Hi, I was wondering if there is a way to monitor if a certificate is exported from the keychain. Either by using some of the APIs Endpoint Security provides or using another method. Thanks.
Are you concerned about exporting a certificate? Or a digital identity?
For an explanation of the difference, see Certificate Signing Requests Explained.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
In my org, via MDM the Macs of the employees are going to receive a certificate to validate their identity when they connect to the corporate network. We are wondering if there is a way to prevent users from exporting this certificate.
Presumably you’re talking about a digital identity here, ’cause a certificate shouldn’t contain any private information.
AFAIK Endpoint Security has no specific mechanism for authorising the export of private keys from the keychain.
The macOS keychain does have the concept of ‘extractable’, where a key that’s not extractable can’t be exported from the keychain. And, oh look, you can set that via the KeyIsExtractable property in the com.apple.security.pkcs12 payload.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"