Enterprise Install for a TLS Inspection proxy

Thanks for the question, a little confused on what is the main goal. I think clarification on your goals will help developers jump into this thread and provide you their ideas?

I presume you are targeting macOS? macOS has inherent security. Is the objective of silently trusting a locally generated root certificate without user interaction is explicitly prohibited by the security model by design?

In my opinion, an MDM Configuration Profile is the sole method to silently establish root certificate trust on macOS. Since MDM profiles needs the base64-encoded certificate at the time of profile creation, you cannot natively use an MDM to trust the certificate generated by this specific endpoint.

You are correct that if the Root CA is compromised, the attacker can intercept traffic at any point.

My question to you is what is the intended outcome of your solution? There are numerous alternative approaches to achieve your desired outcome without configuring devices with security vulnerabilities.

There is no concealed macOS or MDM mechanism that dynamically trusts locally generated root certificates based on non-unique criteria.

I’m sure if you proposed an idea many developer can provide you ideas how to get that working on a macOS app.

Albert Pascual
  Worldwide Developer Relations.

Thanks for the quick response. The bigger picture is we provide a lightweight forwarder that runs on every endpoint to collect information on user activity (anonymized to protect user privacy) which it then sends to a cloud based analytics service.

The problem is how to simplify deploying the macOS forwarder to thousands of endpoints in an MDM managed enterprise. Expecting every endpoint user to authenticate as an administrator is not a great user experience.

Having our analytics server get the needed configuration profile from each endpoint and somehow forward it to the MDM to download is a difficult problem so I'm looking for any creative suggestions.

@Peter_Si

This reply is to me a private issue:

The bigger picture is we provide a lightweight forwarder that runs on every endpoint to collect information on user activity

User activity in the mac? This goes against the privacy policies I think. https://www.apple.com/legal/privacy/en-ww/

Albert Pascual
  Worldwide Developer Relations.

This is of course for enterprise or government customers who need some ability to audit how their systems are being used while at the same time protecting user privacy by anonymizing user data unless there is evidence of anomalous high risk activity.

I understand there may not be an easy solution for Macs.

Wish you luck @Peter_Si

Albert Pascual
  Worldwide Developer Relations.

I don’t think there’s anything fundamental blocking an MDM system from doing what you want it to do. When the Mac checks in with MDM, the MDM system knows the identity of that Mac and can send it a configuration profile with a unique com.apple.security.root payload [1].

But there are some obvious challenges:

• Getting an MDM system that actually supports this.
• Securely passing the certificate from the Mac to the MDM system [2].

It’s hard to offer advice on that front because this isn’t a standard MDM feature, and thus the answer is going to depend on the MDM server you’re using.

The one thing I can rule out is a client-side solution. There’s no longer any supported way for code running on the Mac to install a trusted root without user approval.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Or do the same thing with declarative device management, which is the new hotness.

[2] Certificates are just fancy public keys, and thus don’t need to be kept private. However, you need to make sure that a malicious actor doesn’t impersonate a client.