Our Goal: We are implementing a workflow for derived credentials. Our objective is to have a PIV/CAC derived credential (from Entrust), installed via the Intune MDM Company Portal app, and then use it within our (managed) app to generate digital signatures.
Challenge: The Intune Company Portal installs these identities into the System Keychain. Because third-party apps are restricted from accessing private keys in the System Keychain, we are running into a roadblock.
Our Question:
1) Is there an API that allows us to create a signature without us having to pass the private key itself, but instead just pass a handle/some reference to the private key, and then the API can access the private key in the system keychain and create the signature under the hood? SecKeyCreateSignature is the API method that creates a signature, but it requires passing a private key.
2) If #1 is not feasible, is there a way to get access to the system keychain to retrieve certs + private key for managed apps?
Thanks for bringing this to the Apple Developer Forums.
First up, I want to double check that this is for iOS. You mentioned the “System Keychain”, which is a macOS thing [1]. On iOS there is only one keychain, known as the data protection keychain. Within that keychain, credentials exist within a keychain access group. Your app’s access to keychain access groups is moderated by entitlements, as explained in Sharing access to keychain items among a collection of apps.
Note For a lot more background on keychain APIs, see:
Next, let’s look at your specific questions:
1- Is there an API that allows us to create a signature without us having to pass the private key itself
No.
iOS does have the ability to work with keys where the key material isn’t directly accessible to your app. We use this, for example, to allow keys to be protected by the Secure Enclave and to support keys stored on a hardware token [2]. However, these mechanisms require you to start with a SecKey, which you get from the keychain.
2- … is there a way to get access to system keychain to retrieve certs + private key for managed apps
No. If you use the traditional MDM mechanism to install credentials on iOS, those go into an Apple keychain access group that’s not accessible to third-party apps. This is documented in QA1745 Making Certificates and Keys Available To Your App.
However, we’ve recently rolled out an alternative path for this. An MDM system can now provision credentials directly to your app, which you then pick up using the ManagedApp framework. It’s frikkin’ awesome (-:
We gave a really good talk about this at last year’s WWDC: WWDC 2025 Session 203 Get to know the ManagedApp Framework.
IMPORTANT This is not an iOS 26 feature; it works on later releases of iOS 18 as well.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] See TN3137 On Mac keychain APIs and implementations.
[2] Like a smart card. iOS apps can use token-based keys (subject to user approval). It’s also possible to use CryptoTokenKit to create a virtual token, one that’s not actually backed by hardware. If the ultimate source of truth here is some sort of HSM, you could reasonably create an app that vends a virtual token to interface with that over the network. Lemme know if you want to explore that idea.
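The signing flow the answer describes, as an added example that is not part of the thread and not Apple sample code: the app never handles key bytes, only a SecKey reference obtained from an identity in a keychain access group its entitlements cover, and SecKeyCreateSignature does the work behind that handle (which is what lets Secure Enclave and token-backed keys work). The access group name, the certificate label and the sample payload are assumptions for illustration; how the identity arrived in that access group (for example via the ManagedApp path mentioned above) is outside this snippet.

```swift
import Foundation
import Security

// Added example, not from the forum thread. Access group and label are assumptions.
enum SigningError: Error {
    case identityNotFound(OSStatus)
    case noPrivateKey(OSStatus)
    case unsupportedKeyType
    case signingFailed(String)
}

/// Looks up an identity (certificate + private key reference) in an access group
/// that this app's entitlements grant it access to. No key material is returned.
func findIdentity(label: String, accessGroup: String) throws -> SecIdentity {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrLabel as String: label,
        kSecAttrAccessGroup as String: accessGroup,
        kSecReturnRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        throw SigningError.identityNotFound(status)
    }
    return found as! SecIdentity
}

/// Picks a signature algorithm from the key type; derived PIV credentials are
/// commonly RSA, but EC keys are handled too.
func signatureAlgorithm(for key: SecKey) -> SecKeyAlgorithm? {
    let attrs = SecKeyCopyAttributes(key) as? [String: Any]
    switch attrs?[kSecAttrKeyType as String] as? String {
    case kSecAttrKeyTypeRSA as String:            return .rsaSignatureMessagePKCS1v15SHA256
    case kSecAttrKeyTypeECSECPrimeRandom as String: return .ecdsaSignatureMessageX962SHA256
    default:                                      return nil
    }
}

/// Signs `data` with the private key behind `identity`. The SecKey is only a
/// handle; the raw key stays in the keychain (or Secure Enclave / token).
func sign(_ data: Data, with identity: SecIdentity) throws -> (Data, SecKeyAlgorithm) {
    var privateKey: SecKey?
    let status = SecIdentityCopyPrivateKey(identity, &privateKey)
    guard status == errSecSuccess, let key = privateKey else {
        throw SigningError.noPrivateKey(status)
    }
    guard let algorithm = signatureAlgorithm(for: key),
          SecKeyIsAlgorithmSupported(key, .sign, algorithm) else {
        throw SigningError.unsupportedKeyType
    }
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, algorithm, data as CFData, &error) else {
        let reason = error.map { ($0.takeRetainedValue() as Error).localizedDescription } ?? "unknown"
        throw SigningError.signingFailed(reason)
    }
    return (signature as Data, algorithm)
}

/// Self-check with the certificate's public key before the signature leaves the app.
func verify(_ signature: Data, for data: Data, identity: SecIdentity,
            algorithm: SecKeyAlgorithm) -> Bool {
    var certificate: SecCertificate?
    guard SecIdentityCopyCertificate(identity, &certificate) == errSecSuccess,
          let cert = certificate,
          let publicKey = SecCertificateCopyKey(cert) else { return false }
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, algorithm, data as CFData, signature as CFData, &error)
}

// Usage (constructed values; replace with your own label and entitled access group).
let payload = Data("document to be signed".utf8)
do {
    let identity = try findIdentity(label: "Derived PIV Credential",
                                    accessGroup: "TEAMID.com.example.managedapp")
    let (signature, algorithm) = try sign(payload, with: identity)
    print("signature bytes:", signature.count,
          "self-check:", verify(signature, for: payload, identity: identity, algorithm: algorithm))
} catch {
    print("signing failed:", error)
}
```

If `findIdentity` returns `errSecItemNotFound`, the first thing to check is the access group: as the answer says, credentials installed through the traditional MDM route land in an Apple-owned group your app cannot list, and no query variation changes that.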