Hi,
It may be a stupid question, but we really wonder if there is a way for MDM to push a unique mTLS cert to our iOS application or if it can populate a client certificate in the iOS where our application can access it. Like browser app, how do browser mTLS certs get pushed?
Thanks,
Ying
Since you mention mTLS, I think you're referring to an identity (certificate plus matching private key). MDM does not have a way to provide MDM-provisioned identities to managed apps.
There's managed app config for providing arbitrary app-defined configurations to managed apps, however that's not appropriate for sensitive data like private keys. To use that you would need to somehow turn that into a secure communication channel.
how do browser mTLS certs get pushed?
Installing an identity via configuration profile or MDM installs it into a keychain access group which Safari and various system processes can access. Some other browsers have their own mechanisms for obtaining identities.
With the release of the new ManagedApp framework in iOS 18.4, iPadOS 18.4, and visionOS 2.4, there's now a way for an MDM server to provision identities for managed apps and their app extensions. See the ManagedApp Framework documentation.
