Requesting com.apple.managed-keychain Entitlement for Enterprise S/MIME Cert Visibility
Platform: iOS | Distribution: MDM (Microsoft Intune) | Not App Store
We are developing an internal enterprise iOS app (EMS Assist, com.company.supportcompanion) for Company deployed exclusively to Intune-managed devices.
Our requirement: Read S/MIME certificates pushed to the device via Intune SCEP profiles to:
- Confirm cert presence in the MDM-managed keychain
- Read expiry date (kSecAttrNotValidAfter) to warn users before expiry
- Distinguish between missing, expired, and valid cert states
What we have tried:
- Standard SecItemCopyMatching query — returns only app-installed certs, not MDM-pushed certs
- Graph API (deviceConfigurationStates) — confirms profile compliance but does not expose actual cert expiry or keychain presence
Our understanding: com.apple.managed-keychain is required for an app to access MDM-managed keychain items on supervised devices, combined with a matching keychain-access-groups entitlement and the cert profile configured as "always available" in MDM.
Questions:
- Is com.apple.managed-keychain the correct entitlement for this use case?
- Does it apply to SCEP/PKCS-issued certificates specifically, or only other MDM keychain items?
- Has anyone successfully accessed Intune-pushed S/MIME certs from an iOS app using this entitlement?
Any guidance from the community or Apple engineers would be appreciated.
Is com.apple.managed-keychain the correct entitlement for this use case?
I don’t think so. I’ve never even heard of that before, and there’s certainly no documented way to apply for it.
the cert profile configured as "always available" in MDM.
Again, that’s not something I’m aware of.
It’s possible that you’re talking about the AllowAllAppsAccess property, as documented here. If so, that’s a Mac-only thing.
In general, iOS apps cannot access credentials installed via MDM configuration profiles [1].
Historically, folks with this general requirement didn’t have a good path forward. These days we have an excellent new option, the ManagedApp framework. It’s super cool. For a short intro, watch WWDC 2025 Session 203 Get to know the ManagedApp Framework.
However, I don’t think it’ll help you, because your app is specifically concerned with the state of credentials that were installed for the benefit of Mail. Given that, I suspect you might have more luck achieving your goals on the MDM side rather than trying to do this in an app on the client.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] I’m specifically referring to the com.apple.security.pkcs12 payload and the com.apple.security.pkcs1 payload. Those credentials go into an Apple-only keychain access group.
OTOH, if you install a root certificate using the com.apple.security.root payload that gets placed in the trust store. Apps don’t have direct access to those, but they affect trust evaluation and thus an app can access them indirectly.
Apps can also access other credentials, like SSO credentials, implicitly.
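For readers who want to see what the SecItemCopyMatching approach from the question actually buys you, here is an added example (my own code, not from the original poster or from Apple) of the missing / invalid / expiring / valid check. It uses only public Security framework keys: kSecMatchEmailAddressIfPresent to select certificates for a mail address and kSecMatchValidOnDate to test validity at a given instant, which avoids needing a per-item notAfter attribute. The function names (appVisibleCertificates, smimeCertState, KeychainQueryError), the 30-day warning window and the example address are my assumptions. The important caveat is the one the answer makes: this only ever sees certificates in the app's own keychain access groups, so a certificate delivered by an MDM pkcs12/pkcs1 payload will report as missing here even though it is on the device.

```swift
import Foundation
import Security

// Added example, not code from the original thread. Queries only the
// certificates this app can see (its own keychain access groups). Certificates
// installed by the com.apple.security.pkcs12 / com.apple.security.pkcs1 MDM
// payloads live in an Apple-only access group and are NOT returned here, so
// `.missing` means "not visible to this app", not "not on the device".

struct KeychainQueryError: Error {
    let status: OSStatus
    var localizedDescription: String {
        (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
    }
}

enum SMIMECertState {
    case missing        // no app-visible certificate for this address
    case invalidOnDate  // present, but expired or not yet valid right now
    case expiringSoon   // valid now, but not valid `warningWindow` from now
    case valid
}

/// Certificates in the app's access groups whose subject or SAN carries `email`.
/// kSecMatchEmailAddressIfPresent also returns certificates with no e-mail
/// address at all, so filter further (e.g. kSecMatchIssuers) if that matters.
/// When `date` is given, kSecMatchValidOnDate keeps only certificates whose
/// notBefore..notAfter window contains that date.
func appVisibleCertificates(matching email: String, validOn date: Date? = nil) throws -> [SecCertificate] {
    var query: [CFString: Any] = [
        kSecClass: kSecClassCertificate,
        kSecMatchEmailAddressIfPresent: email,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnRef: true,
    ]
    if let date = date {
        query[kSecMatchValidOnDate] = date   // Date bridges to CFDate via the CFDictionary cast
    }

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        return (result as? [SecCertificate]) ?? []
    case errSecItemNotFound:
        return []
    default:
        // e.g. errSecInteractionNotAllowed while the device is locked: a query
        // failure, which must not be reported to the user as "no certificate".
        throw KeychainQueryError(status: status)
    }
}

/// Classifies the app-visible S/MIME certificate(s) for `email`.
/// Three queries: any at all, valid now, valid at now + warningWindow.
func smimeCertState(for email: String,
                    now: Date = Date(),
                    warningWindow: TimeInterval = 30 * 24 * 60 * 60) throws -> SMIMECertState {
    let any = try appVisibleCertificates(matching: email)
    if any.isEmpty { return .missing }

    let validNow = try appVisibleCertificates(matching: email, validOn: now)
    if validNow.isEmpty { return .invalidOnDate }

    // A certificate that is valid now but not valid warningWindow from now
    // must expire inside that window.
    let validLater = try appVisibleCertificates(matching: email, validOn: now.addingTimeInterval(warningWindow))
    return validLater.isEmpty ? .expiringSoon : .valid
}

/// Human-readable label for a warning dialog.
func subjectSummary(of cert: SecCertificate) -> String {
    (SecCertificateCopySubjectSummary(cert) as String?) ?? "<no subject>"
}

// Usage (hypothetical address; only meaningful for certificates the app
// itself added with SecItemAdd or that share one of its access groups):
//
// do {
//     let state = try smimeCertState(for: "alice@company.example")
//     // .missing / .invalidOnDate / .expiringSoon / .valid
// } catch let e as KeychainQueryError {
//     // keychain unavailable or query rejected; retry later, do not alarm the user
//     print(e.localizedDescription)
// }
```

If the app is entitled to several keychain-access-groups, add kSecAttrAccessGroup to the query to pin the check to one of them; nothing in this query can reach the MDM payload group, which is exactly the limitation the answer describes.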