Is there a way for MDM to push a unique mTLS certificate w/ our Application?

Hi,

It may be a stupid question, but we really wonder if there is a way for MDM to push a unique mTLS cert to our iOS application, or if it can populate a client certificate in iOS where our application can access it. Like with a browser app: how do browser mTLS certs get pushed?

Thanks,

Ying

Answered by Device Management Engineer in 835313022

With the release of the new ManagedApp framework in iOS 18.4, iPadOS 18.4, and visionOS 2.4, there's now a way for an MDM server to provision identities for managed apps and their app extensions. See the ManagedApp Framework documentation.

Since you mention mTLS, I think you're referring to an identity (certificate plus matching private key). MDM does not have a way to provide MDM-provisioned identities to managed apps.

There's managed app config for providing arbitrary app-defined configurations to managed apps, however that's not appropriate for sensitive data like private keys. To use that you would need to somehow turn that into a secure communication channel.

how do browser mTLS certs get pushed?

Installing an identity via configuration profile or MDM installs it into a keychain access group which Safari and various system processes can access. Some other browsers have their own mechanisms for obtaining identities.
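As an added illustration of the profile path described above (example code written for this page, not from the forum thread or from Apple): the following builds a per-device configuration profile carrying a PKCS#12 identity payload (PayloadType com.apple.security.pkcs12), which is how an MDM server or a manually installed profile gets a client identity onto the device for Safari and system processes. The PKCS#12 bytes, password, device id and the com.example.mdm identifiers are constructed placeholders; the parsing helper checks the keys a silent install needs.

```python
# Added example (not from the forum thread): build and inspect a configuration
# profile that installs a PKCS#12 identity, the mechanism the answer describes.
# The PKCS#12 blob, password and device id used here are constructed
# placeholders, not a real identity.
import plistlib
import uuid

PKCS12_PAYLOAD_TYPE = "com.apple.security.pkcs12"


def build_identity_profile(p12_bytes: bytes, p12_password: str, device_id: str,
                           org_prefix: str = "com.example.mdm") -> bytes:
    """Return a .mobileconfig (XML plist) that installs one PKCS#12 identity.

    Every call uses fresh PayloadUUIDs, so each device gets its own profile,
    which is what a unique-per-device mTLS identity requires.
    """
    identity_payload = {
        "PayloadType": PKCS12_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.identity.{device_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"mTLS client identity ({device_id})",
        # The identity itself: DER-encoded PKCS#12 holding cert + private key.
        # plistlib serialises bytes as a <data> element, which is what iOS expects.
        "PayloadContent": p12_bytes,
        # Password protecting the PKCS#12. If it is omitted the user is prompted
        # at install time, which defeats a silent MDM push.
        "Password": p12_password,
        "PayloadCertificateFileName": f"{device_id}.p12",
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.profile.{device_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Client certificate",
        "PayloadOrganization": "Example Corp",  # placeholder organisation
        "PayloadContent": [identity_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def identity_payloads(profile_bytes: bytes) -> list:
    """Parse a profile and return its PKCS#12 payloads, checking that each one
    carries the keys needed for a silent install."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PKCS12_PAYLOAD_TYPE:
            continue
        for key in ("PayloadIdentifier", "PayloadUUID", "PayloadContent", "Password"):
            if key not in payload:
                raise ValueError(f"PKCS#12 payload missing {key}")
        if not isinstance(payload["PayloadContent"], bytes):
            raise ValueError("PayloadContent must be <data>, not a string")
        found.append(payload)
    return found


if __name__ == "__main__":
    # Constructed placeholder bytes; a real profile would embed output of
    # `openssl pkcs12 -export` for the device's certificate and key.
    demo = build_identity_profile(b"\x30\x82\x00\x10placeholder", "s3cret", "device-0001")
    print(demo.decode())
    print(identity_payloads(demo)[0]["PayloadIdentifier"])
```

Two caveats a practitioner should keep in mind. First, the profile contains the private key and its password in the clear, so it must only travel over the MDM channel (or be signed and encrypted for the device) and never be left in a build artifact or ticket. Second, as the reply states, an identity installed this way lands in a keychain access group that Safari and system processes can use but a third-party app cannot; it does not make the identity available to your own app.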