
Can an Intune MAM-enrolled iOS app access MDM-deployed PKCS certificates for mTLS client authentication?

Caroline 0 Reputation points
2026-03-04T19:28:35.3433333+00:00

I'm building an iOS app (Flutter, but using a native URLSession via Swift for all HTTP) that needs to perform mTLS by sending a client certificate with every request to an NGINX server configured to require client certs.

Our customers use Intune to deploy PKCS certificates to managed iPads via a device configuration profile. The certificate deploys successfully and is visible in the device's certificate store, but our app cannot access it from the keychain — SecItemCopyMatching returns -25300 (errSecItemNotFound) even with the com.microsoft.intune keychain access group entitlement added and verified in the binary via codesign.

We understand this is because MDM-deployed certs live in the system keychain, which third-party apps cannot access.

If we integrate the Intune App SDK for iOS and the user enrolls via MAM, will the app gain access to the PKCS certificate for use in a URLSessionDelegate client certificate challenge (NSURLAuthenticationMethodClientCertificate)? Specifically:

Can we retrieve a SecIdentity referencing the MDM-deployed PKCS cert after MAM enrollment?

Or does the SDK automatically intercept URLSession challenges and respond with the cert transparently?

Or is the PKCS cert simply not accessible to apps at all, regardless of MAM enrollment?

If the Intune SDK doesn't solve this, is there any supported mechanism for an Intune-managed app to use an MDM-deployed PKCS certificate for mTLS?

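As an added example (not the poster's code, and not an Intune SDK API), the following Swift delegate puts the two pieces the question describes together: a keychain lookup for a SecIdentity by access group, and a URLSession client-certificate challenge handler that fails closed when the lookup returns errSecItemNotFound. The access group and label values are placeholders.

```swift
import Foundation
import Security
// Added example, not the poster's code and not an Intune SDK API. accessGroup and label are
// placeholders; SecItemCopyMatching only returns identities in an access group this app holds.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    private let accessGroup: String   // placeholder, e.g. "<TEAMID>.com.example.app"
    private let label: String?        // optional kSecAttrLabel to select one identity
    init(accessGroup: String, label: String? = nil) {
        self.accessGroup = accessGroup
        self.label = label
    }
    /// Looks up a SecIdentity (certificate plus private key) and returns the OSStatus too,
    /// so the caller can tell errSecItemNotFound (-25300) apart from other failures.
    func copyIdentity() -> (SecIdentity?, OSStatus) {
        var query: [CFString: Any] = [
            kSecClass: kSecClassIdentity,
            kSecAttrAccessGroup: accessGroup,
            kSecReturnRef: true,
            kSecMatchLimit: kSecMatchLimitOne,
        ]
        if let label = label { query[kSecAttrLabel] = label }
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let ref = item,
              CFGetTypeID(ref) == SecIdentityGetTypeID() else { return (nil, status) }
        return ((ref as! SecIdentity), status)
    }
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Handle only the client-certificate challenge; leave server trust to the default
        // evaluation so a missing client identity never weakens server certificate checks.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let (identity, status) = copyIdentity()
        guard let identity = identity else {
            // The question's -25300 surfaces here: fail closed and report the status
            // instead of retrying the request without a certificate.
            NSLog("client identity lookup failed, OSStatus %d", status)
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        var leaf: SecCertificate?
        SecIdentityCopyCertificate(identity, &leaf)
        let credential = URLCredential(identity: identity, certificates: leaf.map { [$0 as Any] },
                                       persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}
```

Attach it with `URLSession(configuration: .default, delegate: ClientCertSessionDelegate(accessGroup: "<TEAMID>.com.example.app"), delegateQueue: nil)`; for an MDM-deployed PKCS identity the lookup returns -25300, matching what the poster observed, and the request is cancelled rather than sent without a client certificate.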

1 answer

Q&A Assist
    2026-03-04T19:28:58.5033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    PKCS certificates that are deployed to iOS/iPadOS devices by Intune via MDM (device configuration profiles) are not exposed to third‑party apps for direct keychain access, even when those apps are MAM-enrolled and use the Intune App SDK.

    From the provided information:

    • PKCS certificates for authentication are deployed through Intune PKCS certificate profiles that target a specific platform (including iOS) and are tied to an Enterprise CA via the Intune Certificate Connector.
    • These certificates are intended for scenarios like Wi‑Fi, VPN, and other system-level authentication, and are managed by the OS/MDM stack rather than by individual apps.
    • The Intune documentation and the Tunnel for MAM guidance only describe:
      • Deploying trusted root certificates via trusted certificate profiles so that apps (including Tunnel for MAM) can validate server certificates.
      • Using PKCS/SCEP profiles for authentication, but not exposing those private keys to arbitrary app keychain access.

    For MAM Tunnel on iOS specifically:

    • A trusted certificate profile is required only so the app can trust the on‑premises server’s SSL/TLS certificate chain.
    • Tunnel for MAM “uses the public-key certificate payload contained in the Intune trusted certificate profile but doesn't require the profile be assigned to any Microsoft Entra user or device groups” and can use a trusted certificate profile from any platform.
    • There is no indication that Tunnel for MAM or the Intune App SDK exposes MDM‑deployed client certificates (PKCS) to apps or automatically injects client certificates into URLSession mTLS handshakes.

    Nothing in the provided material describes:

    • Any API or SDK behavior that would allow an app to obtain a SecIdentity for an MDM‑deployed PKCS certificate.
    • Any automatic interception of NSURLAuthenticationMethodClientCertificate challenges by the Intune App SDK or Tunnel for MAM to supply a client certificate on behalf of the app.

    Based on the available documentation in the context, the supported Intune pattern for apps that use Tunnel for MAM is:

    • Use a trusted root certificate profile so the app (or Tunnel) can validate the server certificate chain.
    • Use MDM/MAM for device/app trust and conditional access, not for exposing client certificate private keys to third‑party apps.

    Therefore, within the scope of the provided information:

    • MDM‑deployed PKCS certificates are not documented as accessible to apps (no supported way to retrieve a SecIdentity).
    • The Intune App SDK and Tunnel for MAM are documented only as consuming trusted root certificates for server trust, not as brokering client certificates for mTLS.
    • No supported mechanism is described that would allow an Intune‑managed iOS app to use an MDM‑deployed PKCS client certificate for mTLS.

