Managing Trust Settings for Enterprise Root CAs on macOS via MDM

Enterprise security products often need to establish trust for a locally generated root CA in order to implement features such as web filtering, traffic inspection, data loss prevention, or compliance controls.

Our solution generates a unique CA certificate and private key on each managed Mac. The application then issues leaf certificates as needed and signs them with the device-specific CA. Using a unique CA per device helps avoid the security risks associated with deploying a shared CA private key across all managed endpoints.

However, since macOS Big Sur, modifying trust settings for certificates in the System keychain (for example, setting a root CA to Always Trust) requires user interaction and administrator authorization. Even privileged processes cannot silently establish trust for a newly installed root CA. This creates deployment challenges in enterprise environments, particularly when:

  • End users do not have administrator privileges.
  • The CA must be unique per device.
  • The private key must remain accessible to the security application while being protected from other applications.

We have considered several approaches, but each appears to have significant limitations:

  • Shared CA across all devices: introduces risk because compromise of the private key affects the entire fleet.
  • Per-device PKCS#12 deployment with private key accessible: other local processes may be able to use the key.
  • Per-device PKCS#12 deployment with private key protected: application access may require additional user approval, reducing deployment automation.

Questions:

  1. Is there an MDM-supported mechanism for establishing trust for a device-specific root CA without requiring local administrator interaction?
  2. Are there recommended enterprise deployment patterns for applications that need both: a device-specific CA private key, and trusted root status for the corresponding CA certificate?
  3. Are there plans to expand MDM capabilities related to certificate trust management or keychain trust settings for managed Macs?
  4. What is Apple's recommended approach for enterprise security products that need to deploy device-specific trusted CAs while maintaining strong protection of the associated private keys?
Answered by Device Management Engineer in 891424022

You want your solution to generate a CA and protect the private key, and have the Mac trust the CA.

If the device is not managed, trusting the CA requires user interaction and administrator authorization as you point out. This requirement is not likely to change because it is critical for security.

If the device is managed, the MDM server can install and trust the certificate silently. I can imagine a couple different architectures where this would work. I think in practice this may be difficult for your use case because this would require some custom integration between your solution and the MDM server. Does your solution involve managing the devices? Do you have a device management service partner? If so, I can describe some options.

Either way, I suggest filing feedback describing your solution and the problem you're running into.
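To make the engineer's managed-device path concrete, here is an added example (not code from the thread, from Apple, or from the poster's product) of the artifact such a custom integration would hand to the MDM server: a per-device configuration profile carrying the device's CA certificate in a `com.apple.security.root` payload, plus the check a reviewer would run on it before it is pushed. The DER bytes, organisation identifier and device id are constructed placeholders.

```python
"""Build and inspect a per-device root-CA configuration profile.

Added example, not from the forum thread or Apple. The security product
generates a CA on the device, sends the certificate (never the private key)
to the MDM server, and the server pushes it back in this profile. On macOS a
root installed this way through MDM is trusted automatically; the same profile
installed by hand by a user still requires manual trust in Keychain Access.
"""
import plistlib
import uuid

# Constructed placeholder standing in for the device's DER-encoded CA cert.
CONSTRUCTED_CA_DER = b"\x30\x82\x01\x00" + b"\x00" * 16


def build_root_ca_profile(ca_der: bytes, device_id: str, org: str) -> bytes:
    """Return a .mobileconfig (XML plist) that installs ca_der as a root CA."""
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.rootca.{device_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Device CA {device_id}",
        "PayloadCertificateFileName": f"{device_id}-ca.cer",
        "PayloadContent": ca_der,  # serialised as <data> (base64) by plistlib
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.rootca-profile.{device_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} device CA trust",
        "PayloadScope": "System",  # device-level, not tied to a user login
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def root_ca_payloads(profile_bytes: bytes) -> list[bytes]:
    """Return the DER of every root-CA payload in a profile.

    A server-side check: only the expected certificate may appear, and it must
    be the one reported by the device, so that no other root rides along.
    """
    profile = plistlib.loads(profile_bytes)
    return [p["PayloadContent"] for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.root"]
```

Each device gets its own profile because the certificate differs per device; the private key never leaves the device, which is what keeps the per-device design an improvement over a fleet-wide CA.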

The current MDM/payload behavior prevents administrators from executing fully remote installations of security and DLP solutions. Admins must manually enable trust settings on each host. This task cannot be delegated to end-users, as they typically lack local administrator privileges.