SSL Trust of mobileconfig Profile installed CA certificates

Our product creates signed mobileconfig Profiles which install root certificates on MacOS devices (via a "com.apple.security.root" payload).

For MacOS versions prior to Ventura the resulting certificates on the end user MacOS device's were marked as "Always Trust" for SSL in the trust details seen in Keychain Access.

On MacOS Ventura the same setting for SSL for the CA certificate is shown as "no value specified" in the trust details of Keychain Access.

The "no value specified" seems to result in web servers presenting certs chained to the CA not being trusted, at least in Safari. Is there any Profile based option to specify the provided CA certificate should be trusted (equivalent of "Always Trust") for SSL on Ventura?

STEPS TO REPRODUCE:

1) Via a mobileconfig based Profile, install a CA certificate via a "com.apple.security.root" payload 

2) Visit the resulting certificate entry in Keychain Access

3) Expand the "Trust" section/settings of the certificate

4a) Prior to MacOS Ventura all of the items such as "Secure Socket Layer (SSL)", "Secure Mail", etc were all marked as "Always Trust".

4b) In Ventura "Secure Socket Layer (SSL)" is marked as "no value specified" while all the other items are marked as "Always Trust"

Up vote post of cpndev Down vote post of cpndev
994 views
Posted by
cpndev
Reply
Add a Comment

Replies

Are you installing this profile via MDM? Or manually?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo

  • Thank you for your reply. The Profile is installed manually, transported via a .mobileconfig file then accepted by the user in the Profiles screen within System Properties.

    cpndev
Add a Comment

Thank you for your response. The profile is installed manually. A .mobileconfig file is downloaded from a web interface and the user is instructed to install via the Profiles section within System Settings.

Posted by
cpndev
Up vote reply of cpndev Down vote reply of cpndev
Add a Comment

OK. This is more of a user-level question than a code-level question, which means I’m not really the right person to give you definitive answers. However, my understanding is that this is a deliberate change to bring macOS more in line with iOS. On iOS you have to manually trust a user-installed root certificate (in Settings > General > About > Certificate Trust Settings) and now that’s the case on macOS as well.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Did you figure out what the issue was here? I'm seeing this behavior just with a .mobileconfig created with Apple Configurator and not seeing how to change it. There must be a new plist key somewhere--this seems like a crucial thing to be able to make work, kind of a major reason to distribute CAs for internal PKI in the first place.

Posted by
matthewdw
Up vote reply of matthewdw Down vote reply of matthewdw
Add a Comment

Actually, I am seeing essentially the same behavior with the same trust profile .mobileconfig when installed on iOS 17. I have to go to Settings > About > Certificate Trust Settings, and slide the switch next to the root certificate under "ENABLE FULL TRUST FOR ROOT CERTIFICATES" in order for anything below it in a chain to be trusted for HTTPS/TLS.

This document describes this process, but it says "Certificate payloads are trusted for SSL automatically when installed with Configurator, MDM or as part of an MDM enrolment profile." This is apparently untrue, because I installed this profile on iOS 17 with Apple Configurator, and I installed it on macOS systems via MDM. Clearly there is another factor here that is required. (Full disclosure: my profile is currently unsigned, but the OP says his was signed... nevertheless the linked document does not specify that the profile must be signed. My iOS device is also unmanaged, but the macOS systems are MDM managed... but again, a managed device is not listed as a requirement at the above link)

I understand the need to very carefully protect installation of root certificates... but whatever has changed in Ventura (and apparently iOS 17) seems to be completely undocumented and no one thinks security-by-obscurity is a good policy. I also found a Jamf support post where a large group of users are baffled by this same problem. This is impacting a large chunk of important users in Apple's ecosystem...the documentation here--at a minimum--should be better on whatever the problem is here.

Posted by
matthewdw
Up vote reply of matthewdw Down vote reply of matthewdw
Add a Comment