Hey guys, I posted a similar thread in Privacy channel earlier, but their engineer points me to here: https://developer.apple.com/forums/thread/831492
I'm building a managed macOS app (credential-provider extension) that needs an MDM-provisioned, hardware-bound, attested identity via the ManagedApp framework on macOS 27 which just released days ago, and I've hit a documentation contradiction.
By reading through the docs, my understanding of the ManagedApp identity path is com.apple.configuration.app.managed → Identities → com.apple.asset.credential.acme.
But the OS27 ACME schema says, for both HardwareBound and Attest: "On macOS, this is a required key. Set the value to false" (https://github.com/apple/device-management/blob/seed_OS_27_0/declarative/declarations/assets/credentials/acme.yaml#L66) — implying a software key. However, the macOS 27 release notes say ManagedApp deploys "hardware-bound identities" on macOS.
So I am wondering that on macOS 27 + Apple silicon, can a ManagedApp-provisioned ACME identity actually be HardwareBound: true / Attest: true? If yes, is the acme.yaml "set to false on macOS" text just stale? If no, how is the documented "hardware-bound identities" capability delivered? And would that identity gonna be able to be used by the app / app extension? Thanks!
I'm building a managed macOS app (credential-provider extension) that needs an MDM-provisioned, hardware-bound, attested identity via the ManagedApp framework on macOS 27
Fantastic! ManagedApp framework has a lot of uses, and my favorite is exactly how you intend to use it.
The documentation about the HardwareBound key is incorrect. It should say the following, and I'm working on getting the documentation corrected.
Setting this key to
trueis supported on Apple silicon and Intel devices that have a T2 chip. For other Mac devices this key must have a value offalse.
Bob Whiteman - Device management engineer