We are interested in using a hardware-bound key to sign requests made to a server prior to a user being logged in. We would do this using a launch daemon. The goal here is to have a high degree of assurance that a request came from a particular device. The normal way to do this would be with a private key in the Secure Enclave. Based on these threads: https://forums.developer.apple.com/forums/thread/719342 https://forums.developer.apple.com/forums/thread/115833 and the write-up about the Data Protection Keychain, it doesn't appear possible with the SE. Rather, it seems that we must wait until we have a logged-in user context before we can use the SE. My questions are: am I correct in that the SE is not usable in the system context prior to login? is there any other way on macOS to sign a request in such a way that we know it comes from a specific device? Thanks.

We are implementing just-in-time account creation using Platform Single Sign-on. After creating the account, we are registering the user with PSSO and we want to ensure that the IDP account used for account creation matches the IDP account used in the user registration flow. An easy way to do this appears to be using loginUsername on the ASAuthorizationProviderExtensionLoginManager object. loginUsername gets set during account creation and then we can check what the user is entering during registration. The documentation, however, marks this attribute as deprecated. There is no indication of what could be used instead. Is there some other value we could look at? Does Apple have a plan to introduce a preferred API option? Thanks!

In our implementation of Platform SSO, we would like to show custom UI in both the beginDeviceRegistration call as well as the beginUserRegistration call. It works fine in the beginDeviceRegistration call when we use presentRegistrationViewController. When we try to apply the same logic in beginUserRegistration, the ViewController's view.window object is nil and thus using it to house our custom UI doesn't work. I'm not sure if this is an implementation flaw on our part or if presentRegistrationViewController is only intended to be used in beginDeviceRegistration. The call is only mentioned in the context of registering devices, which makes us wonder if it is limited to that. Any help would be appreciated!

I would like to be able to store a secret in the keychain and make it accessible to a process running as root without any prompting of the user. So far I've only got this working if I opt for "Allow all applications to access this item." But if I do that, any process whether root or not has access to the item. On the other hand, if I choose "confirm before allowing access," the user is prompted for a root password. Unfortunately, "Always allow access by these applications" isn't an option because I need the secret in the context of an Authorization Plugin and so it's not a "normal" application that I can list. I'm wondering if maybe there's a way to set some sort of ACL from the command line. I've looked at the man page for security and not seen any obvious solution. My goal is to have my Authorization Plugin process "authenticate" itself to an XPC Service using a shared secret that both read from the keychain. If I can't get the keychain to work, I may do the same thing by using a shared secret in a file readable only by root. Any suggestions welcome. Thanks, Francis

We are building an Authorization Plugin with a custom GUI where we prompt the user for additional information after they have entered their username/password. Right now, we are doing this using an NSWindowController and an NSWindow. The problem is that the login "spinner" shows up in front of the window as seen here: Is there a way to avoid this? Or do we have to subclass SFAuthorizationPluginView to get this to work? Thanks!

We are writing an Authorization Plugin to add an additional factor to macOS desktop login. We're experiencing an issue when we run our code using the UTM VM. The plugin calls context.setResult(.allow) and de-initializes the mechanism (as indicated by log statements), but the login itself never succeeds. The desktop hangs showing a progress spinner and the user icon, but never transitions to the desktop. This problem doesn't happen consistently using UTM nor have we seen it using bare metal, but it's concerning all the same. If anyone has experienced this and has any insight into this, I'd be very grateful. Thanks, Francis

We are working on developing an Authorization Plugin and I'm wondering if there is any way to automate the testing of the macOS login flow. In other words, something like Selenium for the login flow. I'm fairly certain the answer is "no" and that we need to any automated testing using a testing harness that runs our Auth Plugin. I'm basically doing due diligence on this now, so if anyone (especially from Apple) to weigh in, I'd be very grateful. Thanks, Francis

I'm working on building an Authorization Plugin and when I try to link to cod from a Pod, the plugin crashes on invocation. For example, I tried linking to the SQLite library, GRBD. The error in the console logging is as follows: SecurityAgentHelper-arm64: (CoreFoundation) Error loading /Library/Security/SecurityAgentPlugins/TestAuthPlugin.bundle/Contents/MacOS/TestAuthPlugin: dlopen(/Library/Security/SecurityAgentPlugins/TestAuthPlugin.bundle/Contents/MacOS/TestAuthPlugin, 0x0106): Library not loaded: '@rpath/GRDB.framework/Versions/A/GRDB' Referenced from: '/Library/Security/SecurityAgentPlugins/TestAuthPlugin.bundle/Contents/MacOS/TestAuthPlugin' Reason: tried: '/Library/Security/SecurityAgentPlugins/TestAuthPlugin.bundle/Contents/MacOS/Frameworks/GRDB.framework/Versions/A/GRDB' (no such file), '/Library/Security/SecurityAgentPlugins/TestAuthPlugin.bundle/Contents/MacOS/../Frameworks/GRDB.framework/Versions/A/GRDB' (no such file), '/Library/Security/SecurityAgentPlugins/TestAuthPlugin.bundle/Contents/MacOS/Frameworks/GRDB.framework/Versions/A/GRDB' (no such file), '/Library/Security/SecurityAgentPlugins/TestAuthPlugin.bundle/Contents/MacOS/../Frameworks/GRDB.framework/Versions/A/GRDB' (no such file), '/System/Library/Frameworks/GRD<…> Indeed, if I look in the .bundle, I don't see GRDB anywhere. I'm including the Pods .framework file using "Embed without signing." Note that I can get this to work if I include GRDB using Swift Package Manager. For our project it may be fine to use SPM, but I'm interested in knowing if pods are an option at all. Thanks, Francis