Deploying certificates with MDM currently has a major limitation that you can only deploy certificates into the login keychain of the "MDM user" which is normally the user present when the device was enrolled.
Does declarative device management certificate management address this at all?
On MacOS, MDM has a device channel and a user channel. The latter can be used to manage one local user only. Certificates installed on the device channel will go into the system keychain, and certificates installed on the user channel will go into the user (login) keychain of the (one) managed user. There is no way to target the keychains of other local users.
Since declarative device management is built into MDM, it uses the same device/user channel model that MDM has. So, as with MDM, a certificate installed by a configuration on the device channel will go into the system keychain, and one installed on the user channel will go into the user (login) keychain of the (one) managed user.
Thank you for the reply, i suppose the real fix here is being able to update the managed user for a device, with the changes to platform SSO to include local account creation post Apple setup and the current gap in ability to use SSO during Apple Setup to create a local account this seems to be a much needed feature.
