We are interested in using a hardware-bound key to sign requests made to a server prior to a user being logged in. We would do this using a launch daemon. The goal here is to have a high degree of assurance that a request came from a particular device.
The normal way to do this would be with a private key in the Secure Enclave.
Based on these threads, https://forums.developer.apple.com/forums/thread/719342 and https://forums.developer.apple.com/forums/thread/115833, and the write-up about the Data Protection Keychain, it doesn't appear possible with the SE. Rather, it seems that we must wait until we have a logged-in user context before we can use the SE.
My questions are:
- am I correct in that the SE is not usable in the system context prior to login?
- is there any other way on macOS to sign a request in such a way that we know it comes from a specific device?
Thanks.
am I correct in that the SE is not usable in the system context prior to login?
Correct, presuming that we’re talking about general-purpose signing from third-party code.
We are interested in using a hardware-bound key to sign requests made to a server prior to a user being logged in.
This kinda sounds a bit IdP-ish. If so, there might be an answer for you in the Platform SSO space.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"