Howard Oakley’s eclectic-light blog flagged this week that the upcoming macOS 27 release brings a non-trivial reshuffle of how the OS handles networking — specifically the deprecation of a few long-standing low-level APIs and a tightening of how routing tables, VPN configurations, and per-app network entitlements interact. Most of the changes are improvements; a couple of them will quietly break workflows that have worked unchanged since macOS Mojave.
If you run a Mac as a developer workstation that talks to remote servers — or if your VPN setup is older than a few years — this is worth a careful read before the autumn release lands. The pieces I’d flag for testing now:
PF rules behavior is changing
The packet filter (pfctl) that ships with macOS has historically been a stripped-down OpenBSD pf. macOS 27 reportedly tightens which contexts can install pf rules, and adds a new entitlement requirement for apps that try. If you’ve been managing a custom /etc/pf.conf with anchors loaded by a launch daemon, that’s still fine. If you’re using a third-party “Mac firewall” app that injected rules via private API calls, expect breakage.
Test now: dump your current pf state, note any rules being installed by something other than your own scripts, and check the vendor’s macOS 27 readiness page. Rule auditing is straightforward:
sudo pfctl -sa | head -100    # everything pf currently has loaded, first 100 lines
sudo pfctl -s rules           # just the filter rules in the main ruleset
# What's loading them?
sudo pfctl -sA                # list the anchors attached to the main ruleset
Per-app proxy / VPN entitlements get stricter
This one is the bigger deal. Apple’s been moving toward a model where any app that wants to intercept network traffic — VPN clients, content filters, network extensions — needs an explicit System Extension and a user-granted entitlement. macOS 27 reportedly enforces this much more strictly: the older NetworkExtension APIs that mid-tier VPN clients have been getting away with for years are being deprecated, and some stop working entirely.
If your VPN client is one of the major ones (WireGuard official, Tailscale, Mullvad, NordVPN, etc.), you’re fine — those have been on the modern API for a while. If your VPN client is something corporate-managed and last meaningfully updated in 2022, you should be testing the macOS 27 beta on a spare machine right now, not in October.
DNS resolution path tweaks
The mDNSResponder internals are being refactored, with consequences for:
- How /etc/hosts takes effect (the macOS-Tahoe-era “edit your hosts file, then run sudo dscacheutil -flushcache” still works, but the cache invalidation no longer seems to be immediate: it takes a few seconds, and the timing matters if you’re scripting).
- Encrypted DNS (DoH/DoT) being negotiated more aggressively. If you’re on a corporate network that mandates a specific DNS server and blocks DoH, your Mac may get into a state where it tries to use the corporate DNS over plain UDP and the public DNS over DoH simultaneously, with confusing results.
- Bonjour/mDNS service-browse on link-local — a tightening of which apps can issue queries without the new “Local Network” prompt, similar to iOS’s behavior. If you have an app that scans your LAN for printers / Hue bulbs / NAS devices and the scan stops working, this is why.
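The hosts-file timing point above bites scripts that edit /etc/hosts, flush, and immediately connect. The following is an added example, not code from the post: a small polling helper that waits until the resolver cache actually returns the expected address before the script moves on. The host name, addresses and poll interval are constructed assumptions; dscacheutil is the stock macOS tool, and a simulated resolver is included so the logic can be exercised on any system.

```shell
#!/bin/sh
# Added example, not code from the post: after editing /etc/hosts and running
# `sudo dscacheutil -flushcache`, do not assume the new entry is visible at
# once. Poll the resolver until the expected address shows up or a bound on
# the number of polls is reached, so a script cannot race the cache.

POLL_INTERVAL=${POLL_INTERVAL:-1}   # seconds between polls (assumption)

# query_dscacheutil NAME: print the addresses the macOS resolver cache holds
# for NAME, one per line. dscacheutil -q host answers from the same cache that
# -flushcache clears, so this sees what other processes on the Mac see.
query_dscacheutil() {
    dscacheutil -q host -a name "$1" | awk '/^ip_address:/ { print $2 }'
}

# wait_for_host NAME EXPECTED_IP MAX_POLLS [QUERY_FN]
#   Returns 0 as soon as QUERY_FN NAME lists EXPECTED_IP, 1 after MAX_POLLS
#   polls without it. QUERY_FN defaults to query_dscacheutil.
wait_for_host() {
    name="$1"; want="$2"; max_polls="$3"; query="${4:-query_dscacheutil}"
    polls=0
    while [ "$polls" -lt "$max_polls" ]; do
        if "$query" "$name" | grep -qxF "$want"; then
            return 0
        fi
        polls=$((polls + 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# --- Simulated resolver so the helper can be exercised off a Mac -----------
# Constructed stand-in for a cache that keeps serving the stale address for
# two polls and flips to the new one on the third, mimicking the delayed
# invalidation described above. The call count lives in a temp file because
# the query function runs inside a pipeline subshell.
FAKE_CALLS=$(mktemp)
fake_query_delayed() {
    n=$(($(cat "$FAKE_CALLS") + 1))
    echo "$n" > "$FAKE_CALLS"
    if [ "$n" -ge 3 ]; then echo "10.0.0.2"; else echo "10.0.0.1"; fi
}
fake_query_stale() { echo "10.0.0.1"; }   # never flips: exercises the timeout path

# demo_simulated: reset the fake, wait for the flipped address, report how
# many polls it took. Returns 0 on success, 1 if the wait timed out.
demo_simulated() {
    echo 0 > "$FAKE_CALLS"
    ( POLL_INTERVAL=0; wait_for_host dev.internal.test 10.0.0.2 5 fake_query_delayed ) || return 1
    echo "resolved after $(cat "$FAKE_CALLS") polls"
}

# Real use on a Mac, after editing /etc/hosts:
#   sudo dscacheutil -flushcache
#   wait_for_host dev.internal.test 10.0.0.2 10 && echo "hosts entry is live"
```

The bound on polls is deliberate: if the entry never appears (typo in the hosts file, a DoH resolver answering instead of the hosts path), the script fails loudly rather than hanging, which is the behaviour you want in CI or a setup script.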
SSH workflows: probably fine, with one footnote
SSH itself is unaffected — it’s just a TCP client and pf-allowed by default. The one thing to watch: if you’ve been using ProxyCommand with a custom shell script that fiddles with the routing table or shells out to route add, the route-table modifications now require a System Integrity Protection-aware tooling path. Most SSH-via-bastion setups don’t need this. The exotic ones (e.g. SSH through a VPN concentrator that requires a temporary route added on connect) might.
If you have a personal mesh VPN like Tailscale and use it for SSH access, no changes — Tailscale’s network extension is on the supported APIs.
What to do this month
- Install the macOS 27 beta on a spare Mac (or a VM, since Apple Silicon now supports macOS-on-macOS virtualization fairly well).
- Run your normal day-of-work network usage on it for a week. SSH, VPN, Docker / OrbStack, any local-network device pairing.
- Note anything that prompts for a permission you don’t recognize. Those prompts are the new entitlement model showing through; record what they ask for so you know what to expect on the production upgrade.
- If your corporate IT manages your VPN, ask them now whether the client they ship has been tested on the macOS 27 beta. Don’t wait until after the upgrade to find out.
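The pf audit in the first section (note any rules installed by something other than your own scripts), the question of which VPN client is on the System Extension model, and the checklist above all come down to the same thing: capture what the machine looks like before the beta and compare afterwards. The script below is an added example, not code from the post or from Apple. It snapshots pf anchors and rules, loaded system extensions, DNS configuration, network services and the routing table into a directory, diffs two such directories, and flags pf anchors that are not on your own allow-list. The probe list and the KNOWN_ANCHORS value are assumptions to adjust; every tool named is a stock macOS binary, and each is skipped with a marker where it is not installed, so the script also runs elsewhere.

```shell
#!/bin/sh
# Added example, not code from the post or from Apple: snapshot the Mac's
# network configuration before the macOS 27 beta and again after, diff the
# two, and flag pf anchors that your own scripts did not create.
# Assumptions: the probe list and KNOWN_ANCHORS below; adjust both.

KNOWN_ANCHORS="com.apple my.pf.anchor"   # assumption: anchors you load yourself

# snapshot_network_state DIR: run each probe, save its output as DIR/<label>.txt
snapshot_network_state() {
    dir="$1"
    mkdir -p "$dir"
    # label|command, one probe per line; all are stock macOS tools
    probes='anchors|pfctl -s Anchors
pf_rules|pfctl -s rules
sysext|systemextensionsctl list
dns|scutil --dns
services|networksetup -listallnetworkservices
routes|netstat -rn'
    printf '%s\n' "$probes" | while IFS='|' read -r label cmd; do
        tool=${cmd%% *}
        if command -v "$tool" >/dev/null 2>&1; then
            # pfctl needs root; a permission error is still recorded as output
            $cmd > "$dir/$label.txt" 2>&1 || true
        else
            echo "skipped: $tool not installed" > "$dir/$label.txt"
        fi
    done
}

# compare_snapshots BEFORE AFTER: print each label whose output changed;
# returns 1 if anything differs, 0 if the two snapshots match.
compare_snapshots() {
    before="$1"; after="$2"; changed=0
    for f in "$before"/*.txt; do
        label=$(basename "$f")
        if ! cmp -s "$f" "$after/$label"; then
            echo "changed: $label"
            changed=1
        fi
    done
    return "$changed"
}

# flag_unknown_anchors KNOWN: read `pfctl -s Anchors` output on stdin and print
# every anchor name not in KNOWN (space separated); returns 1 if any were found.
flag_unknown_anchors() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NF == 0 { next }
        !($1 in ok) { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `pfctl -s Anchors` output on a Mac where a third-party
# firewall has installed its own anchor alongside Apple's and yours.
SAMPLE_ANCHORS='  com.apple
  com.example.thirdpartyfw
  my.pf.anchor'

# audit_sample_anchors: run the anchor check over the constructed sample.
audit_sample_anchors() {
    printf '%s\n' "$SAMPLE_ANCHORS" | flag_unknown_anchors "$KNOWN_ANCHORS"
}

# Typical use on the Mac itself (run as root so pfctl can read the ruleset):
#   snapshot_network_state ~/net-before   # on the current release
#   snapshot_network_state ~/net-after    # on the macOS 27 beta
#   compare_snapshots ~/net-before ~/net-after
#   flag_unknown_anchors "$KNOWN_ANCHORS" < ~/net-after/anchors.txt
```

The sysext snapshot is the quick answer to the VPN question: a client that appears in systemextensionsctl list is on the System Extension model; one that does not, yet still routes your traffic, is the kind to test on the beta now. The permission prompts themselves are not captured by any of these probes, so keep writing those down by hand as the checklist says.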
Apple’s move toward stricter entitlements is the right one for security; it just keeps catching out workflows built when the OS was more permissive. The pattern repeats every few releases. Better to find out which of yours is fragile in May than in October.
Source: eclecticlight.co
