I'm writing an application which is using a custom right to require that a user authenticate as an admin to access a specific part of my app, and I'm struggling with cases where smart card usage is enforced.
The simplest way is to use a custom right, but the dialog presented to the user gives no feedback that a smart card is required should they try to authenticate with a password when the token isn't connected (e.g. a YubiKey isn't plugged in to the USB bus).
Instead, in this case, the authentication dialog simply wobbles as though they hadn't entered the correct password.
It looks like the same is true of default macOS dialogs too such as unlocking a preference pane.
I've looked around the API docs to see if there's any other way I can do this, but I can't seem to find any API method that explicitly states I want the user to authenticate with a PIV token.
Do I need to use CryptoTokenKit to send raw APDU commands to a connected token to achieve this?
I was hoping I could use LAContext from LocalAuthentication to do this as it supports watch/fingerprint auth, but again I couldn't see any obvious sign of support for smartcards.
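As an added example (not code from the original post), the approach below uses the public Authorization Services and CryptoTokenKit APIs that already exist: it defines the custom right with the standard "authenticate-admin" rule if it is missing, and, before calling AuthorizationCopyRights, checks TKTokenWatcher for a present token so the app can tell the user to insert the card instead of letting the system dialog shake. The right name "com.example.myapp.admin-action" and the requireToken flag are hypothetical. Whether the rule then demands a smart card at all is decided by system policy (for instance an enforceSmartCard profile), not by this code.

```swift
import Foundation
import Security
import CryptoTokenKit

// Hypothetical right name; the post does not name its custom right.
let adminRightName = "com.example.myapp.admin-action"

/// Returns true if CryptoTokenKit currently sees at least one token
/// (a PIV smart card, a YubiKey in PIV mode, ...). An empty list is the
/// "token not plugged in" case in which the authorization dialog only shakes,
/// so the app can tell the user to insert it before prompting.
func smartCardTokenPresent() -> Bool {
    return !TKTokenWatcher().tokenIDs.isEmpty
}

/// Ensures the custom right exists in the authorization database, installing
/// the standard "authenticate-admin" rule if it does not. This needs to run
/// once with an authorization that may itself prompt for admin credentials.
func ensureAdminRightDefined(using auth: AuthorizationRef) -> Bool {
    if AuthorizationRightGet(adminRightName, nil) == errAuthorizationSuccess {
        return true
    }
    let status = AuthorizationRightSet(
        auth,
        adminRightName,
        kAuthorizationRuleAuthenticateAsAdmin as CFString,
        "Authenticate to change administrative settings." as CFString,
        nil, nil)
    return status == errAuthorizationSuccess
}

enum AdminAuthResult {
    case granted
    case tokenMissing     // refused before prompting: no smart card present
    case denied(OSStatus) // the user cancelled or authentication failed
}

/// Asks the system to grant the custom right, prompting the user if needed.
/// `requireToken` (hypothetical) mirrors a deployment where smart card use is
/// enforced, so a missing token is reported instead of handed to the dialog.
func requestAdminRight(requireToken: Bool) -> AdminAuthResult {
    if requireToken && !smartCardTokenPresent() {
        return .tokenMissing
    }

    var authRef: AuthorizationRef?
    guard AuthorizationCreate(nil, nil, [], &authRef) == errAuthorizationSuccess,
          let auth = authRef else {
        return .denied(errAuthorizationInternal)
    }
    defer { AuthorizationFree(auth, []) }

    guard ensureAdminRightDefined(using: auth) else {
        return .denied(errAuthorizationInternal)
    }

    // .interactionAllowed lets Security show its dialog; .extendRights lets it
    // add the right to this authorization reference once the user succeeds.
    let status: OSStatus = adminRightName.withCString { namePtr -> OSStatus in
        var item = AuthorizationItem(name: namePtr, valueLength: 0, value: nil, flags: 0)
        return withUnsafeMutablePointer(to: &item) { itemPtr -> OSStatus in
            var rights = AuthorizationRights(count: 1, items: itemPtr)
            let flags: AuthorizationFlags = [.interactionAllowed, .extendRights]
            return AuthorizationCopyRights(auth, &rights, nil, flags, nil)
        }
    }
    return status == errAuthorizationSuccess ? .granted : .denied(status)
}

// Example use: explain the missing-token case instead of letting the dialog shake.
switch requestAdminRight(requireToken: true) {
case .granted:
    print("Admin right granted; proceed with the protected action.")
case .tokenMissing:
    print("Insert your smart card / PIV token and try again.")
case .denied(let status):
    print("Authorization failed with status \(status).")
}
```

The token check is a pre-flight heuristic, not a guarantee: TKTokenWatcher reports any token CryptoTokenKit knows about, so a present but unpaired card will still pass the check and then fail in the dialog. Because the dialog is drawn by the security agent, the app cannot change the feedback it gives; the only lever the app has is to refuse to prompt until the token is present.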
I'm posting this here hoping somebody may have some ideas for solutions, or if they can point me to any useful resources. We want to be able to customise macOS installations created from the Virtualization framework for the purposes of driving automated testing of our software. In an ideal world these Virtual Machines become very much transitory, where they can be removed once they are finished with.
My company writes security software for enterprise customers leveraging the Endpoint Security framework, and one of the ways in which we ease the pressure on our QA team during regression testing is to use a lot of automation.
Given that the nature of automation testing is that you test systems against known configuration states, we have always made heavy use of Virtualized environments to ensure our test results are reliable.
As macOS has progressed over time, it has become ever more difficult to reduce the amount of manual setup required to ensure the virtualized macOS installation is in a ready state to begin testing.
For example, we currently have to join virtualized Macs to an MDM server simply to be able to install configuration profiles that pre-authorize system extensions, or to send PPPC payloads to ensure our automation framework can work without the user having to manually approve PPPC requests for Accessibility access.
We also then have to manually install the test harness in the virtualized Mac, as there is no way for us to mount the disk image after OS installation (you can almost do this, but you cannot unlock the APFS volume without knowing the passphrase for that disk, which I presume the Virtualization framework has safely stored somewhere in a keychain on the host system).
We would like some solution for placing configuration profiles into a virtualized Mac (we would be happy for this to be available on the Apple Silicon platform only, ignoring Intel) without having to involve an MDM, or, as a next best thing, some way of instantiating the enrollment with an MDM from the host side rather than the guest side, so that it behaves more similarly to DEP auto-enrollment.
As things stand right now, there is no possibility of us using what would be our preferred solution, an IaC-style definition declaring the software test suite and the OS version to be created to run the tests, because we always have to instantiate test hosts manually by joining them to an MDM to deploy configuration profiles and to install the test runner.