macOS 15 Sequoia Update Causes Widespread Network Connection Problems

CyberSecureFox 🦊

The recent release of macOS 15, codenamed Sequoia, on September 16, 2024, has triggered a wave of network connection issues for users employing various security solutions, VPNs, and browsers. This development has raised significant concerns in the cybersecurity community, with major players like CrowdStrike, Microsoft, and ESET reporting compatibility problems with the new operating system.

Impact on Endpoint Detection and Response (EDR) Solutions

Users have reported substantial difficulties with EDR solutions following the Sequoia update. CrowdStrike Falcon and ESET Endpoint Security are among the affected products, experiencing functionality issues that compromise their effectiveness. These problems extend to firewalls, causing packet corruption and subsequent SSL failures in browsers, as well as rendering tools like wget and curl inoperable.

In response to these issues, CrowdStrike has taken the unusual step of advising its clients to delay upgrading to macOS 15. The company cited “changes in the internal network structures of macOS 15 Sequoia” as the primary reason for this recommendation, emphasizing the need for a fully compatible Mac sensor before proceeding with the update.

VPN Connectivity Challenges

The impact of the Sequoia update isn’t limited to EDR solutions. Users have also reported intermittent failures when connecting to Mullvad VPN and various corporate VPN products essential for remote work. These connectivity issues pose a significant risk to organizations relying on secure remote access for their workforce.

Root Cause Analysis

While Apple has yet to provide an official statement regarding these issues, the macOS 15 release notes offer a potential clue. The notes indicate that a specific function in the operating system’s firewall has been deprecated, which may be at the heart of the current problems.

The release notes state: “Application Firewall settings are no longer stored in a property list. If your app or workflow depends on modifying Application Firewall settings by editing /Library/Preferences/com.apple.alf.plist, you need to update it to use the socketfilterfw command-line tool instead (124405935).”

This change has been acknowledged by Google as the source of issues in Chromium, necessitating modifications to how Google Chrome detects Mac firewall settings.
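For teams auditing their own provisioning scripts against that release note, the sketch below (an added example, not from Apple or any vendor named here) flags lines that still touch com.apple.alf.plist and suggests a socketfilterfw replacement. The key-to-flag mapping is an assumption that covers three common keys only; anything else is marked for manual review.

```shell
#!/bin/sh
# Added example: find legacy com.apple.alf.plist edits in a script and suggest
# the socketfilterfw equivalent. The mapping below is an assumption of this
# example and handles only globalstate, stealthenabled and allowsignedenabled.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Translate one "defaults write ...com.apple.alf <key> -int|-bool <value>" line.
# Prints the replacement command, or a MANUAL marker (and returns 1) otherwise.
alf_to_sfw() {
    line=$1
    # Pull out "<key> <value>" following the com.apple.alf domain.
    kv=$(printf '%s\n' "$line" | sed -n -E \
        's/.*defaults +write +[^ ]*com\.apple\.alf(\.plist)? +([A-Za-z]+) +-(int|bool) +([A-Za-z0-9]+).*/\2 \4/p')
    [ -n "$kv" ] || { echo "MANUAL: review by hand"; return 1; }
    key=${kv% *}; val=${kv#* }
    case $val in 0|false|NO|no) state=off ;; *) state=on ;; esac
    case $key in
        globalstate)
            # 0 = off, 1 = on, 2 = on and block all incoming connections
            if [ "$val" = 2 ]; then
                echo "$SFW --setglobalstate on && $SFW --setblockall on"
            else
                echo "$SFW --setglobalstate $state"
            fi ;;
        stealthenabled)     echo "$SFW --setstealthmode $state" ;;
        allowsignedenabled) echo "$SFW --setallowsigned $state" ;;
        *) echo "MANUAL: no mapping for key '$key'"; return 1 ;;
    esac
}

# Scan a script file; print "<lineno>: <suggestion>" for every line that
# references com.apple.alf (defaults, PlistBuddy, or anything else).
audit_alf_refs() {
    grep -n 'com\.apple\.alf' "$1" | while IFS= read -r hit; do
        n=${hit%%:*}; text=${hit#*:}
        printf '%s: %s\n' "$n" "$(alf_to_sfw "$text")"
    done
}

# Stand-alone use: sh audit.sh path/to/provisioning-script.sh
if [ "$#" -gt 0 ]; then audit_alf_refs "$1"; fi
```

The suggested commands change firewall state and need root when run on a Mac; the audit itself only reads the file it is given.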

Temporary Solutions and Vendor Responses

Several affected vendors have issued advisories and temporary solutions for users experiencing problems:

ESET

ESET recommends users navigate to System Settings -> Network -> Filters and temporarily remove ESET Network from the list. A system reboot should restore normal network connectivity and ESET product functionality. This solution is applicable only to Endpoint Security version 8.1.6.0 and above, and ESET Cyber Security version 7.5.74.0 and above.

Microsoft

Microsoft attributes the issue to macOS’s Stealth Mode, which prevents devices from responding to ping requests and connection attempts from closed TCP or UDP networks. The company suggests disabling Stealth Mode in the firewall settings as a workaround.

Security expert Patrick Wardle has criticized Apple’s decision to release macOS 15 despite prior knowledge of these issues, stating, “If you pride yourself on building secure systems, you have no business shipping software that breaks security tools.”

As the cybersecurity community grapples with these challenges, users are advised to exercise caution when considering an upgrade to macOS 15 Sequoia. Organizations should carefully assess the potential impact on their security infrastructure and consider delaying the update until vendors provide fully compatible solutions. This situation underscores the critical importance of thorough testing and collaboration between operating system developers and security solution providers to ensure a seamless and secure user experience.
