Apple is expected to release macOS 27 Golden Gate in September 2026. Before upgrading your managed endpoints, there are a few things to check and prepare on your side. This post covers what you need to do before upgrading your managed endpoints to Golden Gate.

1. Check if your Endpoint Central Server supports macOS 27

If your Endpoint Central server is on build 11.5.2606.01 or above, you're already covered — no server-side changes are needed.
If you're on an older build, upgrade your server before allowing any endpoints to move to Golden Gate. Agents on build 11.5.2605.01 and below were built for Intel and relied on Rosetta to run on Apple Silicon Macs — when macOS 27 automatically uninstalls Rosetta, these agents will stop communicating with the server. The 2606 build ships a Universal agent that runs natively on Apple Silicon with no Rosetta dependency. Once you upgrade your server to 2606.01 or above, agents on managed Macs will automatically upgrade to the Universal build.
How to check if my agents are migrated to the desired build?
Navigate to Agent > Computers. You can see the Agent version for each agent.
If you cannot upgrade the server right now
As a temporary workaround, deploy the script below to affected Macs before upgrading them to macOS 27. This script install as a service, monitors Rosetta status, and automatically reinstalls Rosetta if it gets removed during the OS upgrade — keeping the existing agent operational.
Deploy via Endpoint Central's Custom Script configuration feature. (Deploy Immediately - Recommended)

2. Validate your server's network and security requirements
macOS 27 enforces stricter TLS requirements on all outbound connections from the Mac. For MDM profile delivery — including profile pushes and check-ins — your server must meet Apple's updated security requirements, or profiles will fail to deliver after devices upgrade to Golden Gate. For Endpoint Central agent communication, no additional changes are needed as long as your server OS supports TLS 1.2
Cloud customers: No action needed. The cloud environment already meets Apple's TLS requirements.
On-premises customers must verify that their Endpoint Central server meets all of the following:
TLS 1.2 or higher enabled (TLS 1.3 recommended)
HTTPS enabled for all server communication
Server certificate uses RSA 2048 or ECC 256 with SHA256 hashing
Only strong cipher suites configured (AES 128 / AES 256 with ECDHE/RSA)
Use the validation guide below to test your server before upgrading. It covers two methods — one using a Mac with the nscurl command, and another using an iOS/iPadOS device with sysdiagnose logs. You can also refer to Apple's release notes for the underlying requirements:
Validation Guide: How to validate your server for Apple OS 27 MDM security requirements
Note: Endpoint Central supports TLS 1.2 out of the box. However, if your server is running on Windows Server 2012 or earlier, TLS 1.2 may not be enabled at the OS level. Verify this before upgrading your endpoints to Golden Gate.3. Defer the macOS 27 upgrade until you're ready