iOS: Push a client-identity certificate for use by third-party app?

rbelton
New here

iOS: Push a client-identity certificate for use by third-party app?

I'm an iOS developer who's very new to Meraki. I have a few basic questions that I'm having trouble answering:

  1. Is it possible to have Meraki install a client-identity certificate onto a managed iOS device, in a way that it will be available in Keychain to my third-party app (and would that app have to be managed/pushed by MDM)?
  2. If so, how would I configure that in Meraki?
  3. Is there something I need to configure in my app to give it access to the certificate? The Keychain Sharing entitlement, possibly? If so, where is that documented and what identifier should be specified?

 

What I've found/done so far:

 

I've created a certificate, tried to install it via MDM and retrieve it at runtime in my app. So far I haven't succeeded and I don't know where the failure is. I suspect one of two configuration issues:

  • The certificate isn't actually installed on the device
  • The certificate is installed, but my app doesn't have access to it in the Keychain (shouldn't I still see it somewhere in Settings, though--alongside or near the "main" certificate associated with the profile?)

 

Per Apple (emphasis mine):

"...identities can be pushed from a Mobile Device Management (MDM) server. However, identities installed in any of these ways are added to the Apple keychain access group.

Apps can only access keychain items in their own keychain access groups. This means that items in the Apple access group are only available to Apple-provided apps such as Safari or Mail."

That reads like a definitive "not possible" to me. However, in the place in System Manager where I think I'm supposed to associate a certificate with a profile (Systems Manager -> Settings -> Add settings -> New Credential), I see this:

 System Manager

 

Does the circled statement contradict what Apple says is possible, or am I missing a core concept? If this "shared keychain" is really a "keychain access group", how do I make my app privy to that group? I am aware of the "Keychain Sharing" entitlement, but Apple's documentation seems to say that this is for apps from the same developer, which must share a "root" bundle ID. So that doesn't seem like a possibility here. In any case, if this entitlement somehow is the correct route, I need to specify an identifier for it. Does anyone know where that is documented?

 

If this "shared keychain" refers to some other mechanism that has nothing to do with "Keychain Sharing", what is that mechanism called and how do I use it? What am I missing?

 

I supposedly associated the "Cert" you see in the left-hand panel with the selected profile, and I can see in device settings that this profile seems to be installed on my device. Again, though, I can't find the certificate in question when I navigate around Settings -> Profiles and Identities. Should I expect to?

 

In my app, I'm using a snippet (gist) I borrowed from an Apple sample project. From what I understand about Keychain/Security, it should be retrieving any "client identities" that my app is privileged to. I still need to prove that assumption to myself, but I suspect the problem doesn't lie there.

 

Any information is greatly appreciated! I'm happy to provide any additional details, screenshots, etc. that would be helpful.

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal

I definitely don't know the answer.

 

Have you considered using something like SCEP in your application and having it self enrol and get a certificate itself?

 

rbelton
New here

Thanks for the reply! I don't know anything about SCEP except what I just read on Wikipedia; I'll ask my teammates if it's a possibility.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels