SecItemCopyMatching does not find keychain item in User Enrolment mode while using NEAppProxyProvider VPN

Our NEAppProxyProvider is implemented in a network extension that successfully installs and operates using our normal MDM installation methods, but fails to locate the necessary identity certificate using the certificate reference passed by the OS when installed using the Apple User Enrolment feature. Although the reference is non-null, calling SecItemCopyMatching() using this persistentIdentityRef fails with status "-25300" - the identity cannot be found in the keychain. These identical issues have already been reported to Apple (see https://forums.developer.apple.com/thread/132295 and https://forums.developer.apple.com/thread/123374 ). We have been distributing this product for many years and have all the proper entitlements, so that is not the issue. This appears to be a bug rather than a design decision, since we are passed a persistent identity reference - if the intention was to simply deny us the ability to operate, obviously the OS should pass a NULL reference.

Everything just works fine in Device Enrolment mode and the issue is seen only in user enrolment mode.

Please let us know the best way to proceed and fix this issue.

So you have the com.apple.managed.vpn.shared entitlement and now your app is no longer able to access assets in the System Keychain that were distributed through MDM, but you previously were able to? Can you confirm?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi @meaton,

Yes, We have com.apple.managed.vpn.shared entitlement.

As mentioned in the problem statement, We are not able to access the keychain item only if we are using user enrolment mode.

When we use the Device enrolment mode We are able to access the keychain item and everything works fine.

The problem happens only in the user enrolment mode. So far we haven't been able to make it work in user enrolment mode.

Yes, We have com.apple.managed.vpn.shared entitlement. As mentioned in the problem statement, We are not able to access the keychain item only if we are using user enrolment mode.

Okay, if you were previously able to access the Keychain item in user enrollment mode, then I would absolutely get a bug report down for this.

Please follow up with the Feedback ID.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
SecItemCopyMatching does not find keychain item in User Enrolment mode while using NEAppProxyProvider VPN
 
 
Q