I believe it is not possible to use SMAppService.agent from a process that is not running in the console. That is why you can get it to work when you launch it, but not when installing from an MDM.
https://forums.developer.apple.com/forums/thread/737038
It looks like you are trying to import data in PKCS12 format. There is an API for doing that SecPKCS12Import. Are you considering if the private key blob needs a password?
Have you looked at SecPKCS12Import? I use this for my mutual auth and it works fine. Much less code too.
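The SecPKCS12Import route the two posts above recommend, as an added example that is not the posters' own code: import a passphrase-protected .p12 (certificate plus private key), pull the SecIdentity out of the result, and answer the URLSession client-certificate challenge with it for mutual TLS. The .p12 bytes and passphrase are assumed to come from the caller.

```swift
import Foundation
import Security

/// Imports a PKCS #12 blob (certificate + private key) and returns the identity.
/// A .p12 exported from Keychain Access or openssl is normally passphrase-protected;
/// pass an empty string if it was exported without one.
func importIdentity(p12 data: Data, passphrase: String) -> Result<SecIdentity, NSError> {
    let options: [CFString: Any] = [kSecImportExportPassphrase: passphrase]
    var rawItems: CFArray?
    let status = SecPKCS12Import(data as CFData, options as CFDictionary, &rawItems)
    guard status == errSecSuccess else {
        // errSecAuthFailed (-25293) is the status returned for a wrong passphrase.
        return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
    }
    guard let items = rawItems as? [[CFString: Any]],
          let first = items.first,
          let identity = first[kSecImportItemIdentity] else {
        return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(errSecItemNotFound)))
    }
    // kSecImportItemIdentity is documented to hold a SecIdentity.
    return .success(identity as! SecIdentity)
}

/// URLSession delegate that presents the imported identity when the server asks
/// for a client certificate; every other challenge type keeps default handling.
final class MutualTLSDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity
    init(identity: SecIdentity) { self.identity = identity }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            // Server trust evaluation stays with the system's default handling.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}
```

Create the session with `URLSession(configuration: .default, delegate: MutualTLSDelegate(identity: identity), delegateQueue: nil)` after a successful import.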
I think your trouble is due to sandboxing the launch daemon. I have a launch daemon that is not sandboxed, and it can use the System keychain, but has to run as root. Not ideal but the keychain stuff works fine for creating keypairs, using them for encrypt/decrypt and for adding an internet password.
I wish Apple had better support for launch daemon access to their own private keychain. They should support a launchd plist key pointing to a keychain, and an entitlement to get unlocked access to it. The system should enforce that only the launch daemon can read the keychain file/db based on developer-provided code signing requirements for the keychain.
I have modified QAuthPlugins to verify the issue with SecStaticCodeCheckValidityWithErrors.
I have filed a bug report FB14783775 "SecurityAgentPlugin can't verify NSXPCConnection using setCodeSigningRequirement."
It turns out that a security agent plugin can't even verify a signature using SecStaticCodeCheckValidityWithErrors.
It appears that the trust evaluation fails. I assume that my security agent plugin is failing to trust the code signing cert chain used to sign my launch daemon.
More log details:
com.apple.securityd debug 09:13:29.674468-0500 SecurityAgentHelper-arm64 staticCode SecStaticCode network default: NO
com.apple.securityd debug 09:13:29.674577-0500 SecurityAgentHelper-arm64 staticCode SecStaticCode network blocked: YES
com.apple.securityd debug 09:13:29.674621-0500 SecurityAgentHelper-arm64 staticCode SecStaticCode network blocked: YES
com.apple.securityd debug 09:13:29.674952-0500 SecurityAgentHelper-arm64 staticCode SecStaticCode network blocked: YES
com.apple.securityd debug 09:13:29.675103-0500 SecurityAgentHelper-arm64 xpc no query dict to determine whether for system keychain: Error Domain=NSOSStatusErrorDomain Code=-50 "no object for key query" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=no object for key query}
com.apple.securityd default 09:13:29.675178-0500 SecurityAgentHelper-arm64 SecCritical Failed to talk to trustd after 4 attempts.
com.apple.securityd debug 09:13:29.675329-0500 SecurityAgentHelper-arm64 xpc no query dict to determine whether for system keychain: Error Domain=NSOSStatusErrorDomain Code=-50 "no object for key query" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=no object for key query}
com.apple.securityd default 09:13:29.675394-0500 SecurityAgentHelper-arm64 SecCritical Failed to talk to trustd after 4 attempts.
com.apple.securityd default 09:13:29.675448-0500 SecurityAgentHelper-arm64 SecError Trust evaluate failure:
com.apple.securityd debug 09:13:29.675542-0500 SecurityAgentHelper-arm64 xpc no query dict to determine whether for system keychain: Error Domain=NSOSStatusErrorDomain Code=-50 "no object for key query" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=no object for key query}
com.apple.securityd default 09:13:29.675599-0500 SecurityAgentHelper-arm64 SecCritical Failed to talk to trustd after 4 attempts.
com.apple.securityd default 09:13:29.675859-0500 SecurityAgentHelper-arm64 security_exception MacOS error: -2147409622
com.apple.securityd debug 09:13:29.676340-0500 SecurityAgentHelper-arm64 security_exception 0 Security 0x000000019ccd6108 Security::CommonError::LogBacktrace() + 124
com.apple.securityd debug 09:13:29.676376-0500 SecurityAgentHelper-arm64 security_exception 1 Security 0x000000019ccd66bc Security::MacOSError::MacOSError(int) + 340
com.apple.securityd debug 09:13:29.676403-0500 SecurityAgentHelper-arm64 security_exception 2 Security 0x000000019ccd672c Security::MacOSError::throwMe(int) + 40
com.apple.securityd debug 09:13:29.676430-0500 SecurityAgentHelper-arm64 security_exception 3 Security 0x000000019cbba528 Security::CodeSigning::SecStaticCode::validateDirectory() + 3368
com.apple.securityd debug 09:13:29.676457-0500 SecurityAgentHelper-arm64 security_exception 4 Security 0x000000019cbbd8b4 Security::CodeSigning::SecStaticCode::validateNonResourceComponents() + 24
com.apple.securityd debug 09:13:29.676484-0500 SecurityAgentHelper-arm64 security_exception 5 Security 0x000000019cba7124 Security::CodeSigning::SecCode::checkValidity(unsigned int) + 368
com.apple.securityd debug 09:13:29.676508-0500 SecurityAgentHelper-arm64 security_exception 6 Security 0x000000019cbb0f18 SecCodeCheckValidityWithErrors + 88
com.apple.FileProvider debug 09:13:29.676702-0500 fileproviderd com.microsoft.OneDrive.FileProvider/O{21}s.com [DEBUG] ┣eda9 dispatching to <private>
com.apple.securityd debug 09:13:29.676532-0500 SecurityAgentHelper-arm64 security_exception 7 support 0x0000000110242770 xpc_support_check_token + 416
com.apple.FileProvider debug 09:13:29.676764-0500 fileproviderd com.microsoft.OneDrive.FileProvider/O{21}s.com [DEBUG] ┳eda9 continuing on <private>
com.apple.securityd debug 09:13:29.676558-0500 SecurityAgentHelper-arm64 security_exception 8 libxpc.dylib 0x00000001999632e0 _xpc_connection_check_peer_requirement + 428
com.apple.FileProvider debug 09:13:29.676820-0500 fileproviderd com.microsoft.OneDrive.FileProvider/O{21}s.com [DEBUG] ┗eda9
com.apple.securityd debug 09:13:29.676582-0500 SecurityAgentHelper-arm64 security_exception 9 libxpc.dylib 0x000000019994e420 _xpc_connection_handle_async_reply + 276
com.apple.FileProvider debug 09:13:29.676843-0500 fileproviderd com.microsoft.OneDrive.FileProvider/O{21}s.com Going full rescan for pending items after 57199.359297
com.apple.securityd debug 09:13:29.676605-0500 SecurityAgentHelper-arm64 security_exception 10 libdispatch.dylib 0x0000000199a8e468 _dispatch_client_callout3 + 20
com.apple.securityd debug 09:13:29.676630-0500 SecurityAgentHelper-arm64 security_exception 11 libdispatch.dylib 0x0000000199aabfc8 _dispatch_mach_msg_async_reply_invoke + 344
com.apple.securityd debug 09:13:29.676654-0500 SecurityAgentHelper-arm64 security_exception 12 libdispatch.dylib 0x0000000199a95898 _dispatch_lane_serial_drain + 368
com.apple.securityd debug 09:13:29.676723-0500 SecurityAgentHelper-arm64 security_exception 13 libdispatch.dylib 0x0000000199a96578 _dispatch_lane_invoke + 432
com.apple.securityd debug 09:13:29.676769-0500 SecurityAgentHelper-arm64 security_exception 14 libdispatch.dylib 0x0000000199aa12d0 _dispatch_root_queue_drain_deferred_wlh + 288
com.apple.securityd debug 09:13:29.676893-0500 SecurityAgentHelper-arm64 security_exception 15 libdispatch.dylib 0x0000000199aa0b44 _dispatch_workloop_worker_thread + 404
com.apple.securityd debug 09:13:29.677000-0500 SecurityAgentHelper-arm64 security_exception 16 libsystem_pthread.dylib 0x0000000199c3b00c _pthread_wqthread + 288
com.apple.securityd debug 09:13:29.677098-0500 SecurityAgentHelper-arm64 security_exception 17 libsystem_pthread.dylib 0x0000000199c39d28 start_wqthread + 8
error 09:13:29.677278-0500 SecurityAgentHelper-arm64 <Missing Description> xpc_support_check_token: <private> error: <private> status: -2147409622
com.apple.SecurityAgentHelper.arm64 default 09:13:29.677567-0500 SecurityAgentHelper-arm64 EOGSecurityServiceClient biometricAuthorization remote proxy error: Error Domain=NSCocoaErrorDomain Code=4102 "The code signature requirement failed." UserInfo={NSDebugDescription=The code signature requirement failed.}
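The check described in the post above, as an added example that is not the poster's QAuthPlugins modification: build a designated requirement and run SecStaticCodeCheckValidityWithErrors against a binary on disk, surfacing the CFError so a requirement mismatch can be told apart from a broken signature or a trust-evaluation failure like the one logged. The daemon path, bundle identifier and team ID are placeholders.

```swift
import Foundation
import Security

/// Outcome of checking a signed binary against a requirement string.
enum CodeSignCheck {
    case valid
    case failed(status: OSStatus, detail: String)
}

/// Checks that the code at `path` is validly signed and satisfies `requirementText`.
/// Unlike SecStaticCodeCheckValidity, the ...WithErrors variant hands back a CFError
/// whose description says which part failed, so the caller can distinguish a
/// requirement mismatch from a broken signature or a failed trust evaluation.
func verifyStaticCode(atPath path: String, requirementText: String) -> CodeSignCheck {
    var staticCode: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(URL(fileURLWithPath: path) as CFURL,
                                             SecCSFlags(), &staticCode)
    guard status == errSecSuccess, let code = staticCode else {
        return .failed(status: status, detail: "SecStaticCodeCreateWithPath failed")
    }

    var requirement: SecRequirement?
    status = SecRequirementCreateWithString(requirementText as CFString,
                                            SecCSFlags(), &requirement)
    guard status == errSecSuccess, let req = requirement else {
        return .failed(status: status, detail: "requirement text did not parse")
    }

    var cfError: Unmanaged<CFError>?
    status = SecStaticCodeCheckValidityWithErrors(code, SecCSFlags(), req, &cfError)
    if status == errSecSuccess {
        return .valid
    }
    let detail = cfError.map { CFErrorCopyDescription($0.takeRetainedValue()) as String }
        ?? "no CFError returned"
    return .failed(status: status, detail: detail)
}

// Placeholder values: pin the daemon to its bundle identifier and signing team,
// anchored to Apple's Developer ID / distribution certificate chain.
let daemonPath = "/Library/PrivilegedHelperTools/com.example.launchdaemon"
let requirement = "anchor apple generic and identifier \"com.example.launchdaemon\" "
    + "and certificate leaf[subject.OU] = \"TEAMID0000\""

switch verifyStaticCode(atPath: daemonPath, requirementText: requirement) {
case .valid:
    print("\(daemonPath) satisfies the requirement")
case .failed(let status, let detail):
    // status is an OSStatus such as errSecCSReqFailed; detail is the CFError text.
    print("check failed: OSStatus \(status): \(detail)")
}
```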
It looks like this is a case where I want to restart the login process. I am now calling RequestInterrupt instead of setting the result. Everything works correctly now.
I have another issue though. When the user clicks cancel, my view stays on the screen and the initial login view is presented over it. How do I fix this? My plugin sets the result to .userCanceled but I never get a deactivate or destroy call.
It was indeed a case of my plugin view not getting released.
LoginUIAuthPlugin does not show this issue. I think that my view has a reference keeping it retained. Trying to track this down now.