When our app makes an API call to our backend service, we want the app to provide a client certificate in the call.
What API and mechanism can we use so that our app (iOS App Store, and Mac with Developer ID) can read a client certificate present in the Keychain?
Please note that the client certificate will be put in the Keychain by an external MDM process. I'm not sure whether an iOS or Mac app can read client certificates from the Keychain that it did not put there in the first place.
I’m presuming that you mean digital identity rather than certificate, because access to just the certificate isn’t going to help you much. I talk about that distinction in detail in TLS for App Developers.
To start, I’m gonna focus on iOS. When you install a digital identity on iOS via MDM, the identity is placed into an Apple-only keychain access group. Third-party apps don’t have access to that group. QA1745 Making Certificates and Keys Available To Your App documents that limitation.
There’s one key exception to this rule. A digital identity that’s referenced by an NE configuration profile is placed into a special keychain access group, com.apple.managed.vpn.shared. It’s possible for third-party NE apps to get access to this group. See point #9 in Network Extension Framework Entitlements.
So, if your app contains an NE provider and the digital identity is installed by the same configuration profile as your NE configuration and you’re approved to use com.apple.managed.vpn.shared, you should be able to get that to work on iOS.
The story in macOS is more nuanced. To start, com.apple.managed.vpn.shared is a non-starter on macOS, because:
- com.apple.managed.vpn.shared is a data protection keychain concept. See TN3137 On Mac keychain APIs and implementations for an explanation of what that means.
- Your macOS product uses Developer ID, so it must be a system extension.
- System extensions run in the global context, like a launchd daemon.
- Code running in that context can’t access the data protection keychain. TN3137 documents that limitation.
However, I’m not entirely sure whether that matters, because last I checked, macOS places digital identities installed by MDM into the file-based keychain. Specifically, if the profile is installed globally, it should go into the System keychain.
The challenge there is access control. The file-based keychain implements access control via an ACL. You’ll only be able to use the identity if you’re listed on the ACL. Honestly, I’m not sure whether the profile import mechanism adds your NE provider to the ACL when the digital identity is associated with an NE configuration.
Unfortunately it’s hard for me to do a realistic test of this. However, it’s something you should be able to test at your end:
- Install your app on a managed Mac.
- And install its sysex.
- Use Apple Configurator to create a configuration profile that configures your NE provider using Certificate [sic] authentication.
- Use MDM to push that to your Mac.
- Use Keychain Access to see where the digital identity landed, and what its ACL looks like.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
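An added example, not part of the original thread or of any Apple sample, showing how the identity lookup and the client-certificate challenge described above fit together in code. It assumes the iOS app holds the entitlement for the com.apple.managed.vpn.shared access group named in the answer; on macOS it searches the file-based keychain by label instead, and the label string (`identityLabel`) is an assumption that must match whatever the MDM profile called the identity. The diagnostic helper reports which access group or keychain the item actually came from, which is the same question the macOS test steps above ask of Keychain Access.

```swift
import Foundation
import Security

/// Errors surfaced by the lookup helper (assumed names, not a system API).
enum ClientIdentityError: Error {
    case notFound
    case wrongType
    case keychain(OSStatus)   // raw Security framework status for diagnostics
}

/// Locate the MDM-installed digital identity (certificate plus private key).
///
/// iOS: the only group a third-party NE app can reach is the shared VPN group,
/// so we query that group explicitly; without the entitlement the call fails
/// with errSecMissingEntitlement rather than returning a foreign item.
/// macOS: MDM lands the identity in the file-based (System) keychain, so we
/// match on label and leave the ACL check to happen when the key is used.
func loadManagedClientIdentity(label identityLabel: String) throws -> SecIdentity {
    var query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecReturnRef: true,
        kSecReturnAttributes: true,   // so we can report where the item lives
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    #if os(iOS)
    query[kSecAttrAccessGroup] = "com.apple.managed.vpn.shared"
    #else
    query[kSecAttrLabel] = identityLabel   // assumption: label set by the MDM profile
    #endif

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        // With kSecReturnAttributes set, the result is a dictionary; the ref
        // itself is under kSecValueRef.
        guard let attrs = result as? [CFString: Any],
              let ref = attrs[kSecValueRef] else { throw ClientIdentityError.wrongType }
        guard CFGetTypeID(ref as CFTypeRef) == SecIdentityGetTypeID() else {
            throw ClientIdentityError.wrongType
        }
        logIdentityLocation(attrs)
        return ref as! SecIdentity
    case errSecItemNotFound:
        throw ClientIdentityError.notFound
    default:
        throw ClientIdentityError.keychain(status)
    }
}

/// Diagnostic: print the access group (iOS) or label (macOS) and the subject
/// of the certificate, so a tester can confirm the identity landed where the
/// answer above predicts. Purely informational; nothing is modified.
func logIdentityLocation(_ attrs: [CFString: Any]) {
    if let group = attrs[kSecAttrAccessGroup] as? String {
        print("identity access group: \(group)")
    }
    if let label = attrs[kSecAttrLabel] as? String {
        print("identity label: \(label)")
    }
    if let ref = attrs[kSecValueRef], CFGetTypeID(ref as CFTypeRef) == SecIdentityGetTypeID() {
        var cert: SecCertificate?
        if SecIdentityCopyCertificate(ref as! SecIdentity, &cert) == errSecSuccess,
           let cert = cert, let subject = SecCertificateCopySubjectSummary(cert) {
            print("certificate subject: \(subject)")
        }
    }
}

/// URLSession delegate that answers only the client-certificate challenge.
/// Server trust evaluation is deliberately left to the system default, so
/// this delegate never weakens TLS validation of the backend.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity

    init(identity: SecIdentity) { self.identity = identity }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Intermediates can be passed in `certificates:` if the backend needs
        // the chain; the identity's own leaf certificate is always sent.
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

/// Build the session used for backend calls. Throws if the identity is not
/// reachable, which is the signal that the entitlement (iOS) or ACL (macOS)
/// is not in place rather than a reason to fall back to no client auth.
func makeBackendSession(identityLabel: String) throws -> URLSession {
    let identity = try loadManagedClientIdentity(label: identityLabel)
    let delegate = ClientCertSessionDelegate(identity: identity)
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
}
```

On macOS, a successful SecItemCopyMatching does not by itself prove the sysex is on the private key's ACL; the ACL is enforced when the key is used for the TLS handshake, so the request made through `makeBackendSession` is the real test, and a failure there alongside a successful lookup points at the ACL question raised in the answer.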