To start, I’m interpreting mTLS as mutual TLS.
The idea is that the client certificate is installed on the device from outside of the app, e.g. by MDM or AppleConfigurator.
This is the sticking point. Credentials installed in this way are placed in an Apple-only keychain access group and thus are unavailable to your app. QA1745 Making Certificates and Keys Available To Your App has more details on this.
You will need to find an alternative way to provision your app with your credentials. There’s a bunch of ways you can do this but in managed environments the best option IMO is to use Kerberos SSO. You have two ways to approach that:
You can configure your origin server to support Kerberos SSO and then you’re done.
If that’s not feasible — for example, because your origin server software doesn’t support Kerberos SSO — you can configure a second server that supports Kerberos SSO and, once authenticated, hands out the digital identity required to access the origin server. Your app can then first talk to that server to get the digital identity, and then use that to talk to the origin server.
ps Please do take the time to file a request for a better solution to this problem. This issue is a significant pain point for developers targeting a managed environment and, speaking personally, I’d love to see it get addressed. Your bug report will allow you to express your needs in your own terms, and allow iOS engineering to understand the level of demand here.
Please post your bug number, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
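As an added example (not code from the post above or from Apple), here is roughly what the second approach looks like inside an app: fetch a PKCS#12 from a provisioning server that sits behind Kerberos SSO, import it into the app's own keychain access group, and present that identity when the origin server issues a client-certificate challenge. The URLs, the passphrase, and the assumption that the device's managed Kerberos configuration answers the Negotiate challenge are all hypothetical.

```swift
import Foundation
import Security

/// Hypothetical flow: provisioning server (Kerberos SSO) -> PKCS#12 -> origin server (mTLS).
final class ProvisionedMTLSClient: NSObject, URLSessionTaskDelegate {
    private var identity: SecIdentity?
    // Constructed value; a real deployment would return this alongside the blob.
    private let p12Password = "constructed-example-passphrase"
    private lazy var session = URLSession(configuration: .ephemeral,
                                          delegate: self, delegateQueue: nil)

    /// Step 1: obtain the digital identity. The Negotiate challenge from this
    /// server is left to default handling (assumed managed Kerberos SSO).
    func provision(from provisioningURL: URL) async throws {
        let (p12, _) = try await session.data(from: provisioningURL)
        identity = try Self.importIdentity(p12: p12, password: p12Password)
    }

    /// Step 2: talk to the origin server; the delegate below answers its
    /// client-certificate challenge with the imported identity.
    func fetch(_ originURL: URL) async throws -> Data {
        let (body, _) = try await session.data(from: originURL)
        return body
    }

    /// Imports the PKCS#12 into the app's own access group, which is why the
    /// identity is usable here while an MDM-installed certificate is not.
    static func importIdentity(p12: Data, password: String) throws -> SecIdentity {
        var items: CFArray?
        let options = [kSecImportExportPassphrase as String: password] as CFDictionary
        let status = SecPKCS12Import(p12 as CFData, options, &items)
        guard status == errSecSuccess,
              let first = (items as? [[String: Any]])?.first,
              let raw = first[kSecImportItemIdentity as String] else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        return raw as! SecIdentity
    }

    func urlSession(_ session: URLSession, task: URLSessionTask,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let method = challenge.protectionSpace.authenticationMethod
        guard method == NSURLAuthenticationMethodClientCertificate, let identity else {
            // Server trust and Negotiate (Kerberos) challenges: let the system handle them.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        completionHandler(.useCredential,
                          URLCredential(identity: identity, certificates: nil, persistence: .forSession))
    }
}
```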