The WWDC23 video on deploying passkeys at work (https://developer.apple.com/videos/play/wwdc2023/10263/?time=633) talks about a Corporate CA Server signing the Identity Certificate for the passkey, which can be further used during registration with the relying party. Where can I find more information on what protocol and specification this Corporate CA should follow here? Is this based on protocols such as SCEP/ACME, or something else? Also, where can I find information on what verification this Corporate Server can follow before signing that Identity Cert?
Search results for "ACME" (78 results found)
The passkey attestation configuration is declared here. The identity (certificate + private key) that gets installed is specified via a Declarative Device Management (DDM) Asset reference. DDM supports multiple types of certificate configurations, including ACME and SCEP. This identity will chain back to an arbitrary certificate on the MDM server. As some examples, this could be a known root certificate managed by the MDM provider and trusted by the corporate CA, or an MDM-owned certificate that was itself provisioned by the corporate CA; the details of this certificate are up to you and your MDM provider. The only requirement for the identity installed on the device is that it supports the ES256 signing algorithm (COSE identifier -7). Everything else about the certificate and how it gets installed is up to you. The attestation you get back is a basic attestation in the packed format, signed by the identity provisioned through DDM. That link specifies the verification algorithm for the attestation. F
Topic: Privacy & Security | SubTopic: General
I have an existing ScrollView view with a Picker. Upon selection of a picker value and the user pressing the details button, I want to append a view to the bottom of the existing view. I call detailsView, but it does not seem to work.

    @Environment(\.managedObjectContext) private var viewContext
    @Environment(\.dismiss) var dismiss
    @Environment(\.presentationMode) var presentationMode
    @Binding var chosenProvider: Provider?
    @State var selectedLocation: Location?
    @State private var vendorNames: [String] = []
    @State private var selectedVendor: String? = nil
    @State private var showingSheet = false
    @State var state: String?
    @State var zip: String?

    var body: some View {
        ScrollView {
            VStack {
                HStack {
                    Text("Select Vendor")
                    Picker("Provider", selection: $selectedVendor, content: {
                        ForEach(vendorNames, id: \.self, content: { name in
                            Text(name)
                        })
                    })
                    .pickerStyle(MenuPickerStyle())
                    .onTapGesture {
                        self.getVendorNames() { providers, status in
                            if (status) {
                                vendorNames = providers
                            }
                        }
                    }
                }
                .onChange(of: selectedVendor, perform: { newVa
Hello, I'm seeing a 100% reproducible issue with macOS keychain when dealing with items protected with kSecAccessControlApplicationPassword. Creating and accessing the item works fine unless the user is running on macOS 12 (Monterey) and the system has been sleeping for at least 15 minutes (based on testing). I've seen the exact same behavior on an iMac and a MacBook (both running on the latest Monterey version). After sleeping for at least 15 minutes, trying to get an existing keychain item will fail with .errSecAuthFailed. From the Console I can see various messages like this:

    default 12:03:11.395081+0100 KeychainAppPasswordDemo LAContext[3506:10] created new cid:88
    default 12:03:11.395231+0100 coreauthd setCredential:5621 type:0 on ContextProxy[398:287:387] rid:829
    default 12:03:11.395261+0100 coreauthd Replacing ACM passphrase credential with purpose 0 on ACMContext 387
    default 12:03:11.395395+0100 KeychainAppPasswordDemo setCredential:5621 type:0 on LAContext[3506:10] cid:89 returned success
    default
Oy. Going over the UI again... target | app-name | build phases | link binary with libraries: 2 of the 3 packages/modules were missing. After adding them I got a clean build and it runs again. But now I remember how I got here in the first place: the SwiftUI preview won't run. I'm signed into my Apple.com account so I have no idea what to do now.

    == PREVIEW UPDATE ERROR:

    PotentialCrashError: Update failed
    RecipeBook may have crashed. Check ~/Library/Logs/DiagnosticReports for any crash logs from your application.
    ==================================
    |  RemoteHumanReadableError
    |
    |  LoadingError: failed to load library at path /Users/acm/Library/Containers/com.logipath.home.recipebook.RecipeBook/Data/Document.1.preview-thunk.dylib: Optional(dlopen(/Users/acm/Library/Containers/com.logipath.home.recipebook.RecipeBook/Data/Document.1.preview-thunk.dylib, 0x0002): tried: '/Users/acm/Library/Developer/Xcode/DerivedData/RecipeBook-bbtjcxbeoiafanbqznopflogglmf/Build/Intermediates.noindex/Pre
Topic: Developer Tools & Services | SubTopic: General
Can the new ACME payload work on macOS 13 seed builds as well? Is there anything that stops an ACME payload for macOS? This will be awesome support for Macs in enterprises with DEP/MDM.
Topic: Business & Education | SubTopic: Device Management | Tags: Device Management, wwdc2022-10143, App Attest
In the macOS 13.1 beta (4) I was able to make it accept an ACME certificate profile. Unfortunately without hardware-bound keys or attestation, so no Managed Device Attestation is possible (yet). Hopefully that follows suit. Linking this issue here for visibility: https://developer.apple.com/forums/thread/719032
Topic: Business & Education | SubTopic: Device Management
Will it be supported (soon)? I'm also testing the ACME certificate payload. Not receiving the attestation payload in the ACME request significantly reduces the utility of the payload. E.g. there's no evidence the key is protected, no assurance this is a known Apple device, etc.
Topic: Business & Education | SubTopic: Device Management
We are testing the ACMECertificate payload in Mac 13.1 beta and getting this error. The same payload, when sent to iOS, works fine. Any help on this would be appreciated. Thanks. FB Raised: FB11736586

    PayloadVersion 1
    PayloadUUID 70e4b45e3c1e
    PayloadType Configuration
    PayloadOrganization NewComp
    PayloadIdentifier 4565353a3a84
    PayloadDisplayName ACME
    PayloadRemovalDisallowed
    PayloadContent
        PayloadVersion 1
        PayloadUUID f84ef110e39b
        PayloadType com.apple.security.acme
        PayloadOrganization NewComp
        PayloadIdentifier f84ef110e39b
        PayloadDisplayName ACME Configuration
        DirectoryURL https://acmeserver/acme/acme/directory
        ClientIdentifier test
        HardwareBound
        KeyType ECSECPrimeRandom
        KeySize 384
        Subject 1.2.840.113549.1.9.1 test@test.com
        SubjectAltName
        KeyUsage 5
        Attest
@maraino Yes, we would be happy to collaborate on this. To summarize, the ACME profile only works (i) if the device attestation is set to True and (ii) if there's no Common Name present in the Subject of the CSR. We get the error below if we provide a CN:

    CSR names do not match identifiers exactly: CSR names = [test], Order names = []

We would like to understand how the Client Identifier will fit into this picture. Apologies for not getting back immediately. Thanks in advance.
Topic: Business & Education | SubTopic: Device Management
Hello All, we are looking to implement the ACME protocol for our organization PKI and, as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time. This is the payload we are using:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>ClientIdentifier</key>
                <string>123123123123123123123</string>
                <key>ExtendedKeyUsage</key>
                <array>
                    <string>1.3.6.1.5.5.7.3.2</string>
Topic: Business & Education | SubTopic: Device Management | Tags: wwdc2022-10143, Device Management, App Attest
The step-ca demo server I was using didn't issue a Client Certificate if Attest is set to false. The ACME payload below is verified to be working in iOS.

    PayloadVersion 1
    PayloadUUID 70e4b45e3c1e
    PayloadType Configuration
    PayloadOrganization NewComp
    PayloadIdentifier 4565353a3a84
    PayloadDisplayName ACME
    PayloadRemovalDisallowed
    PayloadContent
        PayloadVersion 1
        PayloadUUID f84ef110e39b
        PayloadType com.apple.security.acme
        PayloadOrganization NewComp
        PayloadIdentifier f84ef110e39b
        PayloadDisplayName ACME Configuration
        DirectoryURL https://acmeserver/acme/acme/directory
        ClientIdentifier test
        HardwareBound
        KeyType ECSECPrimeRandom
        KeySize 384
        Subject 1.2.840.113549.1.9.1 test@test.com
        SubjectAltName
        KeyUsage 5
        Attest
Topic: Business & Education | SubTopic: Device Management
Hi @MDMiOSDev and @maaino. I'm trying to deploy the profile listed above. The beta returns similar errors; however, the public iOS 16 version returns an internal server error. I found this in the logs:

    Cannot obtain ACME certificate: __NSCFError: Desc : internal server error Domain : NSURLErrorDomain Code : 500

Any ideas?
Topic: Business & Education | SubTopic: Device Management
Hi, we are testing the ACMECertificate payload and noticed that in the device's configuration the key size is displayed as 0. Thanks in advance.
The ACME payload is not currently supported on macOS Ventura. It is supported on iOS and tvOS 16.
Topic: Business & Education | SubTopic: Device Management