ManagedApp on macOS 27: can an ACME-provisioned identity be hardware-bound + attested

Hey guys, I'm building a managed macOS app (credential-provider extension) that needs an MDM-provisioned, hardware-bound, attested identity via the ManagedApp framework on macOS 27, which was released just days ago, and I've hit a documentation contradiction.

By reading through the docs, my understanding of the ManagedApp identity path is com.apple.configuration.app.managed → Identities → com.apple.asset.credential.acme.

But the OS27 ACME schema says, for both HardwareBound and Attest: "On macOS, this is a required key. Set the value to false" (https://github.com/apple/device-management/blob/seed_OS_27_0/declarative/declarations/assets/credentials/acme.yaml#L66) — implying a software key. However, the macOS 27 release notes say ManagedApp deploys "hardware-bound identities" on macOS.

So I am wondering: on macOS 27 + Apple silicon, can a ManagedApp-provisioned ACME identity actually be HardwareBound: true / Attest: true? If yes, is the acme.yaml "set to false on macOS" text just stale? If no, how is the documented "hardware-bound identities" capability delivered? And would that identity be usable by the app / app extension? Thanks!

Answered by Device Management Engineer in 891618022

My favorite use case for ManagedApp framework is provisioning hardware-bound keys for managed apps and extensions. Rest assured, this works on macOS. Thank you for pointing out the contradiction in the documentation.

The documentation about the HardwareBound key is incorrect. It should say the following, and I'm working on getting the documentation corrected.

Setting this key to true is supported on Apple silicon and Intel devices that have a T2 chip. For other Mac devices this key must have a value of false.


Bob Whiteman - Device management engineer
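To make the corrected rule from the answer above concrete, here is an added example (my own code, not Apple's and not part of the original thread): a small lint for a com.apple.asset.credential.acme declaration that checks the HardwareBound and Attest keys against the kind of Mac the declaration is going to. The declaration layout (Type / Identifier / Payload) follows the declarative-management format; the sample declaration, the Identifier value, and the `arch` / `has_t2` inputs are constructed assumptions (on a real Mac, `uname -m` reports `arm64` on Apple silicon and `system_profiler SPiBridgeDataType` lists an Apple T2 Security Chip on T2 Intel Macs). Treating Attest: true without HardwareBound: true as an error is also my assumption, based on attestation describing a hardware-held key.

```python
"""Lint for the HardwareBound / Attest keys of a com.apple.asset.credential.acme
asset declaration.

Encodes the corrected rule stated in the answer above: true is supported on
Apple silicon and on Intel Macs with a T2 chip; on any other Mac the keys
must be false. Hypothetical helper code, not part of Apple's tooling.
"""

ACME_ASSET_TYPE = "com.apple.asset.credential.acme"
REQUIRED_BOOL_KEYS = ("HardwareBound", "Attest")


def mac_supports_hardware_binding(arch: str, has_t2: bool) -> bool:
    """Apply the corrected documentation rule.

    arch   - what `uname -m` reports: 'arm64' on Apple silicon, 'x86_64' on Intel.
    has_t2 - whether the Intel Mac has a T2 chip (system_profiler SPiBridgeDataType).
    """
    return arch == "arm64" or (arch == "x86_64" and has_t2)


def lint_acme_asset(declaration: dict, arch: str, has_t2: bool) -> list:
    """Return a list of findings (empty list means the declaration is consistent)."""
    findings = []
    if declaration.get("Type") != ACME_ASSET_TYPE:
        return ["not an ACME credential asset: %r" % (declaration.get("Type"),)]

    payload = declaration.get("Payload", {})
    supported = mac_supports_hardware_binding(arch, has_t2)

    for key in REQUIRED_BOOL_KEYS:
        if key not in payload:
            # The schema says both keys are required on macOS.
            findings.append("%s is missing (required on macOS)" % key)
            continue
        value = payload[key]
        if not isinstance(value, bool):
            findings.append("%s must be a boolean, got %r" % (key, value))
        elif value and not supported:
            findings.append("%s=true is unsupported on this Mac; must be false" % key)

    # Assumption: attestation describes a hardware-held key, so asking for an
    # attestation of a software key is treated as a configuration error.
    if payload.get("Attest") is True and payload.get("HardwareBound") is not True:
        findings.append("Attest=true requires HardwareBound=true")
    return findings


def sample_declaration(hardware_bound: bool, attest: bool) -> dict:
    """Constructed sample declaration; Identifier is a placeholder value."""
    return {
        "Type": ACME_ASSET_TYPE,
        "Identifier": "example-acme-identity",  # placeholder, not a real identifier
        "Payload": {
            "HardwareBound": hardware_bound,
            "Attest": attest,
        },
    }


if __name__ == "__main__":
    decl = sample_declaration(hardware_bound=True, attest=True)
    for arch, t2 in (("arm64", False), ("x86_64", True), ("x86_64", False)):
        print(arch, "T2" if t2 else "no T2", lint_acme_asset(decl, arch, t2))
```

Run it against the declaration an MDM intends to send, with the target Mac's architecture and T2 status, before pushing it; a non-empty result is the case the old acme.yaml text would have steered you into (or, for a pre-T2 Intel Mac, the case where a hardware-bound request cannot be honoured).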
