Authorizing a process to access a Private Key pushed via MDM

I am developing a macOS system service (standalone binary running as a LaunchDaemon) that requires the ability to sign data using a private key which will be deployed via MDM.

The Setup:

Deployment: A .mobileconfig pushes a PKCS12 identity to the System Keychain.

Security Requirement: For compliance and security reasons, we cannot set AllowAllAppsAccess to <true/>. The key must remain restricted.

The Goal: I need to use the private key from the identity to be able to sign the data.

The Problem:

The Certificate Payload does not support a TrustedApplications or AccessControl array to pre-authorize binary paths.

As a result, when the process tries to use the private key for signing (SecKeyCreateSignature), it prompts the user to allow this operation which creates a disruption and is not desired.

What I've tried so far:

Manually adding my process to the key's ACL in Keychain Access obviously works and prevents any prompts, but this is not an "automatable" solution.

Using the security tool in a script to attempt to modify the ACL in an automated way, but that also asks the user for a password and is not seamless.

The Question:

Is there a documented, MDM-compatible way to inject a specific binary path into the ACL of a private key?

If not, is there a better way to achieve the end goal?
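The signing path described above (locate the MDM-pushed identity in the System keychain, extract its private key, call SecKeyCreateSignature), written out as an added Swift example that is not part of the original post and not Apple sample code. It assumes the identity carries the placeholder label "Example MDM Signing Identity" and that the daemon runs as root, so the System keychain is in its default search list. Because a LaunchDaemon has no UI session in which to answer the ACL dialog, the example calls SecKeychainSetUserInteractionAllowed(false) (deprecated but still present in the Security framework) so that a key whose ACL does not cover this binary fails closed with errSecInteractionNotAllowed, which the daemon can log and report instead of hanging on a prompt.

```swift
import Foundation
import Security

// Added example, not from the original post. The label is a placeholder;
// substitute the label the Certificate payload actually assigns.
let identityLabel = "Example MDM Signing Identity"

enum SigningError: Error {
    case osStatus(OSStatus)         // a Security framework status code
    case aclDenied                  // ACL does not list this binary; no prompt was shown
    case keyError(CFError?)         // any other SecKeyCreateSignature failure
}

/// Look up the identity by label. Running as root, the daemon's default
/// search list includes /Library/Keychains/System.keychain, where the
/// .mobileconfig deposits the PKCS12 identity.
func findIdentity(label: String) throws -> SecIdentity {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrLabel as String: label,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        throw SigningError.osStatus(status)
    }
    return found as! SecIdentity
}

/// Sign `data` with the identity's private key. With user interaction
/// disabled, an ACL that does not cover this process surfaces as
/// errSecInteractionNotAllowed rather than as a dialog.
func sign(_ data: Data, with identity: SecIdentity) throws -> Data {
    var privateKey: SecKey?
    let status = SecIdentityCopyPrivateKey(identity, &privateKey)
    guard status == errSecSuccess, let key = privateKey else {
        throw SigningError.osStatus(status)
    }

    // RSA PKCS#1 v1.5 over SHA-256 is assumed here; pick the algorithm that
    // matches the pushed key type (e.g. .ecdsaSignatureMessageX962SHA256 for EC).
    let algorithm: SecKeyAlgorithm = .rsaSignatureMessagePKCS1v15SHA256
    guard SecKeyIsAlgorithmSupported(key, .sign, algorithm) else {
        throw SigningError.osStatus(errSecParam)
    }

    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, algorithm, data as CFData, &error) else {
        let cfError = error?.takeRetainedValue()
        if let cfError = cfError, CFErrorGetCode(cfError) == Int(errSecInteractionNotAllowed) {
            throw SigningError.aclDenied
        }
        throw SigningError.keyError(cfError)
    }
    return signature as Data
}

// Fail closed: never let a headless daemon block on a keychain dialog.
// (Deprecated API, but it is the documented switch for this behaviour.)
SecKeychainSetUserInteractionAllowed(false)

let payload = Data("constructed sample payload".utf8)  // constructed input
do {
    let identity = try findIdentity(label: identityLabel)
    let signature = try sign(payload, with: identity)
    print("signature: \(signature.base64EncodedString())")
} catch SigningError.aclDenied {
    // This is the case the question is about: the key's ACL does not include
    // this binary, so signing was refused without prompting anyone.
    print("signing refused: key ACL does not authorize this process")
} catch {
    print("signing failed: \(error)")
}
```

Run as root (as the LaunchDaemon would) to exercise the System keychain search; the aclDenied branch is the observable signature of the unsolved problem, and is the condition to monitor for once the identity has been pushed.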
Answered by DTS Engineer in 879800022
Is there a documented, MDM-compatible way to inject a specific binary path into the ACL of a private key?

No.

Our direction in this space is the ManagedApp framework. It’s super cool. For a short intro, watch WWDC 2025 Session 203 Get to know the ManagedApp Framework.

However, it won’t work for you because it’s not available on the Mac. Also note that its focus is on apps and app extensions, so it’s not clear how it would work for a launchd daemon.

If you’d like to see ManagedApp support your use case, I recommend that you file an enhancement request describing your requirements. And if you do that, please post your bug number, just for the record.


Beyond that, the only option that I’m aware of for provisioning a daemon is via the super obscure <libmanagedconfigurationfiles.h> mechanism [1]. However, that’s really meant for configuration settings rather than credentials. You could obviously jam a credential into it, but that has significant drawbacks.

Anyway, for more details on this feature see WWDC 2023 Session 10041 Explore advances in declarative device management, starting around 19:20.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] So obscure that I had to ‘vgrep’ /usr/include to remember what it’s called.
