Hello all,
We are in the process of deploying EAP-TLS Wi-Fi authentication across our corporate environment for both Windows and macOS devices. All endpoints are managed via Workspace ONE.
As part of our macOS configuration, we are pushing device certificates to the login keychain of managed MacBooks. For testing purposes, we have explicitly set the Access Control List (ACL) of the associated private key to allow all applications access. This includes:
- eapolclient, which handles the EAP-TLS handshake for Wi-Fi
- panGPS, which is responsible for establishing the GlobalProtect VPN connection (we are using certificate-based authentication with pre-logon enabled)
Additionally, we have configured and deployed a Wi-Fi profile via Workspace ONE to prevent users from having to manually select their device certificate - basically the identity preference card in Keychain Access.
Despite these settings, we are still encountering Keychain Access prompts when eapolclient attempts to access the private key. This happens even though the key is configured to allow all applications access. This behavior is unexpected, and we’re trying to understand why these prompts persist.
Has anyone encountered similar behavior on macOS, or is there something we're missing in terms of permissions or keychain configuration that could be causing this? We would greatly appreciate any insight or guidance.
Thank you, Kyo
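The following diagnostic script is an added example and not part of Kyo's post or the Workspace ONE configuration described above. It wraps the macOS `security` tool to (1) list the identities the EAP policy will accept from the login keychain, (2) dump the access control entries of the keys so the "allow all applications" setting can be verified from the command line, and (3) apply the key partition list that macOS 10.12 and later require in addition to the ACL before Apple-signed system binaries such as eapolclient can use a private key without a prompt. The `KEYCHAIN` and `PASSWORD` environment variables and the default login keychain path are assumptions for this example; `needed_partitions` merges the Apple partitions into whatever partition list the key already carries so that existing entries are preserved rather than overwritten.

```shell
#!/bin/sh
# Added example (not from the original post). Inspect and repair the private-key
# access settings of an EAP-TLS device identity in the macOS login keychain.
# Assumptions: default login keychain path; KEYCHAIN / PASSWORD env vars are ours.
set -u
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# 1. Identities (certificate + matching private key) accepted by the EAP policy.
list_eap_identities() {
  security find-identity -v -p eap "$KEYCHAIN"
}

# 2. Access control entries for every item in the keychain; the "applications"
#    lines show whether a key is restricted to specific apps or open to all.
dump_key_acls() {
  security dump-keychain -a "$KEYCHAIN"
}

# Merge the partitions Apple-signed tools need ("apple-tool:" and "apple:") into
# an existing comma-separated partition list, without duplicating entries.
# $1: existing partition list (may be empty). Prints the merged list.
needed_partitions() {
  merged="apple-tool:,apple:"
  old_ifs=$IFS
  IFS=','
  for p in ${1:-}; do
    [ -z "$p" ] && continue
    case ",$merged," in
      *",$p,"*) ;;                    # already present, keep once
      *) merged="$merged,$p" ;;       # preserve the key's existing partition
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "$merged"
}

# 3. Apply the partition list to all signing keys in the keychain. Even with an
#    ACL that allows every application, a key whose partition list lacks
#    "apple:" still triggers a keychain prompt for system daemons on 10.12+.
# $1: keychain password, $2: partition list already on the key (optional).
apply_partition_list() {
  list=$(needed_partitions "${2:-}")
  security set-key-partition-list -S "$list" -s -k "$1" "$KEYCHAIN"
}

# Live checks only run where the macOS security tool exists.
if command -v security >/dev/null 2>&1; then
  list_eap_identities
  dump_key_acls | grep -iE 'entry [0-9]+|authorizations|applications|description'
  if [ -n "${PASSWORD:-}" ]; then
    apply_partition_list "$PASSWORD"
  fi
fi
```

Run the script once with only `KEYCHAIN` set to read the current ACL entries; if the key's access entries already list no application restriction yet prompts persist, run it again with `PASSWORD` set so the partition list step is applied, then retry the Wi-Fi association and watch for the prompt.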