Particle.news
Apple Warns of Stricter Network Security for System Processes in iOS 27 and macOS 27

The company told developers to update servers now to meet TLS and App Transport Security standards.

Overview

  • Apple, in a support document published Tuesday, said upcoming releases may refuse connections to servers that use outdated or non‑compliant TLS settings across iOS, iPadOS, macOS, watchOS, tvOS, and visionOS.
  • The guidance urges developers and IT administrators to audit and fix internal and vendor‑managed servers ahead of the expected fall rollout to avoid service failures when enforcement begins.
  • To comply, servers must support TLS 1.2 or later, with Apple recommending TLS 1.3, use App Transport Security–approved cipher suites, and present certificates that meet ATS requirements.
  • Servers limited to TLS 1.2 also need Perfect Forward Secrecy via ECDHE, AES‑GCM cipher suites with SHA‑256, SHA‑384, or SHA‑512, and the extended master secret extension defined in RFC 7627.
  • Admins can validate setups by installing Apple’s Network Diagnostics Logging Profile on devices running iOS 26.4 or later and running typical workflows such as MDM, Declarative Device Management, Automated Device Enrollment, configuration profile installs, enterprise app distribution, and software updates.
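The TLS 1.2 conditions listed above can be checked against a negotiated session. The following is an added example, not Apple's tooling or code from the support document. The names `findings` and `probe` are hypothetical, the sample sessions are constructed, a TLS 1.3 session is assumed to pass without further suite checks, and certificate requirements are not covered. Python's `ssl` module does not report the extended master secret, so that flag is supplied by the caller.

```python
import re
import socket
import ssl

APPROVED_HASHES = {"SHA256", "SHA384", "SHA512"}  # hashes named in the summary

def findings(version, cipher, ems):
    """Return problems for one negotiated session (empty list = none found).

    version: e.g. "TLSv1.2"; cipher: OpenSSL or IANA suite name;
    ems: True/False for the RFC 7627 extension, None if not measured.
    """
    if version == "TLSv1.3":
        return []  # assumption: the extra conditions target TLS 1.2-only servers
    if version != "TLSv1.2":
        return [f"{version}: below TLS 1.2"]
    tokens = re.split(r"[-_]", cipher.upper())
    problems = []
    if "ECDHE" not in tokens:
        problems.append("no ECDHE key exchange (no forward secrecy)")
    if "GCM" not in tokens or not any(t.startswith("AES") for t in tokens):
        problems.append("cipher is not AES-GCM")
    if tokens[-1] not in APPROVED_HASHES:
        problems.append(f"hash {tokens[-1]} is not SHA-256/384/512")
    if ems is False:
        problems.append("extended master secret (RFC 7627) missing")
    elif ems is None:
        problems.append("extended master secret not verified")
    return problems

def probe(host, port=443, timeout=5):
    """Handshake with a server you operate; EMS is returned as None (unknown)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], None

# Constructed sessions, not captured from real servers.
SAMPLES = [
    ("TLSv1.3", "TLS_AES_128_GCM_SHA256", None),
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", True),
    ("TLSv1.2", "ECDHE-RSA-AES128-SHA256", False),
    ("TLSv1.2", "AES128-SHA", True),
    ("TLSv1.1", "ECDHE-RSA-AES128-SHA", True),
]

if __name__ == "__main__":
    for session in SAMPLES:
        print(session[:2], "->", findings(*session) or "OK")
```

To audit a live endpoint, pass the result of `probe("server.example")` to `findings` and confirm the extended master secret separately, since the probe cannot see it.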