Search results for "ACME": 78 results found

Post | Replies | Boosts | Views | Activity

Unable to test ACME payload
Hello All, We are looking to implement the ACME protocol for our organization PKI and as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time. This is the payload we are using: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>ClientIdentifier</key> <string>123123123123123123123</string> <key>ExtendedKeyUsage</key> <array> <string>1.3.6.1.5.5.7.3.2</string&
6
0
2.1k
Sep ’22
Reply to Managed Device Attestation - ACME - Request Authorization
It would be great if the device could attest that it is under management and have an OID for the check-in URL or the APNS topic it is registered against. This might eliminate the ACME server's need to authorize a request against the MDM server or help improve the validation of the request etc. The only properties that could potentially appear in attestations are things that the Secure Enclave did. It's the OS's responsibility to enroll the device and keep track of the check-in URL, push topic, and other management-related properties. So to attest it, the OS would have to tell the Secure Enclave these properties. A compromised OS could lie to the Secure Enclave about these management properties. So to trust attestation of those properties, you'd have to trust the OS as well. And if you're trusting the OS, the attestation of that property isn't giving you any additional security over just asking the OS to report the property directly.
Jun ’22
Reply to Managed Device Attestation - ACME - Request Authorization
You're right that the ClientIdentifier can work similarly to the SCEP challenge. ClientIdentifier management systems amount to some kind of coordination between the ACME server and the system that's generating the configuration profile containing an ACME payload (usually the MDM server). There are many ways to arrange it: It could be that the ACME server and MDM server agree on some ClientIdentifier generation scheme based on increasing counters or timestamps, or the MDM server asks the ACME server to issue a ClientIdentifier to embed in the profile, or the MDM server generates them and the ACME server verifies them when a certificate is requested. But this is ultimately weak evidence. If the ClientIdentifier is fumbled at any step of the way, someone else could use it. That's why the only specifically recommended use is as a rate limiting system, so that the ACME server can quickly reject clients that don't have valid ClientIdentifiers. So how does the ACME
Jun ’22
Managed Device Attestation - ACME - Request Authorization
I'm curious about suggested workflows for a 3rd party ACME server handling a request for a managed device. Specifically, when the MDM server does not control the ACME server like it likely would when using the ACME payload for the MDM client identity. i.e., an organization with a CA that can distribute client identities using ACME; how should ACME servers validate the request is authorized? The server, of course, would be able to validate that the attestation is valid from Apple, but how would an ACME server validate that the request is authorized for a device? I would assume that the ACME server would use the ClientIdentifier key similarly to a SCEP challenge. And that identifier should be populated in MDM either as a static challenge or dynamically fetched by MDM from the ACME service? Or possibly that the ACME service would need a connection (i.e., through a restful API) to the MDM server to validate it is a device under manag
2
0
1.9k
Jun ’22
TLS For Accessory Developers
I often get questions about disabling the HTTPS default server trust evaluation done by NSURLSession. My general advice is “Don’t do that!” However, there is one case where you have to do that, namely when dealing with a hardware accessory on the local network. This post contains my advice on how to deal with that situation. IMPORTANT If you found your way here and you’re not developing a network-based accessory, I have two suggestions for you: If you’re trying to override HTTPS server trust evaluation for testing purposes, see QA1948 HTTPS and Test Servers. If not, post a question here on DevForums and we’ll try to get you heading in the right direction. Tag it with Security, and either CFNetwork or Network depending on which API you’re using. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com TLS For Accessory Developers Communicating securely with a network-based accessory is tricky because the standard network security protocol, TLS, was de
0
0
2.6k
Mar ’22
Unable to get ABM prompt on freshly wiped Mac
I have a Mac Mini 2018 which is not presenting the ABM prompt when I bring my iPhone 12 running Apple Configuration Manager near it. This machine (which has been in use for a few years) has been wiped and has a fresh install of Monterey 12.2 on it. Upon first boot after a fresh reinstall, it goes directly to the Select your Country or Region screen (it completely skips the language selection prompt for some reason). I launched ACM on my iPhone 12 and sat it atop the Mac Mini for several minutes, but nothing happened. Is there something I am doing wrong? In case it matters (and knowing my luck, it probably does), I do have the T2 Security Utility configured for Medium Security and Allow Booting from External Media as I will need to roll back this machine to Catalina after the 30-day grace period completes.
0
0
703
Feb ’22
Reply to create Serial Port Drivers use DriverKit
I am not aware of any sample code, which is really a shame. Without sample code, writing USB serial device drivers is a very obscure science. However, if you can influence the code on the USB device you are better off implementing the USB CDC ACM protocol. That way your device appears under /dev/tty* and /dev/cu* without the need to write a device driver. And best of all, it works on Windows and Linux as well - again without device drivers. And on macOS, you probably don't want to use the /dev/tty* device but rather the /dev/cu* device. /dev/tty* is from the old days when you had a modem connected to your serial port and your software would become active if there was an incoming call.
Topic: App & System Services; SubTopic: Drivers
May ’21
Reply to How to link Apple in-app subscription to company account
If you want one user to have only one account in ACME, you can detect that the original_transaction_id is being used by another account, and inform the user that he has another account. If you decide to allow a user to have different accounts in ACME, then that shouldn't be a problem because the user is the same with two accounts. If the user is the same, it shouldn't matter what account he used to log in. To share a subscription between members of a family, Apple now has Family Sharing: https://developer.apple.com/documentation/appstoreservernotifications/notification_type#3733656
Apr ’21
How to link Apple in-app subscription to company account
My understanding is that we are supposed to use the original transaction ID to link to a user, but that's not a one-to-one mapping. Let's say I work for ACME Inc and we offer an in-app subscription to content. A customer downloads our app. Inside the app, they create an ACME account (A). Then they purchase the subscription within the app. During verification and fulfillment, we save the user's ACME account ID and the original transaction ID from the Apple receipt. Great! At some point, the user cancels the subscription and doesn't use the service for some time. When they decide they want to use it again, they open the ACME app and can't remember their login for ACME account (A). So, instead of recovering the account, they create a new account (B). Then they purchase a subscription. We save the user's ACME account ID and the original transaction ID from the Apple receipt. The original transaction ID will be the same in both cases, but the ACME acco
1
0
1.1k
Apr ’21
Big Sur fails to mount encrypted volume
I have a problem mounting an encrypted volume on Big Sur (11.1). In DiskUtility, when I select the volume, click Mount, enter the password and click Unlock, nothing happens. I also tried to use the CLI to unlock the volume using the command: diskutil apfs unlockVolume /dev/disk1s6 but it gives me the error: Passphrase: ACM: LibCall_ACMContextCreate: returning, err = -536870181. Error -536870181 (0xe00002db) creating ACM Context for passphrase I also tried to create a new encrypted volume with the simple password '123', but after I unmounted it and tried to mount it again I got the same error. Device: MacBook Pro (16-inch, 2019) Is it a bug in Big Sur or am I doing something wrong? Should I just wait for an update with a fix? I don't have an urgent need to decrypt the data because I have a backup. The question is about the possibility of using encrypted volumes in macOS.
4
0
3.8k
Jan ’21
Reply to From Reality Composer to app
Hi, I began using Reality Composer on the iPad Pro about a year ago, approaching it from having taught 2D-3D graphics 20 years ago. Apple's AR is the most exciting presentation format since QuickTime. I am in much the same position you are in... I have 'content', now how do I sew it together and into an app? Apple has solid information on making apps in 'normal product category domains'. AR is still a bit new. The difficulty of making the leap from 'content' to 'app' depends somewhat on your background with Xcode, along with the complexity and goals of your app. You also may or may not need an 'app' in the 'AppStore' sense; I've seen discussion of using QuickLook for viewing .reality files. If all you need to do is share your AR content, exporting a Reality Composer 'scene' as a .reality file can be a very useful way of making your 'content' available the way it functions within Reality Composer's building environment. You may also wish to look at SwiftPlaygrounds in iOS as a way to examine if your conte
Nov ’20