
[enhancement]: Add support for macOS 26.x (Tahoe) on Azure Pipelines self-hosted agents #5434

@andrew-night

Description
Our organization’s information security policy requires all Macs (developer workstations and build agents) to run macOS 26.x (Tahoe). Apple has publicly released macOS Tahoe 26.2 (Dec 2025) and documents it on Apple Support. However, Azure Pipelines 4.x agent documentation lists support only up to macOS 15 (Sequoia), and our agents on Tahoe consistently hang during job execution with the “We stopped hearing from agent” error even though they appear online.

Apple: “How to upgrade to macOS Tahoe 26” (Published Dec 5, 2025) and “macOS Tahoe 26.2 Update Released” (Dec 12, 2025) confirm Tahoe 26.x is GA.
Sources: Apple Support; OS X Daily coverage.

https://support.apple.com/en-us/122727
https://osxdaily.com/2025/12/12/macos-tahoe-26-2-update-released-for-mac/

Azure DevOps agent docs list supported macOS as 13/14/15 (Ventura/Sonoma/Sequoia), with no mention of 26/Tahoe.
Sources: Microsoft Learn (macOS agent), Agent v4 support matrix.

https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/osx-agent?view=azure-devops
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/v4-agent?view=azure-devops

Business impact

Compliance: We must run the latest macOS per policy; downgrading to 15.x is not permitted.
Toolchain: We are migrating to .NET 10 and the latest Xcode; these are aligned with Tahoe and not guaranteed on older macOS images.
Availability: Self-hosted agents on Tahoe show “online” but jobs hang/abandon, causing significant build delays and failed releases.
Workarounds: Microsoft-hosted macOS (Sonoma/Sequoia) agents are a temporary stopgap but don’t meet our self-hosted requirements (local caches, custom signing, entitlements).

Technical details

Agent version: v4.266.2 (ARM64)
Machine: Apple Silicon (Mac mini)
OS: ProductVersion: 26.2 / BuildVersion: 25C56
Kernel: Darwin 25.2.0 … RELEASE_ARM64_T6020
Symptoms: Agent appears online; after a job is dispatched, it stalls at Initialize job and eventually errors with:
##[error]We stopped hearing from agent .
Verify the agent machine is running and has a healthy network connection…

Logs: Listener acquires OAuth token successfully after initial 401 challenge; feature flag calls return 200. Stalls appear when transitioning to worker/session stage (heartbeat likely impacted or worker startup fails).

Requested work

Add official support for macOS 26.x (Tahoe) in Azure Pipelines self-hosted agents:

Validate agent listener/worker on Darwin 25.x.
Verify TLS/Keychain interactions and heartbeat timing on Tahoe.
Confirm compatibility with latest Xcode and .NET 10 workloads commonly used in CI.

Publish timeline & documentation:

Update Microsoft Learn pages to include macOS 26.x in supported OS lists (both agent setup and 4.x agent matrix).
Provide any required knobs or configuration changes (e.g., sandboxing allowances, launchd service guidelines).

Pre-release build (if feasible):

Provide a pre‑release agent package tagged for Tahoe so early adopters can validate while formal support is being finalized.

Why this matters (industry context)

Apple’s Tahoe 26.x is the mainstream, security‑patched macOS as of Dec 2025; many enterprises require the latest OS for compliance and SOC hardening.
Sources: Apple Support; OS X Daily release coverage.

https://support.apple.com/en-us/122727
https://osxdaily.com/2025/12/12/macos-tahoe-26-2-update-released-for-mac/

Current Azure DevOps agent docs cap support at macOS 15, creating a compliance gap and operational friction for customers on Tahoe.
Sources: Microsoft Learn.

https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/osx-agent?view=azure-devops
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/v4-agent?view=azure-devops

Attachments (available upon request)

diag/Agent.log and diag/Worker.log around job abandonment
Network diagnostic output (curl to dev.azure.com and vssps.dev.azure.com)
Minimal pipeline YAML used to isolate heartbeat vs. worker startup
