Hi, everyone! Is there any way to change the ACL of an existing private key in the System keychain using MDM? We would like to add the binary or .app to the access list of the key. I tried to send a script via MDM which imported/exported our certificate with the private key with the required ACL. But can we change it without import/export?
I can’t really speak to the MDM side of this but, in general, it’s not possible to change the ACL on a keychain item without user interaction [1]. The issue is that every keychain item starts out with a default ACL and that default ACL has an entry that requires user interaction to change the ACL. The only way to avoid this is to create the item with a non-default ACL, but if you’re sufficiently on the ball to do that then you might as well just create the item with the right ACL up front.
On iOS you can avoid this entire issue by leaning into the ManagedApp framework. Unfortunately that’s not available on macOS )-:
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] To be clear, ACLs are only relevant to file-based keychains, including the System keychain. macOS also supports the data protection keychain, and ACLs are irrelevant there. See TN3137 On Mac keychain APIs and implementations for more background on that.
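As an added illustration of the "create the item with the right ACL up front" approach in the answer above (example code, not from the original thread or from Apple), here is a Swift snippet that imports a PKCS#12 blob into a file-based keychain with a non-default ACL attached at creation time. It builds a SecAccess from a list of trusted application paths via SecTrustedApplicationCreateFromPath and SecAccessCreate, then passes that access object in the SecItemImportExportKeyParameters of SecItemImport, so the private key never exists with the default ACL. The application paths, the keychain path and the .p12 file name are assumptions for the example; substitute your own.

```swift
import Foundation
import Security

/// Wrap a Security framework OSStatus as a throwable error.
func check(_ status: OSStatus) throws {
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

/// Build a SecAccess whose ACL lets the listed applications use the key
/// without a user prompt. Any later *change* to this ACL still requires
/// user interaction, which is why it has to be right at creation time.
func makeAccess(label: String, trustedAppPaths: [String]) throws -> SecAccess {
    var trusted: [SecTrustedApplication] = []
    for path in trustedAppPaths {
        var app: SecTrustedApplication?
        try check(SecTrustedApplicationCreateFromPath(path, &app))
        trusted.append(app!)
    }
    var access: SecAccess?
    try check(SecAccessCreate(label as CFString, trusted as CFArray, &access))
    return access!
}

/// Import a PKCS#12 (certificate + private key) into the keychain at
/// `keychainPath`, attaching `access` to the imported private key.
/// Returns the imported items (SecCertificate / SecKey references).
func importP12(_ p12: Data, passphrase: String,
               into keychainPath: String, access: SecAccess) throws -> [AnyObject] {
    var keychain: SecKeychain?
    try check(SecKeychainOpen(keychainPath, &keychain))

    var format = SecExternalFormat.formatPKCS12
    var itemType = SecExternalItemType.itemTypeAggregate

    var params = SecItemImportExportKeyParameters()
    params.version = UInt32(SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION)
    params.passphrase = Unmanaged.passRetained(passphrase as CFTypeRef)
    params.accessRef = Unmanaged.passRetained(access)   // the non-default ACL
    defer {
        params.passphrase?.release()
        params.accessRef?.release()
    }

    var items: CFArray?
    try check(SecItemImport(p12 as CFData, nil, &format, &itemType,
                            [], &params, keychain, &items))
    return (items as? [AnyObject]) ?? []
}

// Example usage (paths and file name are placeholders for this example).
do {
    let access = try makeAccess(
        label: "Example signing key",
        trustedAppPaths: ["/Applications/ExampleAgent.app",
                          "/usr/local/bin/example-helper"])
    let p12 = try Data(contentsOf: URL(fileURLWithPath: "/tmp/example-identity.p12"))
    let imported = try importP12(p12, passphrase: "example-passphrase",
                                 into: "/Library/Keychains/System.keychain",
                                 access: access)
    print("imported \(imported.count) item(s) with a pre-set ACL")
} catch {
    print("import failed: \(error)")
}
```

Writing to /Library/Keychains/System.keychain requires root, which is why this kind of step is normally run from a privileged MDM script or a system daemon rather than from the app itself. The command-line equivalent for such a script is `security import <file.p12> -k /Library/Keychains/System.keychain -T /Applications/ExampleAgent.app` (repeat `-T` for each trusted application); it sets the same kind of ACL at import time instead of trying to modify it afterwards.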