SecItemCopyMatching does not find keychain item in User Enrolment mode while using NEAppProxyProvider VPN

Our NEAppProxyProvider is implemented in a network extension that successfully installs and operates using our normal MDM installation methods, but fails to locate the necessary identity certificate using the certificate reference passed by the OS when installed using the Apple User Enrolment feature. Although the reference is non-null, calling SecItemCopyMatching() using this persistentIdentityRef fails with status "-25300" - the identity cannot be found in the keychain. These identical issues have already been reported to Apple (see https://forums.developer.apple.com/thread/132295 and https://forums.developer.apple.com/thread/123374 ). We have been distributing this product for many years and have all the proper entitlements, so that is not the issue. This appears to be a bug rather than a design decision, since we are passed a persistent identity reference - if the intention was to simply deny us the ability to operate, obviously the OS should pass a NULL reference.

Everything just works fine in Device Enrolment mode and the issue is seen only in user enrolment mode.

Please let us know the best way to proceed and fix this issue.

Up vote post of shyamjimishra Down vote post of shyamjimishra
797 views
Posted by
shyamjimishra
Reply
Add a Comment

Replies

So you have the com.apple.managed.vpn.shared entitlement and now your app is no longer able to access assets in the System Keychain that were distributed through MDM, but you previously were able to? Can you confirm?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Hi @meaton,

Yes, We have com.apple.managed.vpn.shared entitlement.

As mentioned in the problem statement, We are not able to access the keychain item only if we are using user enrolment mode.

When we use the Device enrolment mode We are able to access the keychain item and everything works fine.

The problem happens only in the user enrolment mode. So far we haven't been able to make it work in user enrolment mode.

Posted by
shyamjimishra
Up vote reply of shyamjimishra Down vote reply of shyamjimishra
Add a Comment

Yes, We have com.apple.managed.vpn.shared entitlement. As mentioned in the problem statement, We are not able to access the keychain item only if we are using user enrolment mode.

Okay, if you were previously able to access the Keychain item in user enrollment mode, then I would absolutely get a bug report down for this.

Please follow up with the Feedback ID.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton

  • Hi @meaton,

    I have already logged a bug on the feedback assistance for the same. Below is the feedback Id: https://feedbackassistant.apple.com/feedback/9788204 Don't see any activity there.

    shyamjimishra

  • Thank you for adding the Feedback ID. As of now there is nothing new to share, but please keep your bug report updated as you continue to test with the latest beta releases.

    meaton
Add a Comment