a network diagnostics logging profile available from Apple. The support article explains how to collect a logarchive using sysdiagnose, and provides a monster predicate to extract relevant entries:
"p=appstoreagent|appstored|managedappdistributionagent|managedappdistributiond|ManagedClient|ManagedClientAgent|mdmclient|mdmd|mdmuserd|MuseBuddyApp|NanoSettings|Preferences|profiled|profiles|RemoteManagementAgent|remotemanagementd|Setup|'Setup Assistant'|'System Settings'|teslad|TVSettings|TVSetup|XPCAcmeService AND s=com.apple.network AND m:'ATS Violation'|'ATS FCPv2.1 violation'"
And yes, Apple is encouraging system administrators to copy and paste a command into Terminal, because there’s no GUI app in macOS that could be used to do that, although you can use it in Ulbow, and I suspect in LogUI with a little modification.
If you’re within the scope of this proposed change, you’ll need to read Rich Trouton’s account, and Apple’s full article. I wish you the best of luck. As with AFP, this change shouldn’t apply retrospectively.
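For triage across many Macs, the same filter can be applied offline to an exported log. The following is an added example, not code from Apple or from this article: it assumes the logarchive was exported with `log show --archive <path> --style ndjson`, and that each entry carries the `processImagePath`, `subsystem` and `eventMessage` fields. It reads `p=` and `s=` as exact matches and `m:` as a substring match, which is an assumption about the shorthand predicate.

```python
import json
from collections import Counter

# Process names copied from the predicate quoted in the article.
PROCESSES = {
    "appstoreagent", "appstored", "managedappdistributionagent",
    "managedappdistributiond", "ManagedClient", "ManagedClientAgent",
    "mdmclient", "mdmd", "mdmuserd", "MuseBuddyApp", "NanoSettings",
    "Preferences", "profiled", "profiles", "RemoteManagementAgent",
    "remotemanagementd", "Setup", "Setup Assistant", "System Settings",
    "teslad", "TVSettings", "TVSetup", "XPCAcmeService",
}
SUBSYSTEM = "com.apple.network"
MARKERS = ("ATS Violation", "ATS FCPv2.1 violation")

def ats_violations(lines):
    """Yield (process, message) for entries the predicate would select."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line in the export
        if not isinstance(entry, dict):
            continue
        process = (entry.get("processImagePath") or "").rsplit("/", 1)[-1]
        message = entry.get("eventMessage") or ""
        # Assumption: p= and s= are exact matches, m: is a substring match.
        if (process in PROCESSES and entry.get("subsystem") == SUBSYSTEM
                and any(marker in message for marker in MARKERS)):
            yield process, message

def summarise(lines):
    """Count matching entries per process, showing which agents hit non-compliant servers."""
    return Counter(process for process, _ in ats_violations(lines))

# Constructed sample entries; paths and the text after each marker are invented.
SAMPLE = [json.dumps({"processImagePath": p, "subsystem": s, "eventMessage": m})
          for p, s, m in [
              ("/usr/libexec/mdmclient", "com.apple.network", "ATS Violation: constructed detail"),
              ("/usr/libexec/appstored", "com.apple.network", "ATS FCPv2.1 violation: constructed detail"),
              ("/usr/libexec/mdmclient", "com.apple.network", "ATS Violation: constructed detail"),
              ("/Applications/Safari.app/Contents/MacOS/Safari", "com.apple.network", "ATS Violation: constructed detail"),
              ("/usr/libexec/mdmclient", "com.apple.ManagedClient", "constructed unrelated message"),
          ]]

if __name__ == "__main__":
    for process, count in summarise(SAMPLE).most_common():
        print(f"{process}: {count}")
```

A process with a non-zero count is one whose server connections need checking against the three requirements listed above before those Macs move to the new OS.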
Timescale
- 27.0 developer beta due on 8 June 2026
- 27.0 public beta due around 8 July 2026
- 27.0 release most probably in mid-September 2026, only five months away.
9 Comments
1
Metin on April 23, 2026 at 10:52 am
Does Apple say anything about dropping SHA1 support in SSL handshakes? I’ve seen issues with my old OS X Server, which I am still running for very specific purposes, with some software rejecting to connect, not because of the TLS version (1.2 is supported), but because of the outdated SHA1 algorithm used during handshake – which seems to be baked into the openSSL/LibreSSL version. I would expect that Apple will no longer support SHA1 in the upcoming macOS versions.
2
hoakley on April 23, 2026 at 11:24 am
Are you going to be using that for device management, Apple software updates, or another of the purposes specified, with Macs or devices running OS 27?
As far as I can see, SHA-2 is required now – it certainly is in TLS 1.3.
Howard.
3
Metin on April 23, 2026 at 12:42 pm
I’m still using the DNS server and LDAP in Server.app. However, since some apps have recently begun to refuse talking with the LDAP over TLS, I am currently in the process of finally migrating these last two services away from the good old OS X Server.
I’m really sorry that Apple has decided to drop that product. It was so convenient.
4
hoakley on April 23, 2026 at 12:44 pm
Neither of those services are affected by this change.
Howard
5
Metin on April 23, 2026 at 12:47 pm
I doubt they are making differences wrt what app or service initiated the TLS handshake. As far as I know it is a requirement in LibreSSL library. But let’s see.
6
Brian on April 23, 2026 at 4:22 pm
Thanks for the information about AFP. For Macs not going to Tahoe, is there a disadvantage to share Mac network volumes with AFP by turning off the SMB option? SMB has had some speed and other issues for me, and I wonder if AFP would be better.
7
hoakley on April 23, 2026 at 7:03 pm
For Intel Macs, that should be fine. I wouldn’t expect miracles with AFP, though.
Howard.
8
Rob on April 27, 2026 at 4:03 pm
So if updates are not performed, are the managed devices locked, or free of lock?
9
hoakley on April 27, 2026 at 4:10 pm
I’m sorry, I don’t know. I presume they would be in the same state that they would be for any other network failure to update.
Howard.