I am developing a macOS system service (standalone binary running as a LaunchDaemon) that requires the ability to sign data using a private key which will be deployed via MDM.
The Setup:
Deployment: A .mobileconfig pushes a PKCS12 identity to the System Keychain.
Security Requirement: For compliance and security reasons, we cannot set AllowAllAppsAccess to <true/>. The key must remain restricted.
The Goal: I need to use the private key from the identity to be able to sign the data
The Problem:
The Certificate Payload does not support a TrustedApplications or AccessControl array to pre-authorize binary paths.
As a result, when the process tries to use the private key for signing (SecKeyCreateSignature), it prompts the user to allow this operation, which creates a disruption and is not desired.
What I've tried so far:
Manually adding my process to the key's ACL in Keychain Access obviously works and prevents any prompts, but this is not an "automatable" solution.
Using the security tool in a script to attempt to modify the ACL in an automated way, but that also asks the user for a password and is not seamless.
The Question:
Is there a documented, MDM-compatible way to inject a specific binary path into the ACL of a private key?
If not, is there a better way to achieve the end goal?
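The mechanism the post says the Certificate payload lacks (pre-authorizing a binary on the key's ACL) does exist on the command line: `security import` accepts `-T <app>` to add an application to the imported key's ACL at import time, and `-x` to mark the key non-extractable, while `-A` is the command-line equivalent of the AllowAllAppsAccess setting the poster cannot use. The script below is an added example, not code from the original post; it assumes the .p12 is delivered to the Mac as a file (for instance by an MDM-run script rather than a profile payload), that the passphrase is in a root-only file, and that the daemon lives at the path shown. All paths and the passphrase file are assumptions. `SECURITY_BIN` exists so the argument construction can be checked without running the real tool.

```shell
#!/bin/sh
# Added example (not from the original post). Imports a PKCS#12 identity into the
# System keychain with the daemon binary pre-authorized on the private key's ACL,
# using the documented -T option of `security import`. Run as root on the target Mac.
# P12_PATH, P12_PASS_FILE and DAEMON_PATH are assumed values for illustration.

P12_PATH="${P12_PATH:-/Library/Application Support/example/identity.p12}"
P12_PASS_FILE="${P12_PASS_FILE:-/Library/Application Support/example/identity.pass}"
DAEMON_PATH="${DAEMON_PATH:-/Library/PrivilegedHelperTools/com.example.signer}"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
SECURITY_BIN="${SECURITY_BIN:-security}"   # override (e.g. with `echo`) to inspect the command

# import_identity <p12> <keychain> <passphrase> <app>...
#   -k  target keychain
#   -f  input format
#   -P  passphrase protecting the .p12
#   -x  private key is non-extractable
#   -T  application allowed to use the key without a prompt (one -T per app;
#       this is the per-binary ACL entry; -A would allow every app, which the
#       compliance requirement rules out)
import_identity() {
  p12="$1"; keychain="$2"; passphrase="$3"; shift 3
  # Remaining positional parameters are app paths; rebuild "$@" as -T pairs.
  n=$#
  while [ "$n" -gt 0 ]; do
    set -- "$@" -T "$1"
    shift
    n=$((n - 1))
  done
  "$SECURITY_BIN" import "$p12" -k "$keychain" -f pkcs12 -P "$passphrase" -x "$@"
}

# Dump the keychain with ACLs (-a) so the resulting access list can be reviewed:
# the daemon path should appear as a trusted application on the private key.
verify_acl() {
  "$SECURITY_BIN" dump-keychain -a "$1"
}

# Only perform the import when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "--run" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  passphrase="$(cat "$P12_PASS_FILE")"
  import_identity "$P12_PATH" "$SYSTEM_KEYCHAIN" "$passphrase" "$DAEMON_PATH"
  rm -f "$P12_PASS_FILE"   # passphrase is no longer needed once the key is imported
  verify_acl "$SYSTEM_KEYCHAIN"
fi
```

Two caveats for this route: `-P` places the passphrase on the command line, where it is briefly visible in the process list, so the .p12 should carry a one-time passphrase and both files should be removed after import; and `-T` matches the binary by path (and its code signature), so a re-signed or relocated daemon needs re-authorization. Whether delivering the identity as a script-managed file instead of a Certificate payload is acceptable under your MDM and compliance rules is a separate question; the example only shows that the ACL entry itself can be created without an interactive prompt when the import runs as root.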