Is there a way for MDM to push a unique mTLS certificate w/ our Application?

Hi,

It may be a stupid question, but we really wonder if there is a way for MDM to push a unique mTLS cert to our iOS application or if it can populate a client certificate in the iOS where our application can access it. Like browser app, how do browser mTLS certs get pushed?

Thanks,

Ying

Answered by Device Management Engineer in 791658022

Since you mention mTLS, I think you're referring to an identity (certificate plus matching private key). MDM does not have a way to provide MDM-provisioned identities to managed apps.

There's managed app config for providing arbitrary app-defined configurations to managed apps, however that's not appropriate for sensitive data like private keys. To use that you would need to somehow turn that into a secure communication channel.

how do browser mTLS certs get pushed?

Installing an identity via configuration profile or MDM installs it into a keychain access group which Safari and various system processes can access. Some other browsers have their own mechanisms for obtaining identities.

Since you mention mTLS, I think you're referring to an identity (certificate plus matching private key). MDM does not have a way to provide MDM-provisioned identities to managed apps.

There's managed app config for providing arbitrary app-defined configurations to managed apps, however that's not appropriate for sensitive data like private keys. To use that you would need to somehow turn that into a secure communication channel.

how do browser mTLS certs get pushed?

Installing an identity via configuration profile or MDM installs it into a keychain access group which Safari and various system processes can access. Some other browsers have their own mechanisms for obtaining identities.

Is there a way for MDM to push a unique mTLS certificate w/ our Application?
 
 
Q