Hi,I am posting this in the hopes that it may save someone with a similar problem some time.A build was failing with the following error:Code Signing Error: Provisioning profile "FooBar" doesn't include signing certificate "iPhone Developer: foo bar (xxxxxxxxxxx)".The build was done on the command line with:xcodebuild OTHER_CODE_SIGN_FLAGS='--keychain /Users/me/Library/Keychains/Buildsystem' (and other parameters)Before each build we create the Buildsystem keychain and import the certificates needed fo the build into it. The keychain is then removed after the build.I could do the build locally and it would work, it was only on our build machine under jenkins that it failed.After spending a lot of time on this I found the cause was that there was another certificate in the builds machine's login keychain that was being used for the code signing even though we had provided a keychain with the correct certificate and told the codsigning to use it. After deleting the bad certificate from teh login keychain everything worked.So it looks like the -keychain has no effect or that codesigning searched the login keychain before the specified one.Is there anyway to change this behavior? The idea of using a special keychain for the build process was to avoid things like this.

I am trying to read the private key from certificate in the system keychain on the client to sign random data send by the server.Note that the certificates aren't distributed by me. Users will install the certificate(s) either by downloading them from the different servers or importing pkcs file.I am using below code.std::string osxPrivateKey::signData(const uint8_t* pData, uint32_t nDataSize, vector <uint8_t>& aSignature) { OSStatus nStatus; osxObject<SecTransformRef> signer; CFDataRef rawData = CFDataCreate(NULL, (const uint8_t*)pHash, nHashSize); CFErrorRef error; SecTransformRef signerRef = SecSignTransformCreate(m_privKey.get(), &error); signer.set(signerRef); if (error) { return false; } SecTransformSetAttribute(signer.get(), kSecTransformInputAttributeName, rawData, &error); SecTransformSetAttribute(signer.get(), kSecInputIsAttributeName , kSecInputIsPlainText, &error); //SecTransformSetAttribute(signer.get(), kSecPaddingKey, kSecPaddingPKCS1Key, &error); //SecTransformSetAttribute(signer.get(), kSecDigestTypeAttribute, kSecDigestSHA1, NULL); SecTransformSetAttribute(signer.get(), kSecDigestTypeAttribute, kSecDigestSHA2, NULL); int digestLength = 160; //if (type ==2) digestLength = 256; CFNumberRef dLen = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &digestLength); Boolean set = SecTransformSetAttribute(signer.get(), kSecDigestLengthAttribute, dLen, &error); CFRelease(dLen); if (error) { return false; } DSVERBOSE(Sardeep, "SecTransformExecute begin"); Boolean allowed; SecKeychainGetUserInteractionAllowed(&allowed); DSVERBOSE(Sardeep, "SecKeychainGetUserInteractionAllowed '%d'", allowed); SecKeychainSetUserInteractionAllowed(true); CFDataRef signature = (CFDataRef)SecTransformExecute(signer.get(), &error); if (error) { CFStringRef errorDesc = CFErrorCopyDescription(error); CFIndex length = CFStringGetLength(errorDesc); CFIndex maxSize = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1; char *buffer = (char *)malloc(maxSize); CFStringGetCString(errorDesc, buffer, maxSize, kCFStringEncodingUTF8); DSERROR(facility, "SecTransformExecute error : '%s'", buffer); delete buffer; return false; } DSVERBOSE(Sardeep, "SecTransformExecute end"); m_signHashAlgo = HCCertUtils::SIGN_HASH_ALGO_SHA256; char* base64Signature = new char[1024]; unsigned char* rawSignature = new unsigned char[1024]; int size = CFDataGetLength(signature); CFDataGetBytes(signature, CFRangeMake(0,CFDataGetLength(signature)), (UInt8*)(rawSignature)); DSUtilEncodeBase64((const char*)rawSignature, size, base64Signature, 1023); base64Signature[1023] = '\0'; strBase64Signature.assign(base64Signature); DSERROR(facility, "challenge data is successfully signed."); delete []base64Signature; delete []rawSignature; return true; }This code runs as a part of daemon on the client. I have written a test application (not a daemon) using same code and when I execute test application it prompts me for username/password in order to access the keychain. Once I provide username/password everything works fine.But when I execute same code through daemon (client-server communication), it doesn't prompt for username/password. So is there any way or API to skip the password required since daemon runs as system user?Coming from windows background, service (daemon) on windows can access the private key.I have tried following options so far:impersonate to current user from daemon so that user gets the authorisation prompt. But no prompt for username/password. I am expecting prompt when SecTransformExecute is executed ( as in my test application). But it fails with error "Error Domain=Internal CSSM error Code=-2147415839 "Internal error #800108e1 at SignTransform_block_invoke".try to read Access Control List of the certificate and modify access for this certificate so that it doesn't prompt for password everytime my app tries for access.SecAccessRef secaccess; OSStatus ret = SecKeychainItemCopyAccess(pKeychain, &secaccess); SecKeychainItemCopyAccess fails with error -25243 (The specified item has no access control ). 3. manually add my app in the access control from the keychain access.Only 3rd option is working. But I can't expect clients to add it manually as there could be multiple certificates setup for client/server communiation.Any suggestions? Is what I am trying to do possible on MacOS? If yes, how can I achieve it?

We are sending one get API call request to fetch user profile data. As of now this request is working fine till iOS 11.2 version. We updated Xcode to 9.4.1 and ran application with iOS 11.3 but it fails with below error :Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be ““Server URL” which could put your confidential information at risk." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600000305e80>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, NSErrorPeerCertificateChainKey=( "<cert(0x7f8d6a1ce200) s: *“Server URL: GeoTrust SSL CA - G3>", "<cert(0x7f8d6a0dca00) s: GeoTrust SSL CA - G3 i: GeoTrust Global CA>"), NSUnderlyingError=0x608000657100 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600000305e80>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=( "<cert(0x7f8d6a1ce200) s: *API path: GeoTrust SSL CA - G3>", "<cert(0x7f8d6a0dca00) s: GeoTrust SSL CA - G3 i: GeoTrust Global CA>")}}, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “Server URL” which could put your confidential information at risk., NSErrorFailingURLKey=, NSErrorFailingURLStringKey="API path", NSErrorClientCertificateStateKey=0}Could anyone please help to resolve this issue ? Could not figure out why this request is failing iOS 11.3 onwards ?

I want to remove certificate from keychaine using:let removeKeyQuery: [String: Any] = [kSecClass as String: kSecClassKey, kSecAttrLabel as String: "serverCertificate"] let status = SecItemDelete(removeKeyQuery as CFDictionary)I get the error errSecItemNotFound.And when I try to save it using:let getquery: [String: Any] = [kSecClass as String: kSecClassCertificate, kSecAttrLabel as String: "serverCertificate", kSecReturnRef as String: kCFBooleanTrue] var item: CFTypeRef? let status = SecItemCopyMatching(getquery as CFDictionary, &item) guard status == errSecSuccess else { print("Certificate not found") return nil } let certificate = item as! SecCertificateI get errSecSuccess and i get the certificate.

Hai, I need to authenticate the users at login with my own logic like, For eg: calling an external authentication server and using OpenDirectory in case if the server is not reachable.I know that i need to create an authorization plugin like the apple's sample code (NullAuthPlugin,NameAndPassword) and add an entry in authorizationdb at 'system.login.console' right to invoke my plugin to achieve this. NameAndPassword sample suggests to use different UI(using SFAuthorizationPluginView) other than the "loginwindow:login" to customize the login. Can I able to achieve my requirement without replacing the loginwindow GUI ie the mechanism "loginwindow:login"?? ie, Can i able to achieve this by keeping the existing mac's login screen as such and obtain the credentials to perform my own authentication ?? If possbile where should i place my mechanism at 'system.login.console' ?I think of replacing the <string>builtin:authenticate,privileged</string> with my own plugin to achieve my requirement ? Is it OK to replace the buitin login mechanism ?Is my approach correct ? Can anyone help me to clarify regarding this ?

Recently I’ve had a couple of folks ping me about debugging reproducible -34018 errors when using the keychain. Pasted in below is my advice on that topic. If you have any feedback about this, or you are having this problem and can’t fix it using these instructions, please put the details in a new thread. Make sure to tag it with Security so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Change history: 11 Mar 2019 — First posted. 13 Mar 2019 — Added a clarification about query dictionaries. 23 Oct 2021 — Updated to fix the formatting and repair a broken link. Minor editorial changes. 23 Oct 2021 — Added the Change in Query Behaviour section. Troubleshooting -34018 Keychain Errors Learn how to resolve -34018 errors from the keychain. Error -34018 translates to errSecMissingEntitlement. This error means that your app is trying to use a keychain access group for which it does not have entitlements. See the Set Your App’s Access Groups section of Sharing Access to Keychain Items Among a Collection of Apps for information on how the system determines the list of keychain access groups that you have access to. Note On macOS, the advice in this post only applies if you’re using the data protection keychain. If you’re using the traditional file-based keychain, you should never see error -34018. There are two common scenarios for this error: Reproducible. The problem happens every time you run the code, typically during development but possibly in other contexts, like after submitting your app to TestFlight, or during enterprise deployment. Intermittent. The problems shows up very occasionally on user devices in the field but is otherwise hard to reproduce. If you’re seeing this problem intermittently, read the suggestions in Error -34018 errSecMissingEntitlement. In contrast, if the problem is reproducible, read the rest of this post for advice on how to debug it. Check Your Entitlements The first step in troubleshooting this problem is to check your app’s entitlements. To start, use the codesign tool to dump the entitlements: $ codesign -d --entitlements :- /path/to/your.app IMPORTANT Dump the entitlements of your built app, not the .entitlements file you see in your Xcode project. The .entitlements file is an important input to Xcode’s code signing machinery, but it is not what the system uses to determine your app’s entitlements. You should see something like this: $ codesign -d --entitlements :- TestKeychain.app … <plist version="1.0"> <dict> <key>com.apple.developer.team-identifier</key> <string>SKMME9E2Y8</string> <key>application-identifier</key> <string>SKMME9E2Y8.com.example.apple-samplecode.testkeychain.app</string> <key>keychain-access-groups</key> <array> <string>SKMME9E2Y8.example.apple-samplecode.testkeychain.app</string> <string>SKMME9E2Y8.example.apple-samplecode.testkeychain.shared</string> … </array> <key>com.apple.security.application-groups</key> <array> <string>group.com.example.apple-samplecode.testkeychain</string> … </array> … </dict> </plist> In this output you’ll see the following: The com.apple.developer.team-identifier property is your Team ID. The application-identifier (com.apple.application-identifier on macOS) is your App ID, that is, your App ID prefix (in most cases this is your Team ID) followed by your bundle ID. keychain-access-groups, if present, starts with your App ID and then lists any other keychain access groups you use. com.apple.security.application-groups, if present, lists the shared app groups you use (this is only relevant on iOS-based platforms; shared app groups can’t be used as keychain access groups on macOS). As discussed in the Set Your App’s Access Groups section of Sharing Access to Keychain Items Among a Collection of Apps, the system uses the last three entitlements to form of list of keychain access groups that you’re app is entitled to use. Your keychain access group must appear in one of these entitlements. If it’s not there, read Technote 2415 Entitlements Troubleshooting for advice on how to fix that. Check Your Keychain Calls Once you’ve confirmed that your app has the entitlements to access the expected keychain access group, the next step is to confirm that you’re passing the correct access group to the keychain API. To do this, set a breakpoint on your keychain calls. For example, in the following code snippet you would set a breakpoint on the last line: let query: NSDictionary = [ kSecClass: kSecClassGenericPassword, kSecAttrService: "myService", kSecAttrAccount: username, kSecAttrAccessGroup: "SKMME9E2Y8.example.apple-samplecode.testkeychain.shared", kSecMatchLimit: kSecMatchLimitAll, kSecReturnData: true, ] var copyResult: CFTypeRef? = nil let err = SecItemCopyMatching(query, &copyResult) Note See Change in Query Behaviour (below) for an interesting edge case here. When you hit the breakpoint, use the debugger to print the query dictionary: (lldb) p query (NSDictionary) $R4 = 0x0000600000fedb00 6 key/value pairs { … [5] = { key = 0x0000000111838958 "agrp" value = "SKMME9E2Y8.example.apple-samplecode.testkeychain.shared" } } Here the agrp attribute holds the keychain access group being searched (agrp is the value of kSecAttrAccessGroup). It must either be not present, in which case you get the default behaviour discussed below, or included in the list of entitlements as determined by the previous section. If it’s some other value, trace the origin of that bad value and correct it. If the kSecAttrAccessGroup attribute is missing, you will see one of three behaviours: For query dictionaries, like the one passed to SecItemCopyMatching, the system interprets a missing value as a wildcard, that is, the query will match an item in any access group that you have access to. For SecItemAdd, the system will use your app’s default keychain access group, that is, the first entry in the list of entitlements as determined by the previous section. For the second parameter of SecItemUpdate, a missing value indicates that it should not change the keychain access group attribute. Change in Query Behaviour In the example above I used SecItemCopyMatching to illustrate how to check the access group used by a call. This brings up an interesting change in behaviour when you pass in an access group that you’re not entitled to access: In iOS 13 and later, the call will fail with errSecMissingEntitlement. In earlier systems, the call will simply cause the query to not match. The current behaviour is better because it makes is very likely that you’ll catch this mistake early.

Hello,I have been developing an iOS and macOS application that requires me to configure an LDAP address book programmatically. I have achieved this goal in my macOS application where I created a .mobileconfig file dynamically and installed it to system preferences.I want the same behavior for my iOS application but the .mobilconfig file I created for macOS is not working for iOS even if I add it manually.Is there any other way to programmatically configure LDAP in iOS?If so, Kindly help.Regards,Souvanik

Hi,we are currently trying to test universal links also on our development server which is behind a VPN. From my understanding, correct if I am wrong, I thought it is enough that during app installation, the corresponding device (iPhone) is also connected via VPN so that iOS is able to download the AASA file?But at the moment I am not able to test this successfully. So my question is, is that possible in general to put the file on a server which is only reachable via VPN, and if yes, what could be the error?Best regardsChris

Can someone please shed some light on the usage of `.or` &amp; `.and` flags? Though I am able to get the accomplish the entended result using `.userPresence`, I am trying to wrap my head around how to use `.or` &amp; `.and`. Can someone please provide an example on correct usages of these options?

Hi, I am unable to figure out how to set the tls protocol version. This is part of the code I am using:let tlsOptions = NWProtocolTLS.Options() sec_protocol_options_add_pre_shared_key(...) sec_protocol_options_add_tls_ciphersuite(tlsOptions.securityProtocolOptions, TLS_PSK_WITH_AES_128_GCM_SHA256) sec_protocol_options_set_min_tls_protocol_version(tlsOptions.securityProtocolOptions, tls_protocol_version_t.DTLSv12) let parameters = NWParameters(dtls: tlsOptions) connection = NWConnection(host: ..., port: NWEndpoint.Port(rawValue: 2100)!, using: parameters) connection.start(queue: .main)When I run this code I get the following log errors:2019-10-19 14:30:31.628250+0200 MyApp[4906:117290] [BoringSSL] boringssl_helper_tls_protocol_version_from_SSLProtocol(111) [C6:1][0x7fd33fc4d4f0] Unknown SSLProtocol version: 11 2019-10-19 14:30:31.649137+0200 MyApp[4906:117290] [BoringSSL] boringssl_context_handle_fatal_alert(1874) [C6:1][0x7fd33fc4d4f0] read alert, level: fatal, description: bad record mac 2019-10-19 14:30:31.650008+0200 MyApp[4906:117290] [BoringSSL] boringssl_session_handshake_error_print(111) [C6:1][0x7fd33fc4d4f0] 140546626918936:error:100003fc:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_RECORD_MAC:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.40.1/ssl/tls_record.cc:587:SSL alert number 20 2019-10-19 14:30:31.650105+0200 MyApp[4906:117290] [BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(724) [C6:1][0x7fd33fc4d4f0] handshake failed at state 12288It appears that the tls protocol version is unknown (see first log line). This is the function I am using to set the version: https://developer.apple.com/documentation/security/3180218-sec_protocol_options_set_min_tlsI am using the `tls_protocol_version_t.DTLSv12` constant so why does this show an error? I was unable to find any documentation/samples using DTLS so I might be doing something wrong. Is this the correct way to use DTLS?

One customer has raised a complaint saying that her apple id have been compromised after using our app. She also said that her apple id had been accessed from some other location. We are not accessing user's account details inside the app (We are not even using auto fill passwords or OTP). We are accessing camera, Photo Library, Location and Notification for accessing all of these we are getting proper permission from the user. How to solve this issue.

We are trying to write a command line tool that will setup a VPN tunnel following a customized protocol.One step is making sure that the client is starting the connection from a company MacBook by responding to a challenge by signing it with a private key stored in the secure enclave. For the communication with the secure enclave we want to use the EllipticCurveKeyPair project.When we first ran our tool and tried to access the secure enclave, we got an error thrown from the EllipticCurveKeyPair manager:underlying(message: "Could not generate keypair.", error: Error Domain=NSOSStatusErrorDomain Code=-34018 "Could not generate keypair." UserInfo={NSLocalizedRecoverySuggestion=See https://www.osstatus.com/search/results?platform=all&amp;amp;framework=all&amp;amp;search=-34018, NSLocalizedDescription=Could not generate keypair.}).which refers to the errorerrSecMissingEntitlement-34018Internal error when a required entitlement isn't present.So, we figured that entitlements are missing to access the secure enclave.To resolve this, we tried to apply the settings of the EllipticCurveKeyPair MacOS demo project to our MacOS command line tool project. So, we added the capability App Sandbox and configured the entitlements keychain-access-groups, com.apple.security.get-task-allow, com.apple.security.files.user-selected.read-only, as in?xml version="1.0" encoding="UTF-8"?&amp;gt; &amp;lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&amp;gt; &amp;lt;plist version="1.0"&amp;gt; &amp;lt;dict&amp;gt; &amp;lt;key&amp;gt;com.apple.application-identifier&amp;lt;/key&amp;gt; &amp;lt;string&amp;gt;####&amp;lt;/string&amp;gt; &amp;lt;key&amp;gt;com.apple.developer.game-center&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.developer.team-identifier&amp;lt;/key&amp;gt; &amp;lt;string&amp;gt;####&amp;lt;/string&amp;gt; &amp;lt;key&amp;gt;com.apple.security.app-sandbox&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.files.user-selected.read-only&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.get-task-allow&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;keychain-access-groups&amp;lt;/key&amp;gt; &amp;lt;array&amp;gt; &amp;lt;string&amp;gt;####&amp;lt;/string&amp;gt; &amp;lt;/array&amp;gt; &amp;lt;/dict&amp;gt; &amp;lt;/plist&amp;gt;With the sandbox configured we run into the next problems:When we execute the tool in Xcode, Xcode will halt execution, and display an error message in the debugger, some place in the code where the sandbox appears to be initialized:Thread 1: EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)We made sure that our tool uses a bundleID on its own to avoid sandbox initialization issues arising from multiple apps using the same bundle ID.When we execute the tool from the command line, we get the errorIllegal instruction: 4When using codesign -d --entitlements - CmdLineTool we get this list of entitlements&amp;lt;?xml version="1.0" encoding="UTF-8"?&amp;gt; &amp;lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&amp;gt; &amp;lt;plist version="1.0"&amp;gt; &amp;lt;dict&amp;gt; &amp;lt;key&amp;gt;com.apple.security.app-sandbox&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.files.user-selected.read-only&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.get-task-allow&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;/dict&amp;gt; &amp;lt;/plist&amp;gt;Also, we read through the articles available here:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.htmlhttps://eclecticlight.co/2019/01/15/code-signing-for-the-concerned-1-why/ and following articlesNow the question:How do we have to proceed to get access to the secure enclave from a command line tool to create key pairsuse private keys to sign / encrypt stringsIs it necessary or even possible to configure App Sandbox for the command line tool?Thanks for any help!

Hi,I'm working on the output of method `distinguishedNames` that available under challenge.protectionSpace when my application receieve callback from the server (didReceieveChallenge) of type NSURLAuthenticationMethodClientCertificate. In this case the server ask for certificate from the client that was signed by issuer from the issuersList provided by the server.The method challenge.protectionSpace.distinguishedNames returns as a DER encoded data, and I wish to decode it and get the issuer distiguished name.Since openssl is no longer native mac code, i turned to SecAsn1Decode and realized that it also expect to have a template of the DER format (SecAsn1Template).. so I pretty much need to have the formatted layout before I want to decode an instance formatted in this way.Conceptually, I'm not sure I understand why this template is really needed, because the DER format explain the format by itself.I've tested my assumption by copying the output of distinguishedNames and using asn.1 online converter to human readble text, and it revealed the format by itself.here's the input :30 81 8E 31 0B 30 09 06 03 55 04 06 13 02 49 4931 0F 30 0D 06 03 55 04 08 0C 06 62 62 62 62 626C 31 0C 30 0A 06 03 55 04 07 0C 03 54 4C 56 310B 30 09 06 03 55 04 0A 0C 02 54 53 31 1E 30 1C06 03 55 04 0B 0C 15 43 41 5F 63 65 72 74 69 6669 63 61 74 65 5F 73 65 72 76 65 72 31 1B 30 1906 03 55 04 03 0C 12 62 62 62 62 62 73 5F 4D 6163 42 6F 6F 6B 5F 50 72 6F 31 16 30 14 06 09 2A86 48 86 F7 0D 01 09 01 16 07 7A 40 7A 2E 63 6F6Dand the output :SEQUENCE (7 elem) SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component) PrintableString II SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 2.5.4.8 stateOrProvinceName (X.520 DN component) UTF8String bbbbbl SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 2.5.4.7 localityName (X.520 DN component) UTF8String TLV SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component) UTF8String TS SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component) UTF8String CA_certificate_server SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component) UTF8String bbbbbs_MacBook_Pro SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 1.2.840.113549.1.9.1 emailAddress (PKCS #9. Deprecated, use an altName extension instead) IA5String z@z.comSo perhaps anyone can thing of a good reason why is the template is needed ? and if so, how do i generate it for my specific example.Thanks !

Hi,We have deployed the Intune MAM/MDM in our organisation for iPhone (iOS) and Android devices, in this policy we have enabled the data protection that user will not be able to paste copied data from policy managed app (e.g. MS Outlook, OneDrive, Teams etc).Now due to this we are not able to paste copied data in iOS contact apps, As per the Microsoft we have to exclude this iOS native contact apps by adding URL protocol in Intune MAM policy.We are requesting you to please share the URL protocol for iOS contact app so we can exclude this app.Ref:-https://docs.microsoft.com/en-us/intune/apps/app-protection-policy-settings-ios#data-transfer-exemptionshttps://docs.microsoft.com/en-us/intune/apps/app-protection-policies-exception (Refer section “iOS data transfer exceptions”)