Summary of Cato macOS Client Releases

This article summarizes features, enhancements, and bug fixes for macOS Clients.

It also lists the known limitations.

Admins and users can easily download the Client from the Client download portal without requiring authentication.

For more information about the requirements to implement Cato's remote access in your organization, see Preparing to Install the Cato Client.

macOS Client v5.13

Starting May 3, 2026, we are rolling out macOS Client version 5.13. This version includes:

  • The tray icon highlights whether the Client has secure Private access, secure Internet access, or both

  • Quicker detection of WiFi network changes

Bug Fixes

macOS Client v5.13 includes the following bug fixes:

| ID | Description | Severity |
| --- | --- | --- |
| 176907 | Fixed an issue where the Client could crash with a SIGTRAP error when the device entered sleep mode | Critical |
| 128683 | Fixed an issue where the macOS Client could become unresponsive during authentication when using an external browser | Critical |
| 162721 | Fixed an issue where the Client Connectivity policy did not function as expected when device posture checks for registry keys were in use | Critical |
| 167767 | Fixed an issue that caused increased battery consumption during Client operation | High |
| 172284 | Fixed an issue of intermittent disconnections related to the DNS resolution flow | High |
| 174502 | Fixed an issue where Device Posture updates were delayed and did not match the correct rules | High |

macOS Client v5.11

Starting February 15, 2026, we are rolling out macOS Client version 5.11. This version includes:

  • Bug fixes

  • Known limitation

Bug Fixes

macOS Client v5.11 includes the following bug fixes:

| ID | Description | Severity |
| --- | --- | --- |
| 154781 | Fixed an issue where connection establishment was stuck in authentication when private access expired during sleep and in other scenarios | Critical |
| 143420 | Fixed an issue where Device Posture checks based on Admin selection only did not take effect when the Client was behind a socket (on site) | Critical |
| 122465 | Fixed an issue where user re-authentication was not working with the embedded browser | Critical |
| 155183 | Fixed an issue where the device posture check for anti-malware was not able to detect Symantec Endpoint Protection | High |
| 148819 | Fixed a Client crash related to an Always On configuration change | High |
| 129065 | Fixed an issue where the Client crashed during large file transfers | High |
| 140636 | Fixed an issue where the user name or host names were missing in events for remote users | Medium |

Known Limitations

  • In some cases, when a user tries to authenticate with SSO after a private access session expires, an empty webpage briefly appears.

macOS Client v5.10.6

Starting November 2, 2025, we are rolling out macOS Client version 5.10.6. This version includes:

  • Support for a fully silent installation, including EULA suppression

  • Stability improvements

  • Security updates

  • Bug fixes

Bug Fixes

macOS Client v5.10.6 includes the following bug fixes:

| ID | Description | Severity |
| --- | --- | --- |
| 143943 | Fixed an issue where SDP remote users not behind a socket would be erroneously identified as being on an office network | Critical |
| 148645 | Fixed an issue where the Clients were not sending DEM data when connected through office mode | High |
| 143501 | Fixed an issue where Clients that connected to a different PoP during maintenance continued to connect to that PoP even after the maintenance was completed | Critical |

macOS Client v5.10.5

Starting October 5, 2025, we are rolling out macOS Client version 5.10.5. This version includes:

  • Support for macOS Tahoe 26.

  • Stability improvements

  • Security updates

  • Bug fixes

Bug Fixes

macOS Client v5.10.5 includes the following bug fixes:

| ID | Description | Severity |
| --- | --- | --- |
| 144198 | User reauthentication was not working for customers using the embedded browser | Critical |

Known Limitations

There are no known limitations for macOS Client 5.10.5.

macOS Client v5.10

Starting August 18, 2025, we are rolling out macOS Client version 5.10. This version includes:

  • Support for remote internet security with one-time authentication. This enables users to always have connectivity and protection with minimal interaction with the Client. Previously supported only for the Windows client. To see if this impacts your users, read our FAQ.

  • An updated user interface that now includes more connectivity details

  • Performance enhancements and bug fixes

Known Limitations

There are no known limitations for macOS Client 5.10.

macOS Client v5.9

Starting June 22, 2025, we are rolling out macOS Client version 5.9. This version includes:

  • Prevent installation of the Client on unsupported versions. This includes any macOS version prior to macOS 13.3 (Ventura).

  • Bug fixes and known limitations

Bug Fixes

macOS Client v5.9 includes the following bug fixes:

| ID | Description | Severity |
| --- | --- | --- |
| 119486 | After users disconnected the Client, sometimes the Client failed to authenticate and connect again. | Critical |
| 121753 | When connecting in Office Mode, the Client took a long time to detect Office Mode and connect. | Critical |
| 119825 | Device Posture for certificates allowed connections for new Client versions, even when there was an invalid certificate. | High |

Known Limitations

macOS Client v5.9 has the following known limitations:

| ID | Description | Severity |
| --- | --- | --- |
| 129474 | Duplicate Browser Window for External Browser Authentication: For Clients that use the external browser, when adding a new user with MFA, the Client occasionally opens a duplicate browser window. After entering credentials, users would then need to click Open Browser again to complete the MFA process. | High |
| 107091 | Occasional Issues with Sending Logs: In certain cases, the Client fails to Send Logs and instead shows an error message. The logs aren’t shared with Support. Workaround: Save logs locally with Save to Device and then send the log file to Support. | Low |

macOS Client v5.8

Starting March 24, 2025, we are rolling out macOS Client version 5.8.5. This version includes:

  • Support for the following DEM enhancements:

    • Underlay Performance Monitoring in Socket Last Mile: Identify and diagnose out-of-tunnel issues that could impact last-mile performance

    • Group Multiple Devices: DEM hardware metrics are now grouped by device name, helping you easily understand the performance of each device when there are multiple devices for the same user

    • Support for Different LAN Gateways: LAN gateway probes are now grouped by LAN gateway IP, letting you easily understand the performance of each LAN gateway when different gateways are present at different timeframes

  • Record Client Issues: An additional troubleshooting tool that lets users record and then reproduce an issue that occurred with the Client. The traffic capture and log files can be uploaded to Support for further analysis.

    • This feature and the existing ability to send logs to Support are available on the new Support tab in the Client

  • Updated OPSWAT OESIS Framework: We updated the OPSWAT OESIS framework used by the Client to version 4.3.3685

  • Critical bug fixes for Device Posture to support macOS v15.2 (Sequoia)

    • Cato discovered issues when using earlier versions of the macOS Client on Sequoia while using Device Posture

      • Upgrade your macOS Client to v5.8.5 before upgrading your device to Sequoia

      • If you have already upgraded your OS version to macOS Sequoia, contact Customer Support to get the Client v5.8.5 release

  • macOS Client v5.8 includes a security patch that fixes CVE-2025-3886

  • Bug fixes and enhancements

macOS Client v5.7

From July 14, 2024, we are starting the rollout of macOS Client version 5.7. This version contains:

  • IPv6 Support for Last Mile Connection: Users can connect remotely over ISPs that provide last-mile IPv6-only connections. Both IPv6 and IPv4 connections are now supported.

  • User Notifications for CASB and DLP: The device displays a notification to the user when their activity is blocked by App Control or Data Control rules. This educates the user about which app was blocked and why.

  • End User Feedback: To help us continually improve our remote access, users can now provide feedback to Cato from within the Client.

    • Every few months, users are prompted to give a rating and comments

    • Users can also manually provide feedback at any time

  • End of Support for Big Sur: Devices running Big Sur (macOS 11) are no longer supported by the macOS Client

  • New Cato Root Certificate: We added a new root certificate that is automatically installed on the device with the Cato Client.

    • The new certificate is called Cato Networks Root CA and expires in March 2034.

    • The previous certificate is from 2015 and is called Cato Networks CA. It will expire in Oct 2025.

  • Bug fix:

    • If a login attempt failed, in some cases users were unable to connect to the network

macOS Client v5.6

The gradual rollout of macOS Client version 5.6 started on the week of Apr. 15th, 2024. This version contains:

  • Device Posture Check for Disk Encryption: You can now include a check for Disk Encryption within your Device Posture Profiles. The Device Posture Profile can be included in your Client Connectivity and Security policies

  • Updated Client Tray Icon: We improved how the Client’s tray icon indicates a connected or disconnected status

  • New Indication of System Notification Status: On the Settings page, we added the status of System Notifications and improved the messaging to highlight their importance

  • Bug fixes and stability improvements

Known Limitations for macOS Client 5.7

This section lists known limitations that apply to macOS Client version 5.7:

As a result of these limitations, we do not recommend installing macOS Sequoia (version 15) on devices running Client version 5.7 and lower.

  • On macOS Sequoia (version 15), on the Settings page of the Client, if you click Download logs, the logs are not downloaded

  • On macOS Sequoia (version 15), after connecting and minimizing the Client, it cannot be opened

Known Limitations for macOS Client v5.5

This section lists known limitations that apply to all macOS Clients version 5.5 and higher.

  • On devices running macOS Sonoma (v14), start minimized is not supported. If Always-On is enabled the Client opens after the device boots.

Known Limitations for macOS Client 5.4

This section lists known limitations that apply to all the macOS Clients version 5. and higher.

  • If you downgrade the Client to v5.3, it may become unresponsive. To resolve this issue, restart the Client from the Application folder or Launchpad.

  • If you downgrade the Client to v5.3, users other than the last connected user are removed

  • With Always-On enabled, after a device wakes up or connects to a network, if Zoom is installed on the device, the Zoom app may open a pop up with a connection error. To resolve this issue, restart Zoom.

  • If you manually install the VPN Profile and have Device Certificate checks included in the Device Posture Profile, a pop up is displayed requesting the keychain password.

  • If you upgrade the Client with an MDM, pop ups are sometimes displayed requesting permission to allow the installation of system extensions and the VPN configuration.

    To prevent this issue, you can first distribute the permissions for DMG extension and the VPN payload, then distribute the Clients to the macOS hosts.

  • Connecting to Cato is only supported from within the Client. Connecting from System Preferences > Network (or from macOS Ventura System Settings > VPN) on the device is not supported.

Known Limitations for macOS Client v5.3

This section lists known limitations that apply to all macOS Clients version 5.3 and higher.

  • After a device wakes up from sleep, the Client may incorrectly show a message that the upgrade failed. No action is required. A few minutes after the message is closed, the Client automatically attempts to upgrade again.

  • SDP users cannot disable office mode.

Known Limitations for macOS Client v5.0 and Higher

This section lists known limitations that apply to all macOS Clients version 5.0 and higher.

  • When a macOS device enters sleep mode, the Cato Client may disconnect from the VPN after a few minutes of inactivity. This behavior affects background connectivity and may interrupt services that rely on persistent VPN access. 

    • This can impact apps, such as if the macOS device receives an incoming Microsoft Teams call while the device is in sleep mode and the Cato Client is disconnected. The Teams call may disconnect when the Client automatically reconnects to the network.

  • This Client version uses the 85.255.31.1 IP address as part of the infrastructure to support Single Sign-On (SSO)

    • Make sure that this IP address is NOT blocked by any third-party anti-malware software

  • For accounts that use Azure Conditional Access, please set the Browser Authentication to External Browser (Access > Client Access > Authentication). For more information about Browser Authentication, see Configuring the Authentication Policy for Cato Clients

  • For macOS devices with the Symantec Web Security Service (WSS) agent installed, we do not currently support installing the WSS agent and the macOS Client on the same device

  • Uploading a local split-tunnel file to the Client is not supported. You can use the global split-tunnel settings in the Cato Management Application

  • For OneLogin SSO, we recommend that you use the internal in-Client browser. When Browser Authentication is set to External Browser, if the browser window or tab is closed, the end-user can't authenticate to OneLogin

  • In some cases, this version might experience problems with these configurations:

    • Azure Conditional Access

    • Proxy configuration

    • For accounts that use a third-party proxy, make sure to whitelist the following items (for both HTTP and HTTPS):

      • IP address - 85.255.31.1

      • URL - sso.ias.catonetworks.com


3 comments

  • Comment author
    Yaakov Simon

    Updated macOS Client v5.7 to include new Cato root certificate

  • Comment author
    Yaron Libman

    Updated that macOS Client v5.8 includes a security patch that fixes CVE-2025-3886

  • Comment author
    Rafal Czekala

    There are known limitations for macOS Client 5.10 - it is not supporting macOS 26.0.0 version yet.