# Apple's New Security Requirements for MDM Connections Starting with **Apple OS 27** (iOS, iPadOS, macOS, watchOS, tvOS, and visionOS), Apple requires all MDM connections to use modern and secure HTTPS communication. **Note:** This is not a concern for Cloud customers, as the cloud environment already supports TLS 1.3 and meets Apple's security requirements. For **On-Premises customers**, the MDM / Endpoint Central server must meet the following requirements: - TLS 1.2 or higher enabled (TLS 1.3 recommended) - Complete HTTPS communication between the device and the server - Server certificates must use **RSA 2048** or **ECC 256** with **SHA256** hashing - Only strong cipher suites are allowed (AES 128 / AES 256 with ECDHE/RSA) --- **Note:** Before checking whether your server meets Apple's security requirements, complete the prerequisite below. ## Prerequisite: Enable HTTPS on the Server HTTPS must be enabled on the MDM / Endpoint Central server before you run any validation. To enable HTTPS, go to: `Admin → Security Settings → Enable HTTPS` ![Mobile Device Manager Plus - Enable HTTPS](https://cdn.manageengine.com/sites/meweb/images/mobile-device-management/images/1779347421932.png) Once enabled, restart the server to apply the changes. After HTTPS is enabled, you can validate the server using either of the two methods below. We recommend starting with **Method 1**, which uses a Mac device. --- ## Method 1: Validate the Server Using a Mac Follow the steps below to export the MDM / Endpoint Central server certificate, trust it on the Mac, and then run the validation command. ### Export the Server Certificate #### Method 1: Export the certificate from the browser 1. Open **Google Chrome** on the Mac. 2. Navigate to the MDM / Endpoint Central server URL. 3. Click **Not Secure** in the address bar. 4. Click **Certificate is not valid**. ![Mobile Device Manager Plus - Certificate Viewer](https://cdn.manageengine.com/sites/meweb/images/mobile-device-management/images/1779347895779.png) 5. In the certificate window: - Go to the **Details** tab. - Click **Export**. - Save the certificate to the Desktop. #### Method 2: Retrieve the certificate directly from the server Navigate to the `\nginx\conf` directory and copy the `server.crt` file, which is the server certificate file. ### Trust the Certificate in Keychain 1. Open **Keychain Access** on the Mac. 2. Go to the **System** keychain. 3. Drag and drop the exported certificate into the certificate list. 4. Double-click the imported certificate. 5. Expand the **Trust** section. 6. Set **When using this certificate** to **Always Trust**. ![Mobile Device Manager Plus - Trust Certificate 1](https://cdn.manageengine.com/sites/meweb/images/mobile-device-management/images/trustt_1.png) ![Mobile Device Manager Plus - Trust Certificate 2](https://cdn.manageengine.com/sites/meweb/images/mobile-device-management/images/trust_2.png) After trusting the server certificate on the Mac, open the **Terminal** application and copy-paste the following command to validate the server connection: ``` nscurl --ats-diagnostics https:/// ``` **Example:** ``` nscurl --ats-diagnostics https://10.51.210.170:9383 ``` After running the command, check the result. If the output shows **"PASS"**, the server meets the required security and connectivity requirements. ![ATS Diagnostics Result - PASS](https://cdn.manageengine.com/sites/meweb/images/mobile-device-management/images/1779348536473.png) --- ## Method 2: Validate the Server Using an iOS or iPadOS Device You can also validate whether the MDM / Endpoint Central server meets Apple's new TLS and HTTPS security requirements by using an iOS or iPadOS device and reviewing the generated network diagnostic logs. ### Step 1: Install the Network Diagnostics Logging Profile Download the **Network Diagnostics Logging Profile** for the respective iOS or iPadOS test device and install it on the device. ![Mobile Device Manager Plus - Network Diagnostics Logging Profile](https://cdn.manageengine.com/sites/meweb/images/mobile-device-management/images/nd_.png) After installing the profile: - Restart the test device. - Restart the MDM / Endpoint Central server to apply the changes. ![Mobile Device Manager Plus - Network Diagnostics Logging Profile](https://cdn.manageengine.com/sites/meweb/images/mobile-device-management/images/1779446825678.png) ### Step 2: Perform Normal MDM Workflows Enroll the iOS or iPadOS device into the MDM / Endpoint Central server and perform regular management operations such as: - Device Scan - Remote Lock - Associate/Dissociate profiles - Distribute Apps - Execute any other workflows commonly used in your environment This generates the required MDM communication logs for validation. ### Step 3: Collect a sysdiagnose Log After completing the workflows, collect a **sysdiagnose** log from the iOS or iPadOS device. To generate the sysdiagnose: - Simultaneously press and release both **Volume** buttons and the **Side** (or **Top**) button for approximately 250 milliseconds. Alternatively: - Use **AssistiveTouch** to trigger the sysdiagnose collection. Wait approximately **10 minutes** for the diagnostic collection to complete. For device-specific instructions, refer to [Apple's documentation](https://it-training.apple.com/tutorials/support/sup075/). ### Step 4: Locate the sysdiagnose File On the iOS or iPadOS device, navigate to: `Settings → Privacy → Analytics & Improvements → Analytics Data` Locate the generated sysdiagnose file near the bottom of the list. The file name will be similar to: ``` sysdiagnose_YYYY.MM.DD_HH-MM-SS-XX ``` ### Step 5: Transfer the sysdiagnose File Transfer the sysdiagnose file to a Mac device using: - AirDrop - Email - Any secure file transfer method ### Step 6: Review the Logs Extract the `.tar.gz` sysdiagnose archive on the Mac device. Open **Terminal** inside the extracted sysdiagnose folder and run the following command to filter the relevant ATS and TLS validation logs: ``` log show --archive system_logs.logarchive --info -P "p=appstoreagent|appstored|managedappdistributionagent|managedappdistributiond|ManagedClient|ManagedClientAgent|mdmclient|mdmd|mdmuserd|MuseBuddyApp|NanoSettings|Preferences|profiled|profiles|RemoteManagementAgent|remotemanagementd|Setup|'Setup Assistant'|'System Settings'|teslad|TVSettings|TVSetup|XPCAcmeService AND s=com.apple.network AND m:'ATS Violation'|'ATS FCPv2.1 violation'" ``` ### Step 7: Verify the Result If the server does not meet Apple's TLS and HTTPS security requirements, the logs will contain warnings such as: - `Warning [ATS Violation]` - `Warning [ATS FCPv2.1 violation]` If **no warning entries** are present in the output, the MDM / Endpoint Central server successfully meets Apple's new TLS security requirements for Apple OS 27 devices. If the logs show `Warning [ATS Violation]` or `Warning [ATS FCPv2.1 violation]`, the server does **not** meet Apple's new security requirements. In this case, ensure HTTPS is enabled, TLS 1.2 or TLS 1.3 is configured, and the server uses a supported SSL certificate and cipher suite. --- ## Resolution: If the Server Does Not Meet the Requirements If the validation result indicates that your server does not meet Apple's new security requirements, follow the resolution steps below based on your server and OS version. **1. If your server or OS is below the supported version:** Servers running older operating systems such as **Windows Server 2012 or earlier**, or **Windows 8 or earlier**, may not support these requirements and can prevent Apple devices on OS 27 from connecting to the server. In this case, upgrade the server to a supported OS version to ensure compatibility. **2. If your server and OS are already on a supported version but the validation still fails:** Contact our support team at [mdm-support@manageengine.com](mailto:mdm-support@manageengine.com) for further assistance with compatibility validation or troubleshooting.