Starting with Apple OS 27 (iOS, iPadOS, macOS, watchOS, tvOS, and visionOS), Apple requires all MDM connections to use modern and secure HTTPS communication.
For On-Premises customers, the MDM / Endpoint Central server must meet the following requirements:
HTTPS must be enabled on the MDM / Endpoint Central server before you run any validation.
To enable HTTPS, go to:
Admin → Security Settings → Enable HTTPS

Once enabled, restart the server to apply the changes.
After HTTPS is enabled, you can validate the server using either of the two methods below. We recommend starting with Method 1, which uses a Mac device.
Follow the steps below to export the MDM / Endpoint Central server certificate, trust it on the Mac, and then run the validation command.

Navigate to the <Installation_Directory>\nginx\conf directory and copy the server.crt file, which is the server certificate file.


After trusting the server certificate on the Mac, open the Terminal application and copy-paste the following command to validate the server connection:
nscurl --ats-diagnostics https://<your-server>/Example:
nscurl --ats-diagnostics https://10.51.210.170:9383
You can also validate whether the MDM / Endpoint Central server meets Apple's new TLS and HTTPS security requirements by using an iOS or iPadOS device and reviewing the generated network diagnostic logs.
Download the Network Diagnostics Logging Profile for the respective iOS or iPadOS test device and install it on the device.

After installing the profile:

Enroll the iOS or iPadOS device into the MDM / Endpoint Central server and perform regular management operations such as:
This generates the required MDM communication logs for validation.
After completing the workflows, collect a sysdiagnose log from the iOS or iPadOS device.
To generate the sysdiagnose:
Alternatively:
Wait approximately 10 minutes for the diagnostic collection to complete.
For device-specific instructions, refer to Apple's documentation.
On the iOS or iPadOS device, navigate to:
Settings → Privacy → Analytics & Improvements → Analytics Data
Locate the generated sysdiagnose file near the bottom of the list.
The file name will be similar to:
sysdiagnose_YYYY.MM.DD_HH-MM-SS-XXTransfer the sysdiagnose file to a Mac device using:
Extract the .tar.gz sysdiagnose archive on the Mac device.
Open Terminal inside the extracted sysdiagnose folder and run the following command to filter the relevant ATS and TLS validation logs:
log show --archive system_logs.logarchive --info -P "p=appstoreagent|appstored|managedappdistributionagent|managedappdistributiond|ManagedClient|ManagedClientAgent|mdmclient|mdmd|mdmuserd|MuseBuddyApp|NanoSettings|Preferences|profiled|profiles|RemoteManagementAgent|remotemanagementd|Setup|'Setup Assistant'|'System Settings'|teslad|TVSettings|TVSetup|XPCAcmeService AND s=com.apple.network AND m:'ATS Violation'|'ATS FCPv2.1 violation'"If the server does not meet Apple's TLS and HTTPS security requirements, the logs will contain warnings such as:
Warning [ATS Violation]Warning [ATS FCPv2.1 violation]Warning [ATS Violation] or Warning [ATS FCPv2.1 violation], the server does not meet Apple's new security requirements. In this case, ensure HTTPS is enabled, TLS 1.2 or TLS 1.3 is configured, and the server uses a supported SSL certificate and cipher suite.If the validation result indicates that your server does not meet Apple's new security requirements, follow the resolution steps below based on your server and OS version.