Preparing to Install the Cato Client

The Cato Client is proprietary software that extends Cato's network and security capabilities to remote users in any location. This article lists the prerequisites and explains how to install the Client.

Overview

The Cato Client can identify and authenticate users, enforce your network rules, and inspect remote traffic based on security policies. To ensure your users benefit from these features, the Cato Client must be installed on their device. Before you install the Client on any device, ensure that the prerequisites are met and the required processes and URLs are added to the allowlists of your security software. You can then download the Client and install it on an individual device or distribute it with an MDM.

After you install the Client on a device, you can configure features and policies to meet your requirements. Users can authenticate and securely connect to your network. For more information on the Client Connection process, see Understanding the Cato Client Connection Flow.

Prerequisites for Installing the Cato Client

Before the Client is installed on a device, ensure the following prerequisites are met:

Install the Client on a device running a supported operating system.
IP routing should be disabled before installing the Cato Client and enabled after the installation completes.
The Cato CA certificate is installed on the device or computer
- For Windows Clients, the Cato certificate is automatically added to the Windows certificate store and supports the Chrome and Edge browsers
  
  You can manually install the Cato certificate for other browsers (such as Firefox), or use an MDM to install it with the browser, see Installing the Cato Certificate on Windows Devices
- For macOS Clients, for organizations that use an MDM, the Cato certificate is automatically installed as part of the CA keychain
  
  Otherwise, the SDP user manually installs the Cato certificate. For more information, see Installing the Cato Certificate on macOS Devices.
- For iOS and Android Clients, the SDP user manually installs the Client or use an MDM to install the certificate with the Client. For more information, see Installing the Cato Certificate on iOS Devices or Installing the Cato Certificate on Android Devices.
- The Cato certificate and Client installation files can be downloaded from:
  - The Client download portal in CER format
  - The Security > Certificate Management page in PEM and DER format
Internet browser requirements:
- Use an Internet browser that supports SSL (such as Chrome or Edge)
- For external authentication, make sure that a default browser is configured in the device OS settings
A PPPoE connection is not used. PPPoE is not supported
For iOS, Android, and Linux Clients, we recommend that you disable IPv6 on all physical adapters
- IPv6 is supported for Last Mile Connections on Windows Client v5.11 and higher and macOS Client v5.7 and higher
Make sure that the IP addresses for PoPs in the Cato Cloud are allowlisted on any firewalls or similar devices

For a list of the PoP IP ranges, see: Production PoP Guide
The Client uses cipher suites to establish a DTLS handshake with the Cato Cloud. Ensure the device uses one of the cipher suites that Cato supports.
On Windows devices, IP forwarding is disabled. For more information, see IP Routing Prevents Windows Client Authentication
On macOS devices:
- Full Disk Access permission
- No other enterprise VPN is running on the device
If Bandwidth Management is used in your account, we recommend that you give the IP address 10.254.254.1 at least the same priority as any other address you have added
To receive user notifications, notifications must be enabled on the device. For more information, see Creating the Data Control Policy and Managing the Application Control Policy
Review the Known Limitations of the Client version. For more information, see Summary of Cato Client Releases

Allowlisting Processes and URLs for the Cato Client

For more information about processes and URLs to allowlist for all security endpoint software and solutions, see Allowlisting Processes and URLs for the Cato Client.

Minimum Supported Device Operating Systems

The following sections show the operating systems on which you install the Cato Client.

Note

Notes:

Any Client version that is not listed as supported is considered End of Support
The Client does not support operating systems that vendors have declared EoL (End of Life).
Android EoL is based on the date from which Google no longer provides security updates or patches for a version.

Microsoft Windows

The following table shows which Microsoft Windows versions support which versions of the Cato Client. For instructions on installing the Cato Client for Windows, see Installing the Windows Client.

Operating System	Minimum Supported Client Version
Windows 11	v5.11 and higher
Windows 10 32-bit Windows 10 64-bit	v5.11 and higher
Windows 8.1 32-bit Windows 8.1 64-bit	v5.11 and higher
Windows Server 2016 Windows Server 2019 Windows Server 2022	v5.10 and higher

macOS

The following table shows which macOS versions support which versions of the Cato Client. For instructions on installing the Cato Client for macOS, see Installing the macOS Client.

Operating System	Cato Client Version
macOS Tahoe (version 26)	v5.10.4 and higher
macOS Sequoia (version 15)	v5.8 and higher
macOS (Ventura) software version 13.3	v5.9 and higher
macOS (Monterey) software version 12	v5.7 and v5.8
macOS (Big Sur) software version 11	v5.6

iOS and iPadOS

The following table shows which iOS versions support which versions of the Cato Client. For instructions on installing the Cato Client for iOS, see Installing the iOS and Android Clients.

Operating System	Cato Client Version
iOS 16.0 and higher	v5.2 and higher
iPadOS 15.0 and higher	v5.2 and higher

Android and Chromebook

The following table shows which Android and Chromebook versions support which versions of the Cato Client. For instructions on installing the Cato Client for iOS, see Installing the iOS and Android Clients.

Operating System	Cato Client Version
Android version 8.1 and higher	v5.2 and higher
Chromebook (all versions)	v5.2 and higher

Linux

The following table shows which Linux flavors and versions support which versions of the Cato Client. For instructions on installing the Cato Client for Linux, see Installing the Linux Client.

Linux Clients are supported for 64-bit OS (X86_64)

Operating System	Cato Client Version
Ubuntu v18 and higher (There is a different Client for each Ubuntu OS version)	v5.2 and higher
CentOS v9 and higher	v5.2 and higher
Fedora v36 and higher	v5.2 and higher
Debian v11 and higher	v5.2 and higher
Mint v20.3 and higher	v5.2 and higher
RHEL v8.0 and higher	v5.2 and higher
Any systems running glibc 2.31 and higher	v5.2 and higher

Understanding the Next Steps After Installing the Client

Once the Client is installed on a device, you can configure features and policies to meet your secure remote access requirements. The Client enforces the features configured in the Cato Management Application. This lets you simply manage and enforce your requirements and ensure the protection of your network.

Understanding Key Client Features and Policies

Here are some key features we recommend you enable. For more information about all the Client features, see the Access documentation.

User Awareness: Identify the user signed into the device at any point in time to control user access, and monitor user activity
Client Connectivity Policy: To check the posture of devices before they connect to the network
Always-On Policy: To ensure all traffic always goes through the Cato Cloud and Cato security engines inspect the traffic to ensure it complies with your security policies

Analyzing Client Events

You view and analyze data from users connecting with the Client from the Remote User Dashboard.

14 comments

Yaakov Simon
- February 22, 2022 09:32
Added details for the allowlist requirements to install the Client
Yaakov Simon
- April 25, 2022 11:35
Removed incorrect limitation for connecting over PPPoE
Yaakov Simon
- June 19, 2022 13:36
Added limitation for Intel Killer wireless NIC for Windows Clients v4.7 and higher
Yaakov Simon
- July 14, 2022 19:14
Added Minimum Supported Device Operating Systems to this article
Sarah Schulefand
- September 18, 2022 14:14
Added minimum supported device OS for Android Client (v5.0 and higher)
Yaakov Simon
- October 31, 2022 14:41
Added information about the Cato certificate automatically installed for Windows and macOS Clients
Yaakov Simon
- January 31, 2023 14:24
For Windows v5.6, added Automatically Launching Windows SDP Client after Initial Installation (v5.6 and Higher)
Michael Goldberg
- Edited February 08, 2023 13:01
Updated after end of life for Windows and macOS Clients earlier than v5.0
Aiman Almesbahi
- March 28, 2024 16:14
how to install a cato certificate for wifi guests? is there an automatic way?
Dan Pride
- July 24, 2024 20:25
Is there a method to auto connect the client after install? I see you can run the program after install, but you still need to hit the connect button manually.
Michael Goldberg
- July 25, 2024 12:15
Hi Dan Pride,
Yes there is - with the Always-On policy you can define rules for when users or User groups always connect with the Client to the Cato Cloud. Depending on your use case, you can also auto connect the Client to provide users with secured remote Internet access after one time authentication.
Yaron Libman
- May 20, 2025 12:37
Added the URL https://network-segmentation.catonetworks.com/ to Allowlisting Processes and URLs for the Cato Client under All Devices
Yaron Libman
- June 04, 2025 06:55
Added the URL http://www.appleiphonecell.com/ to Allowlisting Processes and URLs for the Cato Client under All Devices
Yaron Libman
- October 12, 2025 10:56
Added the URL https://clients.cdn.catonetworks.com/ to Allowlisting Processes and URLs for the Cato Client under All Devices