Hi, I'm looking into ACME Managed Device Attestation and was wondering about one of the values in the payload - AllowAllAppsAccess.
From the documentation: "If true, all apps have access to the private key", but what is the case in which you would have this set to true? It seems like it opens up the device to potentially malicious software.
Also, if this were set to true, how would an app access this private key when it is stored in the Secure Enclave? Is there a specific tag that it is stored with?
The AllowAllAppsAccess key is for macOS only. It only works for ACME payloads if HardwareBound is false.
On macOS there are two keychain technologies.
The older file-based keychain supports AllowAllAppsAccess but does not support hardware-bound keys. You can see items in the file-based keychain using the Keychain Access app. Third-party apps can access these items if they were installed with AllowAllAppsAccess set to true.
The newer data protection keychain supports hardware-bound keys and does not support AllowAllAppsAccess. Third-party apps and processes cannot access the identities that device management installs into the data protection keychain (with one exception for VPN extensions).
When installing an ACME payload on macOS it decides which keychain to use based upon the value of HardwareBound.
Other Apple OSes only have a data protection keychain and do not have a file-based keychain, so all items go into the data protection keychain.
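As an added illustration of the two cases described in the answer above (this is an example profile written for this page, not configuration posted by either participant or published by Apple), the profile below carries two ACME payloads side by side. Payload A sets HardwareBound to true, so on macOS the identity lands in the data protection keychain where AllowAllAppsAccess has no effect and only device management can use it; payload B sets HardwareBound to false with AllowAllAppsAccess true, so the identity goes into the file-based keychain and is readable by any installed app. The DirectoryURL, ClientIdentifier, Subject, identifier and UUID values are placeholders; replace them with your own before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.acme-keychain-comparison</string> <!-- placeholder -->
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>      <!-- placeholder -->
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>ACME keychain comparison (example)</string>
  <key>PayloadContent</key>
  <array>

    <!-- Payload A: hardware-bound key. On macOS the identity is placed in the
         data protection keychain; it is not visible to third-party apps and
         AllowAllAppsAccess would be ignored here, so it is deliberately omitted. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.acme</string>
      <key>PayloadIdentifier</key><string>com.example.acme.hardware-bound</string>   <!-- placeholder -->
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-00000000000A</string>   <!-- placeholder -->
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>ACME identity (hardware-bound)</string>
      <key>DirectoryURL</key><string>https://acme.example.com/directory</string>  <!-- placeholder -->
      <key>ClientIdentifier</key><string>REPLACE-WITH-ONE-TIME-CLIENT-ID</string>  <!-- placeholder -->
      <key>KeyType</key><string>ECSECPrimeRandom</string>
      <key>KeySize</key><integer>256</integer>
      <key>UsageFlags</key><integer>1</integer> <!-- signing -->
      <key>HardwareBound</key><true/>
      <key>Attest</key><true/>
      <key>Subject</key>
      <array><array><array>
        <string>CN</string><string>example-device</string> <!-- placeholder -->
      </array></array></array>
    </dict>

    <!-- Payload B: software key in the file-based keychain. HardwareBound is
         false, so AllowAllAppsAccess takes effect and every installed app can
         use the private key; the item is visible in Keychain Access. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.acme</string>
      <key>PayloadIdentifier</key><string>com.example.acme.all-apps</string>        <!-- placeholder -->
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-00000000000B</string>   <!-- placeholder -->
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>ACME identity (file-based keychain, all apps)</string>
      <key>DirectoryURL</key><string>https://acme.example.com/directory</string>  <!-- placeholder -->
      <key>ClientIdentifier</key><string>REPLACE-WITH-ONE-TIME-CLIENT-ID</string>  <!-- placeholder -->
      <key>KeyType</key><string>ECSECPrimeRandom</string>
      <key>KeySize</key><integer>256</integer>
      <key>UsageFlags</key><integer>1</integer> <!-- signing -->
      <key>HardwareBound</key><false/>
      <key>Attest</key><false/>
      <key>AllowAllAppsAccess</key><true/>
      <key>Subject</key>
      <array><array><array>
        <string>CN</string><string>example-device</string> <!-- placeholder -->
      </array></array></array>
    </dict>

  </array>
</dict>
</plist>
```

The two payloads are shown together only for comparison; a real profile would carry whichever one matches the deployment. Payload A is the shape to reach for when the identity must be attestable and confined to device management, since the answer above notes that a hardware-bound key can only live in the data protection keychain. Payload B is the shape that answers the original question: it is the combination (macOS, HardwareBound false, AllowAllAppsAccess true) under which any app on the Mac can use the key, and on iOS and the other Apple OSes the AllowAllAppsAccess key has no effect at all because only the data protection keychain exists there.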