June 09, 2020

Managing Identity Preferences to Streamline Single Sign-On for macOS Revisited

This blog post delves into Identity Preferences which is a built-in payload for macOS user profiles since Workspace ONE UEM 2005. The Identity Preference payload helps you to manage user certificates on macOS 10.12 and later. Learn how to configure Identity Preferences for the following browsers: Safari, Google Chrome, Firefox, and Microsoft Edge.

I previously wrote about managing identity preferences to streamline single sign-on in macOS. At the time, VMware Workspace ONE UEM did not natively support the identity preference payload for credentials. The lack of native support forced admins to do some careful crafting with a custom settings payload to facilitate easier SSO for their end-users. Now with Workspace ONE UEM version 2005, Identity Preferences (and Certificate Preferences) are a built-in payload for macOS user profiles that can help you manage user certificates on macOS version 10.12 and later.

What are Identity Preferences?

A slight oversight on my part as the previous blog didn't cover this! Identity Preferences (and their close cousin, Certificate Preferences) are a feature of the macOS keychain where a user can choose a specific certificate as their identity for a URL. This convenient feature eliminates Safari's pop-up certificate selection when authenticating to a website. Think of it as the certificate equivalent of "autofill." Without identity (or certificate) preferences managed via UEM, users must manually create an identity preference via the Keychain Access app or the security command in Terminal. Additionally, the certificate details (subject alternative name or common name) might not readily provide an end-user enough information to choose the correct authentication certificate for a site if they have multiple certificates installed.

Prerequisites

Similar to the previous blog post, a few prerequisites are required to make this work:

  • An admin has a certificate authority and template configured for Workspace ONE UEM (or an SCEP endpoint whereby a user can request a certificate).
  • VMware Workspace ONE Access (formerly VMware Identity Manager) authentication method "Certificate (Cloud)" configured to trust certificates issued by the CA's root certificate authority.
  • Workspace ONE UEM version 2005 and later (specific to the new Identity Preference payload keys).

Streamlining SSO for macOS


Note: There may be unexpected behavior if testing in a Private/Incognito browser window.

Configure an Identity Preference for Safari

Identity Preferences (and Certificate Preferences) apply to Safari and Webkit-based applications on macOS. To configure the identity preference in Workspace ONE UEM, perform the following:

  1. In the Workspace ONE UEM console, click Add > Profile > macOS > User Profile.
  2. Enter a Name for the profile (such as Safari Identity Preference) and choose an assignment group consisting of your testing/validation devices.
  3. Select the Credentials payload and click Configure.
  4. Select the Defined Certificate Authority as the credential source and choose the appropriate Certificate Authority and Request Template.
  5. Select the check box to allow access to all applications.
  6. Enter a URL in the Identity Preference section (and optionally click Add to add up to 14 more preference URLs).
  7. Click Save and Publish, then click Publish.

As mentioned previously, Workspace ONE UEM supports identity preferences for a Defined CA in either a Credentials or a SCEP payload. Additionally, if you are uploading a credential in a Credential payload, admins can configure a Certificate Preference, which creates similar behavior on the end-user's device.

Configure an Identity Preference for Google Chrome

Google Chrome doesn't leverage the built-in macOS Identity Preference and therefore requires a Custom Settings payload to configure. In the Custom Settings payload, the AutoSelectCertificateForUrls key allows administrators to map specific certificate identities to URL patterns. Some useful examples of Custom Settings (such as this one) are available on the EUC-Samples GitHub Repository.

<dict>
    <key>AutoSelectCertificateForUrls</key>
    <array>
        <string>{"pattern":"https://cas.vidmpreview.com","filter":{"ISSUER":{"CN":"TMApple"}}}</string>
    </array>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadDisplayName</key>
    <string>Google Chrome Settings</string>
    <key>PayloadIdentifier</key>
    <string>com.google.Chrome.4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
    <key>PayloadType</key>
    <string>com.google.Chrome</string>
    <key>PayloadUUID</key>
    <string>4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>

Note that you must modify the example Custom Settings XML to facilitate the identity preference functionality. In the example, the URL (i.e., the "pattern") and the certificate issuer's common name must be changed. If additional URL mappings are required, simply duplicate and edit the string line within the <array></array> element:

<string>{"pattern":"https://your.additional.url.com","filter":{"ISSUER":{"CN":"TMApple"}}}</string>

Configure an Identity Preference for Firefox

Similar to Google Chrome, Firefox does not leverage the built-in macOS Identity Preferences. However, as of Firefox 75 in the Rapid Release channel, admins can provide users a potentially easier SSO experience. In the Firefox Policy Templates, a new preference key (security.osclientcerts.autoload) instructs Firefox to discover and load certificates from the user's keychain. If you combine this with the security.default_personal_cert key set to Select Automatically, Firefox attempts to find a certificate to use for authentication, which could potentially eliminate the disruptive cert-picker dialog. Note that in some high-security environments, security.default_personal_cert should instead be forced to Ask Every Time rather than Select Automatically. The following is an example Custom Settings payload which can be pasted into Workspace ONE UEM to control the behavior on enrolled macOS devices:

<dict>
    <key>PayloadDisplayName</key>
    <string>Firefox ESR Policies</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>org.mozilla.firefox.BCADDC78-843E-4112-936A-DAB8EEEF514C</string>
    <key>PayloadType</key>
    <string>org.mozilla.firefox</string>
    <key>PayloadUUID</key>
    <string>BCADDC78-843E-4112-936A-DAB8EEEF514C</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>EnterprisePoliciesEnabled</key>
    <true/>
    <key>Preferences</key>
    <dict>
        <key>security.default_personal_cert</key>
        <string>Select Automatically</string>
        <key>security.osclientcerts.autoload</key>
        <true/>
    </dict>
</dict>

If you look at this functionality compared to Identity Preferences, you'll notice that with Firefox, you are relying on the browser (or the user) to make their best guess as to the appropriate certificate. The reliance on the browser or user to choose could be problematic if the user has more than a single certificate from the same root certificate authority. There is currently no method of mapping a specific certificate in the user's Keychain to one URL.

Configure an Identity Preference for Microsoft Edge

Microsoft Edge is another browser that doesn't leverage the built-in macOS Identity Preference and therefore requires a Custom Settings payload to configure. In the Custom Settings payload, the AutoSelectCertificateForUrls key allows administrators to map specific certificate identities to URL patterns. Some useful examples of Custom Settings (such as this one) are available on the EUC-Samples GitHub Repository.

<dict>
    <key>AutoSelectCertificateForUrls</key>
    <array>
        <string>{"pattern":"https://cas.vidmpreview.com","filter":{"ISSUER":{"CN":"TMApple"}}}</string>
    </array>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadDisplayName</key>
    <string>Microsoft Edge Settings</string>
    <key>PayloadIdentifier</key>
    <string>com.microsoft.Edge.A9DA433B-BDDA-4205-9147-5A6FC149B54E</string>
    <key>PayloadType</key>
    <string>com.microsoft.Edge</string>
    <key>PayloadUUID</key>
    <string>A9DA433B-BDDA-4205-9147-5A6FC149B54E</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>

Note that you must modify the example Custom Settings XML to facilitate the identity preference functionality. In the example, the URL (i.e., the "pattern") and the certificate issuer's common name must be changed. If additional URL mappings are required, simply duplicate and edit the string line within the <array></array> element:

<string>{"pattern":"https://your.additional.url.com","filter":{"ISSUER":{"CN":"TMApple"}}}</string>
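The Chrome and Edge payloads above embed JSON inside a plist string, and a single curly quote (the kind a word processor or web editor substitutes for a straight quote) silently breaks the rule. The following is an added example, not code from the original post or from VMware: it lints an AutoSelectCertificateForUrls payload before it is pasted into the console and builds correctly quoted entries for additional URLs. The sample payload is constructed from the post's Chrome fragment, with one deliberately bad entry.

```python
"""Lint a Workspace ONE UEM Custom Settings payload for Chrome/Edge
AutoSelectCertificateForUrls rules. Added example; the sample below is
constructed and is not a payload from the original post."""
import json
import plistlib

# Constructed sample: the post's Chrome fragment wrapped in a plist root.
# The second entry carries a curly closing quote (U+201D) before TMApple.
SAMPLE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>AutoSelectCertificateForUrls</key>
<array>
<string>{"pattern":"https://cas.vidmpreview.com","filter":{"ISSUER":{"CN":"TMApple"}}}</string>
<string>{"pattern":"https://your.additional.url.com","filter":{"ISSUER":{"CN":\u201dTMApple"}}}</string>
</array>
<key>PayloadType</key><string>com.google.Chrome</string>
</dict></plist>"""

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def lint_autoselect(payload_xml):
    """Return a list of (entry_index, problem) tuples; an empty list means OK."""
    problems = []
    root = plistlib.loads(payload_xml.encode("utf-8"))
    entries = root.get("AutoSelectCertificateForUrls", [])
    if not entries:
        return [(-1, "AutoSelectCertificateForUrls key missing or empty")]
    for i, raw in enumerate(entries):
        if any(ch in raw for ch in CURLY_QUOTES):
            problems.append((i, "curly quote in JSON (pasted from a word processor?)"))
            continue  # the JSON will not parse; report the root cause only
        try:
            rule = json.loads(raw)
        except json.JSONDecodeError as exc:
            problems.append((i, f"invalid JSON: {exc.msg}"))
            continue
        pattern = rule.get("pattern", "")
        if not pattern.startswith("https://"):
            problems.append((i, "pattern must be an https:// URL"))
        issuer = rule.get("filter", {}).get("ISSUER", {})
        if not issuer.get("CN"):
            problems.append((i, "filter.ISSUER.CN missing (the post selects by issuer CN)"))
    return problems


def make_entry(url, issuer_cn):
    """Build one <string> value for an additional URL mapping, straight quotes only."""
    rule = {"pattern": url, "filter": {"ISSUER": {"CN": issuer_cn}}}
    return json.dumps(rule, separators=(",", ":"))
```

Run lint_autoselect over the full payload you intend to paste; any curly-quote finding means the rule would never match on the device.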


Troubleshooting Identity Preferences

If the identity preferences are not working, the issue might require troubleshooting from the affected device. Admins can troubleshoot the functionality using the following steps:

  1. Check for a mistyped URL in the identity preference payload (autocorrect fail, anyone?).
  2. Validate that the URL is the actual certificate authentication endpoint. The certificate authentication endpoint URL may not be the same as the Username/Password URL.
  3. Ensure that the certificate is present on the user's device and in the correct Keychain (the login keychain, and NOT the system keychain).
  4. Validate that the behavior works correctly if manually creating the identity preference in Keychain Access.app.
  5. Check Console.app for logging related to Keychain or Security.

Conclusion

As always, I hope this information helps you along the path to building a great end-user experience. Feel free to bring discussions about macOS management to the Workspace ONE community on VMware Technology Network. We also welcome community contributions to the EUC-Samples GitHub repository (send us a pull request and be sure to sign that CLA!).
