Closed pauldekkers closed 5 months ago
I performed some more tests using a phone without FaceID enabled but with PIN. I configured the phone for eduroam, walked outside for a bit (out of range), to see if I got connected when I returned while the phone was still locked:
Is there a keychain specific setting that determines TLS-certificates are protected by phone-lock (that we could maybe toggle)? It's desirable to have the phone connect also in scenario 1.
I was unable to confirm the need to tap the network; that just must have been slow to connect when that happened. And I was also unable to confirm the last report about the lock requirement: no problems setting the code to 1 minute or so.
The current version of the app doesn't set a kSecAttrAccessible value when adding certificates to the keychain. That seems to match with your findings. It seems that we should set kSecAttrAccessibleAfterFirstUnlock. Or perhaps kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly? Apple seems to discourage using the kSecAttrAccessibleAlways variants.
More info also here.
```swift
/**
 @enum kSecAttrAccessible Value Constants
 @discussion Predefined item attribute constants used to get or set values
 in a dictionary. The kSecAttrAccessible constant is the key and its
 value is one of the constants defined here.
 When asking SecItemCopyMatching to return the item's data, the error
 errSecInteractionNotAllowed will be returned if the item's data is not
 available until a device unlock occurs.
 @constant kSecAttrAccessibleWhenUnlocked Item data can only be accessed
 while the device is unlocked. This is recommended for items that only
 need be accessible while the application is in the foreground. Items
 with this attribute will migrate to a new device when using encrypted
 backups.
 @constant kSecAttrAccessibleAfterFirstUnlock Item data can only be
 accessed once the device has been unlocked after a restart. This is
 recommended for items that need to be accessible by background
 applications. Items with this attribute will migrate to a new device
 when using encrypted backups.
 @constant kSecAttrAccessibleAlways Item data can always be accessed
 regardless of the lock state of the device. This is not recommended
 for anything except system use. Items with this attribute will migrate
 to a new device when using encrypted backups.
 @constant kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly Item data can
 only be accessed while the device is unlocked. This is recommended for
 items that only need to be accessible while the application is in the
 foreground and requires a passcode to be set on the device. Items with
 this attribute will never migrate to a new device, so after a backup
 is restored to a new device, these items will be missing. This
 attribute will not be available on devices without a passcode. Disabling
 the device passcode will cause all previously protected items to
 be deleted.
 @constant kSecAttrAccessibleWhenUnlockedThisDeviceOnly Item data can only
 be accessed while the device is unlocked. This is recommended for items
 that only need be accessible while the application is in the foreground.
 Items with this attribute will never migrate to a new device, so after
 a backup is restored to a new device, these items will be missing.
 @constant kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly Item data can
 only be accessed once the device has been unlocked after a restart.
 This is recommended for items that need to be accessible by background
 applications. Items with this attribute will never migrate to a new
 device, so after a backup is restored to a new device these items will
 be missing.
 @constant kSecAttrAccessibleAlwaysThisDeviceOnly Item data can always
 be accessed regardless of the lock state of the device. This option
 is not recommended for anything except system use. Items with this
 attribute will never migrate to a new device, so after a backup is
 restored to a new device, these items will be missing.
 */
@available(iOS 4.0, *)
public let kSecAttrAccessibleWhenUnlocked: CFString
@available(iOS 4.0, *)
public let kSecAttrAccessibleAfterFirstUnlock: CFString
@available(iOS, introduced: 4.0, deprecated: 12.0, message: "Use an accessibility level that provides some user protection, such as kSecAttrAccessibleAfterFirstUnlock")
public let kSecAttrAccessibleAlways: CFString
@available(iOS 8.0, *)
public let kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: CFString
@available(iOS 4.0, *)
public let kSecAttrAccessibleWhenUnlockedThisDeviceOnly: CFString
@available(iOS 4.0, *)
public let kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: CFString
@available(iOS, introduced: 4.0, deprecated: 12.0, message: "Use an accessibility level that provides some user protection, such as kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly")
public let kSecAttrAccessibleAlwaysThisDeviceOnly: CFString
```
To me, kSecAttrAccessibleAfterFirstUnlock makes sense, but there may even be a case for kSecAttrAccessibleAlways as it's OK if the system gets on to eduroam, in particular if a device is stolen and you want to have a WiFi connection to remote wipe a device...?
To be clear: this does mean that the user will need to go through the setup again. Just updating the app isn't enough.
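As an added illustration of the attribute discussed above (example code, not the geteduroam app's own implementation): storing a client certificate with kSecAttrAccessibleAfterFirstUnlock explicitly, and reading the protection class back so a test can confirm which one is in effect. The label string is an assumed placeholder.

```swift
import Foundation
import Security

/// Added example, not the app's code. Stores a certificate so it stays
/// readable while the screen is locked, provided the device has been
/// unlocked once since boot (kSecAttrAccessibleAfterFirstUnlock).
enum KeychainCert {
    // Hypothetical label used to find the item again; not from the project.
    static let label = "example-eduroam-client-cert"

    /// Add the certificate with an explicit accessibility class.
    /// Omitting kSecAttrAccessible leaves the system default
    /// (kSecAttrAccessibleWhenUnlocked), which is what makes the item
    /// unavailable to a background EAP authentication while locked.
    static func add(_ certificate: SecCertificate) -> OSStatus {
        let attrs: [CFString: Any] = [
            kSecClass: kSecClassCertificate,
            kSecValueRef: certificate,
            kSecAttrLabel: label,
            kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlock,
        ]
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    /// Return the stored item's kSecAttrAccessible value, or the error
    /// status. errSecInteractionNotAllowed here means the item exists but
    /// cannot be read in the current lock state, which is the symptom
    /// reported in this issue for items left at the default class.
    static func accessibility() -> (status: OSStatus, value: String?) {
        let query: [CFString: Any] = [
            kSecClass: kSecClassCertificate,
            kSecAttrLabel: label,
            kSecReturnAttributes: true,
            kSecMatchLimit: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess,
              let found = result as? [CFString: Any] else {
            return (status, nil)
        }
        return (status, found[kSecAttrAccessible] as? String)
    }
}
```

Calling accessibility() from a locked-screen test (e.g. triggered by a background task) is a direct way to verify whether the keychain class, rather than the Wi-Fi stack, is what blocks reconnection.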
We have some reports from users roaming through their institution where eduroam does not stay connected when the screen is locked, and doesn't resume immediately when unlocked. (They have to tap eduroam in the WiFi menu to connect.)
The reports are for iPhone 12 mini and iPhone 13, on both iOS 17.2.1 and 17.3.
It could be location specific. We still have options to try (like EAP-TLS via .mobileconfig instead, and username/password via geteduroam).
Another report asked about the lock requirement, as screen lock was apparently disabled but the device still prompted for the faceID/PIN.
Are there settings relevant to this issue in the API during configuration of the network? (Or is it that certificates are locked for use during screen lock, and maybe requiring screen lock?)