Hi everyone,
I'm currently developing a custom authorization plugin for macOS and have encountered an issue that I need help with. I've modified the auth DB to use my custom plugin instead of the default login window. Although I'm able to set both the name and password as context values, the login process is failing, and I'm seeing the following error in the security agent log:
```
<string>builtin:prelogin</string>
<string>builtin:policy-banner</string>
<string>MyPlugin:login</string>
<string>MyPlugin:value</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>loginwindow:FDESupport,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>PSSOAuthPlugin:login-auth</string>
<string>loginwindow:done</string>
```
I am setting the name and password in MyPlugin:login and am also able to see the same in the MyPlugin:value mechanism.
```
2024-07-25 06:53:30.813047-0700 0x2e3b Info 0x0 822 0 SecurityAgentHelper-x86_64: (MyPlugin) *****The name and password is test and test1234****
```
But
```
2024-07-25 02:33:00.777530-0700 0x8772 Debug 0x0 1527 0 SecurityAgent: (MCXMechanism) [com.apple.ManagedClient:MCXSecurityPlugin] MCXSecurityAgent.invoke kAuthorizationEnvironmentName is NULL
2024-07-25 02:33:00.777530-0700 0x8772 Debug 0x0 1527 0 SecurityAgent: (MCXMechanism) [com.apple.ManagedClient:MCXSecurityPlugin] MCXSecurityAgent.invoke - user logging in is '(null)'
```
Has anyone encountered this issue before, or does anyone have any insights into what might be causing the `kAuthorizationEnvironmentName is NULL` error and why the user logging in is shown as '(null)'? Any guidance or suggestions on how to resolve this would be greatly appreciated.
Hello everyone,
I'm currently in the process of implementing platform SSO (Single Sign-On) in macOS and could use some guidance. I find myself a bit confused during the device registration phase, particularly because my Identity Provider (IdP) needs to support it. I'm wondering if Platform SSO will handle this automatically or if there are specific steps I need to take.
Additionally, I'm unsure whether I need to share the device signing and encryption key in my identity. Could someone please clarify this for me?
Finally, I would greatly appreciate it if someone could provide me with some sample code or starting pointers to help me get started on the right track. In addition, apart from the OpenID and SAML protocols, what else does the IdP need to change to support Platform SSO?
Thank you in advance for your assistance!
Dear Apple Support Team,
I hope this message finds you well. We are currently experiencing an issue with product signing on our build machine, specifically when utilising the productsign command. I would like to provide some context and seek your guidance on potential solutions.
We have developed a Mac product.
We employ the following productsign command to sign our package:
```
productsign --sign "Developer ID Installer: MyCompany, LLC (12345678)" My.pkg Mysigned.pkg
```
This process functions seamlessly on our local machines.
However, when attempting the same operation on our build machine, we consistently encounter the following error:
```
2023-09-29 04:39:54.925 productsign[98404:549470] SignData failed: Error Domain=NSOSStatusErrorDomain Code=-25308 "CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION}
Error signing data.
productsign: error: Failed to sign the product.
```
It has come to our attention that the build machine utilizes SSH for code signing, which appears to be a contributing factor to this issue.
We have researched this matter and found several threads suggesting that unlocking the keychain before signing the product may resolve the problem. However, we are eager to explore alternative solutions and any updates or recommendations you may have.
Could you kindly advise if there are additional steps or configurations we should consider to address this issue? We would greatly appreciate any guidance you can provide on this matter.
Warm regards,
skappdevloper
I have created a custom username/password lock screen using SFAuthorizationPluginView. When I lock the screen, the view appears. The cursor starts blinking in the TextField. However, it is always automatically dismissed in 20 seconds if idle. I could see the Mechanism dealloc gets called and dismisses the view. Based on my investigation, I think the system kills the view in 20 seconds, and there is no way to increase that and keep the custom screen for more time. Any help will be appreciated.
We have 2 processes in our macOS application:
Daemon process written in golang
Swift application
Currently, the communication between the two processes is done with a Unix domain socket. However, we are seeing a significant amount of delay when a large amount of data is communicated. We are looking for some faster communication. Probably XPC is the answer. But we are not sure how to use XPC between two processes which are written in different languages. Any sample code would be a great help.
I am migrating my Mac project to the latest Xcode. The project contains many custom keychain operations, e.g. SecKeychainCreate, Lock, Unlock, etc. However, the latest Xcode shows that these APIs are deprecated. What is the alternative to these APIs? I am not getting a proper answer in the Apple forum.
During MDM profile download, the download fails with the error "Profile could not be decrypted". There is no change in profile creation on the MDM server. Could you please share some pointers on this?
```
Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
Desc : Profile could not be decrypted
Sugg : Decryption key for this profile is not installed.
US Desc: Profile could not be decrypted
US Sugg: Decryption key for this profile is not installed.
Domain : MCProfileErrorDomain
Code : 1006
Type : MCFatalError
...Underlying error:
NSError:
Desc : The operation couldn’t be completed. (OSStatus error -26275.)
Domain : NSOSStatusErrorDomain
Code : -26275
```
I have recently started working on a macOS app, coming from an iOS background. In iOS, when we delete the app, all app-related items also get removed/cleared, e.g. UserDefaults.
But it looks like the same is not happening in the case of a macOS app. The UserDefaults data is still there even after deleting the app, because if I install the app again after removing it, I still see the old values saved in UserDefaults.
I wanted to notarise a Mac dmg. To support notarisation, an app-specific password is needed, as per https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow/notarizing_apps_when_developing_with_xcode_12_and_earlier?language=objc
But I am unable to create an app-specific password using https://support.apple.com/en-us/HT204397. The Edit option is not there in the security options. And my Apple ID is a managed Apple ID. So is it not possible to notarise a Mac app if the Apple ID is managed?
Hello Team,
I would like to get some feedback on the scenario below.
We are keeping a certificate in the macOS keychain to achieve certificate-based authentication with Safari. We have our own logic to fetch and put the certs into the keychain.
When we open the Safari browser, it asks for keychain access by prompting for a username/password. We successfully provided the keychain username and password.
The requested site opens without prompting for username and password.
This works for a couple of days; after some time, even though the right certificate is there in the keychain, it prompts for username and password. This is where things started breaking. It should automatically log in without prompting, as we have the correct certs in the keychain.
For further isolation we tried the same in other browsers and didn't face a similar issue.
We are only seeing the issue with Safari.
Any input or help on this would be appreciated, as we don't have control over how Safari accesses the keychain.