Cato Networks Knowledge Base

Summary of Cato macOS Client Releases

  • Updated

This article summarizes features, enhancements, bug fixes, and known limitations of macOS Clients from version 5.4 to 5.0. 

Admins and SDP users can easily download the Client from the Client download portal without requiring authentication.

For more information about the requirements to implement Cato's remote access in your organization, see Installing the Cato Client.

macOS Client v5.4

We are starting the gradual rollout of macOS Client v5.4 starting the week of July 23rd, 2023. These are the features and enhancements for this version:

  • New Device Posture Check for Device Certificates Provides Increased Security: You can now include a check for a device certificate within your Device Posture Profiles. The Device Posture Profile can be included in your Client Connectivity and security policies. This check:

    • Improves Device Authentication by ensuring the SDP users or user groups in the rulebased policy have the required certificate before connecting to your network

    • Lets you define stricter Device Posture requirements in your Firewall policies to access corporate resources

  • Always-On Now Supports Temporarily Bypassing the Cato Network: SDP users with Always-On can temporarily bypass Cato security and access the Internet by entering a bypass code in the macOS Client (the same experience as bypass code for the Windows Client)

  • Enhanced Client PoP Selection: We improved the PoP selection process to better consider multiple factors including geography and availability. The Client now more accurately selects the best PoP to connect to.

  • End of Life for macOS Catalina: Following Apple's announcement that Catalina (version 10.15) is declared end of life, the macOS Client no longer supports this version

  • Bug fixes:

    • Improved reconnect after a device wakes up from sleep mode with Always On

    • Re-authentication with external browser opens single browser tab

    • Improved Client connectivity when downloading or transferring large files

    • SDP users can disable office mode

  • For known limitations for this version, see details below.

macOS Client v5.3

The rollout for the gradual upgrade for macOS Client version 5.3 started on February 19th, 2022, and includes:

  • Improved upgrade experience: SDP users are no longer required authenticate to the macOS during the upgrade

  • Automated certificate distribution: Admins no longer need to manually distribute the Cato certificate for TLS Inspection, the Client automatically installs it on the macOS device (similar to the Windows Client)

  • Performance improvements for macOS devices with the native Apple CPU chips

macOS Client v5.2

The rollout for the gradual upgrade for macOS Client version 5.2 started on November 13th, 2022, and includes:

  • Enhanced Reauthentication Experience: A notification lets users know that the SSO or MFA session will soon expire, and allows them to seamlessly reauthenticate. Read more.

  • Status Bar Icon: Users can easily connect, disconnect, quit, and open the Client right from the status bar of macOS devices.

  • Security fixes and enhancements

  • Resiliency enhancements

  • For SDP users upgrading from v5.x to v5.2, a macOS limitation requires rebooting the device after upgrading the Client to v5.2

macOS Client v5.1

macOS Client version 5.1 was uploaded to the User Portal on July 25th, 2022, and includes:

  • For Single Sign-On (SSO) - Using the external browser to authenticate with the IdP. Read more.

  • Enhancements:

    • Improved overall stability and connectivity to the Cato Cloud

    • Enriched user notifications

    • Improved connectivity when switching networks

  • Bug Fixes:

    • Resolved bugs in the SSO authentication flow

  • For known limitations for this version, see details below.

macOS Client v5.0

macOS Client version 5.0 was uploaded to the User Portal on March 21st, 2022, and includes:

  • SDP Users Can Enjoy SSO Simplicity and with Security of Always-On: Cato Clients now support the ability to authenticate with Single Sign-On (SSO) and at same time the Client Access Connectivity policy is set to Always-On. Read more.

    • You can configure SSO and Always-On for the entire account or for specific SDP users

  • Improved SDP User Experience with Browser Authentication: We updated the Authentication (Access > Client Access > Authentication) screen so you can select the Browser Authentication experience for your Client users and use the in-Client browser or the external default OS browser. Read more.

  • Initial installation of v5.0 requires that you deploy it on all the macOS devices, available either with a PKG file or using an MDM.

    • macOS Client Version 4.5 is only available from the App Store (if it’s necessary to rollback to this version, install from the App Store)

  • Supports Managed Upgrades with an MDM.

  • Enhancements:

    • The capability for SDP users to directly download the macOS Client PKG file for version 5.0 from a new portal

  • For known limitations for this version, see details below.


Known Limitations for macOS Client v5.4

This section lists known limitations that apply to all the macOS Clients version 5.4 and higher.

  • If you downgrade the Client to v5.3, it may become unresponsive. To resolve this issue, restart the Client from the Application folder or Launchpad

  • If you downgrade the Client to v5.3, users other than the last connected user are removed
  • With Always-On enabled, after a device wakes up or connects to a network, if Zoom is installed on the device, the Zoom app may open a pop up with a connection error. To resolve this issue, restart Zoom

  • If you manually install the VPN Profile and have Device Certificate checks included in the Device Posture Profile, a pop up is displayed requesting the keychain password

  • If you upgrade the Client with an MDM, pop ups are sometimes displayed requesting permission to allow the installation of system extensions and the VPN configuration

  • If you upgrade the Client manually, pop ups are sometimes displayed requesting permission to install the Client
    To prevent this issue, you can first distribute the permissions for DMG extension and the VPN payload, then distribute the Clients to the macOS hosts

  • Connecting to Cato is only supported from within the Client.  Connecting from System Preferences > Network (or from macOS Ventura System Settings > VPN) on the device is not supported 

  • If an Anti-Malware Device Check with real time protection enabled is configured to check for the following vendors and products, the Device Check fails and the Client is unable to connect to the Network. To continue to check for these Anti-Malware vendors and products, disable real time protection.
      • AVG AntiVirus
      • Apex One (Mac) Security Agent
      • Avast Business Antivirus
      • Avast Mac Security
      • Comodo Antivirus for Mac
      • Cortex XDR
      • CrowdStrike Falcon
      • ESET Cyber Security Pro, Cyber Security, Endpoint Antivirus, NOD32 Antivirus
      • MacKeeper
      • Sentinel Agent
      • System Center Endpoint Protection for Mac
      • Traps
      • Trend Micro Security, Deep Security Agent, Internet Security, VirusBuster

Known Limitations for macOS Client v5.3

This section lists known limitations that apply to all the macOS Clients version 5.3 and higher.

  • After a device wakes up from sleep, the Client may accidentally show a message that the upgrade failed. No action is required, a few minutes after closing the message the Client automatically attempts to upgrade again.
    This issue is resolved in version 5.4.

  • SDP users cannot disable office mode.
    This issue is resolved in version 5.4.

Known Limitations for macOS Client v5.0 and Higher

This section lists known limitations that apply to all the macOS Clients version 5.0 and higher.

  • This Client version uses the IP address as part of the infrastructure to support Single Sign-On (SSO)

    • Make sure that this IP address is NOT blocked by any third-party anti-malware software

  • For accounts that use Azure Conditional Access, please set the Browser Authentication to External Browser (Access > Client Access > Authentication) For more information about Browser Authentication, see Configuring the Authentication Policy for Cato Clients

  • For macOS devices with the Symantec Web Security Service (WSS) agent installed, we do not currently support installing the WSS agent and the macOS Client on the same device

  • Uploading a local split-tunnel file to the Client is not supported. You can use the global split-tunnel settings in the Cato Management Application

  • For OneLogin SSO, we recommend that you use the internal in-Client browser. When Browser Authentication is set to External Browser, if the browser window or tab is closed, the end-user can't authenticate to OneLogin

  • In some cases, this version might experience problems with these configurations:

    • Azure Conditional Access

    • Proxy configuration

    • For accounts that use a third-party proxy, make sure to whitelist the following items (for both HTTP and HTTPS):

      • IP address -

      • URL -

Was this article helpful?

0 out of 0 found this helpful



Please sign in to leave a comment.