Reply to Mass deployment of certificates and marking it as trusted
@Device Management Engineer, Thank you so much for your quick response. I tried to achieve the same using an MDM solution (namely: JAMF) without success. Here is what I experienced:
1. Importing a root CA can be done through JAMF, and it is marked as trusted.
2. Importing a non-root CA is also possible, but it cannot be marked as trusted using JAMF.
Would you happen to know of any MDM solutions that could support this functionality? Thank you for your help in advance!
Oct ’24
Reply to Mass deployment of certificates and marking it as trusted
Thank you for the detailed background! Currently, our system performs signature verification on scripts before execution, ensuring the following condition is met: The script originates from a specific trusted source. When this check is successful, we consider the script safe for execution.

We provide a B2B solution to our customers, with an agent on all devices, which (among other things) enables e.g. L1 and L2 IT teams to execute (only) pre-written, quality-controlled and signed scripts. Our current implementation is similar to your point “4. Trust exceptions”, except that the customer remotely (ideally through MDM) marks the leaf explicitly as trusted, without interaction from the customer’s employees (device users). The leaf certificate for script signing comes from a public root CA trusted by Apple (as in “2. Built-in trusted root certificates”), so that parties untrusted by us and our customers can also request leaf certificates. For remote script execution, we only trust specific leaf certificates deployed on the device.

We are planning to move towards the approach you described as category “1. Custom implementation”. However, we didn't anticipate the need to expedite this change due to Sonoma's new limitations on mass-deploying non-root CAs and marking them as trusted without user confirmation. We have customers that already rely on the solution based on the Keychain. We would like to provide them with a temporary workaround they can use immediately. Is there a temporary workaround we could go with until we update our product to do “1. Custom implementation”? Your advice would be very helpful.
3w