Summary of Cato macOS Client Releases

This article summarizes features, enhancements, and bug fixes of macOS Clients.

In addition, it also lists the known limitations.

Admins and users can easily download the Client from the Client download portal without requiring authentication.

For more information about the requirements to implement Cato's remote access in your organization, see Installing the Cato Client.

macOS Client v5.7

From July 14, 2024, we are starting the rollout of macOS Client version 5.7. This version contains:

  • IPv6 Support for Last Mile Connection: Users can connect remotely over ISPs that provide last-mile IPv6-only connections. Both IPv6 and IPv4 connections are now supported.

  • User Notifications for CASB and DLP: The device displays a notification to the user when their activity is blocked by App Control or Data Control rules. This educates the user about which app was blocked and why.

  • End User Feedback: To help us continually improve our remote access, users can now provide feedback to Cato from within the Client.

    • Every few months, users are prompted to give a rating and comments

    • Users can also manually provide feedback at any time

  • End of Support for Big Sur: Devices running Big Sur (macOS 11) are no longer supported by the macOS Client

  • New Cato Root Certificate: We added a new root certificate that is automatically installed on the device with the Cato Client.

    • The new certificate is called Cato Networks Root CA and expires in March 2034.

    • The previous certificate is from 2015 and is called Cato Networks CA. It will expire in Oct 2025.

  • Bug fix:

    • If a login attempt failed, in some cases users were unable to connect to the network

macOS Client v5.6

The gradual rollout of macOS Client version 5.6 started on the week of Apr. 15th, 2024. This version contains:

  • Device Posture Check for Disk Encryption: You can now include a check for Disk Encryption within your Device Posture Profiles. The Device Posture Profile can be included in your Client Connectivity and Security policies

  • Updated Client Tray Icon: We improved how the Client’s tray icon indicates a connected or disconnected status

  • New Indication of System Notification Status: On the Settings page, we added the status of System Notifications and improved the messaging to highlight their importance

  • Bug fixes and stability improvements

macOS Client v5.5

The gradual rollout of macOS Client version 5.5 started on the week of Jan. 8th, 2024. This version contains:

  • Always-On Enhancements: We are introducing new features that ensure Always-On can be used while maintaining business continuity:

    • New Bypass Mode for Always-On: Users can temporarily access the Internet without waiting for admin approval. Users provide a reason in the Client and Always-On can be temporarily bypassed and the Client can disconnect

    • Always-On Recovery Mode: Users can access the Internet if a connection to the Cato Cloud is unavailable. For example, if a Captive Portal prevents the Client connecting to Cato Cloud, users can still access the Internet, bypassing Cato security

  • Improvements to Device Posture Checks: The new version supports a new device posture check and enhances the Anti-Malware check:

    • New DLP Device Posture Check: You can now include a check for DLP within your Device Posture Profiles. The Device Posture Profile can be included in your Client Connectivity and security policies

    • Real Time Protection for Anti-Malware Device Check: Connected devices are continuously verified to ensure they meet the requirements of the Anti-Malware Device Check

  • Support for macOS Sonoma: The Client now supports macOS Sonoma (macOS 14)

  • Stability Improvements: The new Client version provides users with increased network stability. Key improvements include:

    • Resiliency during network changes

    • Authentication after device wakes up

    • Optimizing time-to-connect

macOS Client v5.4.2

On Oct. 8th, 2023, we are starting the rollout for macOS Client version 5.4.3. This version contains:

  • Device Posture Check Improves Security Posture: You can now include a check for DLP within your Device Posture Profiles. The Device Posture Profile can be included in your Client Connectivity and security policies.

  • Stability fixes and security enhancements including:

    • Resolved issue that caused the device certificate check to fail after upgrading from version 5.3 to 5.4

    • Resolved issue that caused the Client to be unresponsive after collecting logs if the device clock was not configured to 24 hours format

    • Hardened the Client upgrade mechanism to protect the upgrade components

macOS Client v5.4

Starting on June 14, 2023, we started the rollout for the gradual upgrade for macOS Client version v5.4. There is a delay to the date previously announced. These are the features and enhancements for this version:

  • New Device Posture Check for Device Certificates Provides Increased Security: You can now include a check for a device certificate within your Device Posture Profiles. The Device Posture Profile can be included in your Client Connectivity and security policies. This check:

    • Improves Device Authentication by ensuring the SDP users or user groups in the rulebased policy have the required certificate before connecting to your network

    • Lets you define stricter Device Posture requirements in your Firewall policies to access corporate resources

  • Always-On Now Supports Temporarily Bypassing the Cato Network: SDP users with Always-On can temporarily bypass Cato security and access the Internet by entering a bypass code in the macOS Client (the same experience as bypass code for the Windows Client).

  • End of Life for macOS Catalina: Following Apple's announcement that Catalina (version 10.15) is declared end of life, the macOS Client no longer supports this version

  • Bug fixes:

    • Improved reconnect after a device wakes up from sleep mode with Always On

    • Re-authentication with external browser opens single browser tab

    • Improved Client connectivity when downloading or transferring large files

    • SDP users can disable office mode

macOS Client v5.3

The rollout for the gradual upgrade for macOS Client version 5.3 started on February 19th, 2022, and includes:

  • Improved upgrade experience: SDP users are no longer required authenticate to the macOS during the upgrade

  • Automated certificate distribution: Admins no longer need to manually distribute the Cato certificate for TLS Inspection, the Client automatically installs it on the macOS device (similar to the Windows Client)

  • Performance improvements for macOS devices with the native Apple CPU chips

macOS Client v5.2

The rollout for the gradual upgrade for macOS Client version 5.2 started on November 13th, 2022, and includes:

  • Enhanced Reauthentication Experience: A notification lets users know that the SSO or MFA session will soon expire, and allows them to seamlessly reauthenticate. Read more.

  • Status Bar Icon: Users can easily connect, disconnect, quit, and open the Client right from the status bar of macOS devices.

  • Security fixes and enhancements

  • Resiliency enhancements

  • For SDP users upgrading from v5.x to v5.2, a macOS limitation requires rebooting the device after upgrading the Client to v5.2

macOS Client v5.1

macOS Client version 5.1 was uploaded to the User Portal on July 25th, 2022, and includes:

  • For Single Sign-On (SSO) - Using the external browser to authenticate with the IdP. Read more.

  • Enhancements:

    • Improved overall stability and connectivity to the Cato Cloud

    • Enriched user notifications

    • Improved connectivity when switching networks

  • Bug Fixes:

    • Resolved bugs in the SSO authentication flow

  • For known limitations for this version, see details below.

macOS Client v5.0

macOS Client version 5.0 was uploaded to the User Portal on March 21st, 2022, and includes:

  • SDP Users Can Enjoy SSO Simplicity and with Security of Always-On: Cato Clients now support the ability to authenticate with Single Sign-On (SSO) and at same time the Client Access Connectivity policy is set to Always-On. Read more.

    • You can configure SSO and Always-On for the entire account or for specific SDP users

  • Improved SDP User Experience with Browser Authentication: We updated the Authentication (Access > Client Access > Authentication) screen so you can select the Browser Authentication experience for your Client users and use the in-Client browser or the external default OS browser. Read more.

  • Initial installation of v5.0 requires that you deploy it on all the macOS devices, available either with a PKG file or using an MDM.

    • macOS Client Version 4.5 is only available from the App Store (if it’s necessary to rollback to this version, install from the App Store)

  • Supports Managed Upgrades with an MDM.

  • Enhancements:

    • The capability for SDP users to directly download the macOS Client PKG file for version 5.0 from a new portal

  • For known limitations for this version, see details below.

Known Limitations for macOS Client 5.4

This section lists known limitations that apply to all the macOS Clients version 5.4 and higher.

  • If you downgrade the Client to v5.3, it may become unresponsive. To resolve this issue, restart the Client from the Application folder or Launchpad.

  • If you downgrade the Client to v5.3, users other than the last connected user are removed

  • With Always-On enabled, after a device wakes up or connects to a network, if Zoom is installed on the device, the Zoom app may open a pop up with a connection error. To resolve this issue, restart Zoom.

  • If you manually install the VPN Profile and have Device Certificate checks included in the Device Posture Profile, a pop up is displayed requesting the keychain password.

  • If you upgrade the Client with an MDM, pop ups are sometimes displayed requesting permission to allow the installation of system extensions and the VPN configuration.

    To prevent this issue, you can first distribute the permissions for DMG extension and the VPN payload, then distribute the Clients to the macOS hosts.

  • Connecting to Cato is only supported from within the Client.  Connecting from System Preferences > Network (or from macOS Ventura System Settings > VPN) on the device is not supported.

Known Limitations for macOS Client v5.5

This section lists known limitations that apply to all the macOS Clients version 5.5 and higher.

  • On devices running macOS Sonoma (v14), start minimized is not supported. If Always-On is enabled the Client opens after the device boots.

Known Limitations for macOS Client v5.3

This section lists known limitations that apply to all the macOS Clients version 5.3 and higher.

  • After a device wakes up from sleep, the Client may accidentally show a message that the upgrade failed. No action is required, a few minutes after closing the message the Client automatically attempts to upgrade again.

  • SDP users cannot disable office mode.

Known Limitations for macOS Client v5.0 and Higher

This section lists known limitations that apply to all the macOS Clients version 5.0 and higher.

  • This Client version uses the 85.255.31.1 IP address as part of the infrastructure to support Single Sign-On (SSO)

    • Make sure that this IP address is NOT blocked by any third-party anti-malware software

  • For accounts that use Azure Conditional Access, please set the Browser Authentication to External Browser (Access > Client Access > Authentication) For more information about Browser Authentication, see Configuring the Authentication Policy for Cato Clients

  • For macOS devices with the Symantec Web Security Service (WSS) agent installed, we do not currently support installing the WSS agent and the macOS Client on the same device

  • Uploading a local split-tunnel file to the Client is not supported. You can use the global split-tunnel settings in the Cato Management Application

  • For OneLogin SSO, we recommend that you use the internal in-Client browser. When Browser Authentication is set to External Browser, if the browser window or tab is closed, the end-user can't authenticate to OneLogin

  • In some cases, this version might experience problems with these configurations:

    • Azure Conditional Access

    • Proxy configuration

    • For accounts that use a third-party proxy, make sure to whitelist the following items (for both HTTP and HTTPS):

      • IP address - 85.255.31.1

      • URL - sso.ias.catonetworks.com

Was this article helpful?

0 out of 0 found this helpful

1 comment

  • Comment author
    Yaakov Simon

    Updated macOS Client v5.7 to include new Cato root certificate

Add your comment