The following changes were made to Apple's TLS requirements:
Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
Removes trust from certificates that use RSA key sizes smaller than 2048 across all TLS connections.
Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0.
Authentication based on client certificates requires the server to support TLS 1.2 with cipher suites that are compatible with forward secrecy.
Note: If the SSL/TLS Service Profile for the GlobalProtect Portal and Gateway support a maximum TLS version of 1.1, then either an iOS 11 nor a Mac OS X 10.13 system will succeed in establishing a connection. Once the configuration is committed with the maximum version set to 1.2 or to "max:, then the GlobalProtect agent will succeed.
Excerpt from Apple's article discussing this:
Changes coming with iOS 11
Security
iOS 11, tvOS 11, and macOS High Sierra include the following changes to TLS connections:
Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0.
Changes coming with macOS High Sierra
Security
macOS High Sierra, tvOS 11, and iOS 11 include the following changes to TLS connections:
Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0.
Note: For the updated requirements regarding Apple's TLS requirements beginning in iOS 13 and macOS 10.15, please refer to the following external link: