We had to use sudo to be able to store the corresponding certificate and its keys in the system keychain for MDM access. Since the certificate is for the device, login keychain was not suitable. I guess this is using legacy keychain. The code works if I use kSecUseDataProtectionKeychain as true in the attributes parameter which is using modern iOS style keychain. I wish the error is message from the API is clear whats not supported / incorrect. I have attached sysdiagnose to the FB15634465.

The code is running as a CLI binary with sudo to add the keys and its certificate to the system keychain. I have filed FB15634465 for this issue.

Same result on : % sw_vers ProductName: macOS ProductVersion: 15.1 BuildVersion: 24B83

Hello Quinn (from Apple DTS), if you are reading this please help with in resolving this crash in authorizationhosthelper.arm64 in Security::KeychainCore::StorageManager::tickleKeychain(Security::KeychainCore::KeychainImpl*) + 44 . We are already following the CryptoTokenKit best practices as per https://developer.apple.com/documentation/cryptotokenkit/authenticating_users_with_a_cryptographic_token#2937138 to launch the extension.

Edit: certificate is nil above i.e let tokenKey = TKTokenKeychainKey(certificate: nil, objectID: tag). I manually set all other properties as per the headerdocs. More debug info : % pluginkit -m -p com.apple.ctk-tokens    com.apple.CryptoTokenKit.pivtoken(1.0)    com.foo.mac-device-check.SecureEnclaveTokenExtension(1.0)  % sudo security smartcards token -e com.foo.mac-device-check.SecureEnclaveTokenExtension Token is already enabled. Still no luck with pkcs11_register_provider: /usr/lib/ssh-keychain.dylib.