geteduroam / apple-app

This app for iPhone, iPad and Mac configures devices for use with the eduroam network.
https://geteduroam.app/
BSD 3-Clause "New" or "Revised" License

disconnect / lock / sleep behaviour and wifi resume #95

Closed pauldekkers closed 5 months ago

pauldekkers commented 5 months ago

We have some reports from users roaming through their institution where eduroam does not stay connected when the screen is locked, and doesn't resume immediately when unlocked. (They have to tap eduroam in the WiFi menu to connect.)

The reports are for iPhone 12 mini and iPhone 13, on both iOS 17.2.1 and 17.3.

It could be location specific. We still have options to try (like EAP-TLS via .mobileconfig instead, and username/password via geteduroam).

Another report asked about the lock requirement, as screen lock was apparently disabled but the device still prompted for the faceID/PIN.

Are there settings relevant to this issue in the API during configuration of the network? (Or is it that certificates are locked for use during screen lock, and maybe requiring screen lock?)

pauldekkers commented 5 months ago

I performed some more tests using a phone without FaceID enabled but with PIN. I configured the phone for eduroam, walked outside for a bit (out of range), to see if I got connected when I returned while the phone was still locked:

Is there a keychain specific setting that determines TLS-certificates are protected by phone-lock (that we could maybe toggle)? It's desirable to have the phone connect also in scenario 1.

I was unable to confirm the need to tap the network; that just must have been slow to connect when that happened. And I was also unable to confirm the last report about the lock requirement: no problems setting the code to 1 minute or so.

johankool commented 5 months ago

The current version of the app doesn't set a kSecAttrAccessible value when adding certificates to the keychain. That seems to match with your findings. It seems that we should set kSecAttrAccessibleAfterFirstUnlock. Or perhaps kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly? Apple seems to discourage using the kSecAttrAccessibleAlways variants.

More info also here.

```swift
/**
    @enum kSecAttrAccessible Value Constants
    @discussion Predefined item attribute constants used to get or set values
        in a dictionary. The kSecAttrAccessible constant is the key and its
        value is one of the constants defined here.
        When asking SecItemCopyMatching to return the item's data, the error
        errSecInteractionNotAllowed will be returned if the item's data is not
        available until a device unlock occurs.
    @constant kSecAttrAccessibleWhenUnlocked Item data can only be accessed
        while the device is unlocked. This is recommended for items that only
        need be accessible while the application is in the foreground.  Items
        with this attribute will migrate to a new device when using encrypted
        backups.
    @constant kSecAttrAccessibleAfterFirstUnlock Item data can only be
        accessed once the device has been unlocked after a restart.  This is
        recommended for items that need to be accessible by background
        applications. Items with this attribute will migrate to a new device
        when using encrypted backups.
    @constant kSecAttrAccessibleAlways Item data can always be accessed
        regardless of the lock state of the device.  This is not recommended
        for anything except system use. Items with this attribute will migrate
        to a new device when using encrypted backups.
    @constant kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly Item data can
        only be accessed while the device is unlocked. This is recommended for
        items that only need to be accessible while the application is in the
        foreground and requires a passcode to be set on the device. Items with
        this attribute will never migrate to a new device, so after a backup
        is restored to a new device, these items will be missing. This
        attribute will not be available on devices without a passcode. Disabling
        the device passcode will cause all previously protected items to
        be deleted.
    @constant kSecAttrAccessibleWhenUnlockedThisDeviceOnly Item data can only
        be accessed while the device is unlocked. This is recommended for items
        that only need be accessible while the application is in the foreground.
        Items with this attribute will never migrate to a new device, so after
        a backup is restored to a new device, these items will be missing.
    @constant kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly Item data can
        only be accessed once the device has been unlocked after a restart.
        This is recommended for items that need to be accessible by background
        applications. Items with this attribute will never migrate to a new
        device, so after a backup is restored to a new device these items will
        be missing.
    @constant kSecAttrAccessibleAlwaysThisDeviceOnly Item data can always
        be accessed regardless of the lock state of the device.  This option
        is not recommended for anything except system use. Items with this
        attribute will never migrate to a new device, so after a backup is
        restored to a new device, these items will be missing.
*/
@available(iOS 4.0, *)
public let kSecAttrAccessibleWhenUnlocked: CFString

@available(iOS 4.0, *)
public let kSecAttrAccessibleAfterFirstUnlock: CFString

@available(iOS, introduced: 4.0, deprecated: 12.0, message: "Use an accessibility level that provides some user protection, such as kSecAttrAccessibleAfterFirstUnlock")
public let kSecAttrAccessibleAlways: CFString

@available(iOS 8.0, *)
public let kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: CFString

@available(iOS 4.0, *)
public let kSecAttrAccessibleWhenUnlockedThisDeviceOnly: CFString

@available(iOS 4.0, *)
public let kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: CFString

@available(iOS, introduced: 4.0, deprecated: 12.0, message: "Use an accessibility level that provides some user protection, such as kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly")
public let kSecAttrAccessibleAlwaysThisDeviceOnly: CFString
```

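As an added illustration of the point made in this comment (example code written for this thread, not code from the geteduroam app): a certificate added with SecItemAdd and no kSecAttrAccessible key gets the default class, kSecAttrAccessibleWhenUnlocked, so a background EAP-TLS reconnect while the screen is locked cannot read it. Passing kSecAttrAccessibleAfterFirstUnlock explicitly fixes that, and reading the attribute back lets the choice be verified on a test device rather than inferred from reconnect behaviour. The helper names (KeychainError, addCertificate, storedAccessibility) and the certificate label are invented for the example; the DER bytes are assumed to come from the user's real client certificate.

```swift
import Foundation
import Security

// Example helpers written for this issue; not part of the geteduroam app.
enum KeychainError: Error {
    case invalidCertificate
    case unhandled(OSStatus)
}

/// Stores a DER-encoded certificate under `label` with an explicit
/// accessibility class. Omitting kSecAttrAccessible yields the default
/// kSecAttrAccessibleWhenUnlocked, which is what blocks reconnects while
/// the screen is locked. The ThisDeviceOnly variant is the same choice
/// minus migration through encrypted backups (see the header above).
func addCertificate(der: Data,
                    label: String,
                    accessibility: CFString = kSecAttrAccessibleAfterFirstUnlock) throws {
    guard let certificate = SecCertificateCreateWithData(nil, der as CFData) else {
        throw KeychainError.invalidCertificate
    }
    let attributes: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecValueRef as String: certificate,
        kSecAttrLabel as String: label,
        kSecAttrAccessible as String: accessibility,
    ]
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw KeychainError.unhandled(status)
    }
}

/// Reads the stored accessibility class back for the item with `label`,
/// so a test build can assert on it directly.
func storedAccessibility(label: String) throws -> String {
    let query: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecAttrLabel as String: label,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess,
          let attrs = item as? [String: Any],
          let accessible = attrs[kSecAttrAccessible as String] as? String else {
        throw KeychainError.unhandled(status)
    }
    return accessible
}

// Usage on a test device. `clientCertificateDER` stands in for the real
// DER-encoded client certificate (assumed, not constructed here).
// try addCertificate(der: clientCertificateDER, label: "eduroam client certificate")
// let cls = try storedAccessibility(label: "eduroam client certificate")
// cls == (kSecAttrAccessibleAfterFirstUnlock as String)   // expected: true
```

Because kSecAttrAccessible is set when the item is created, an item that was stored earlier without the key keeps its default class; the check above is the quickest way to tell an old configuration from a re-created one.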
pauldekkers commented 5 months ago

To me, kSecAttrAccessibleAfterFirstUnlock makes sense, but there may even be a case for kSecAttrAccessibleAlways as it's OK if the system gets on to eduroam, in particular if a device is stolen and you want to have a WiFi connection to remote wipe a device...?

johankool commented 5 months ago

To be clear: this does mean that the user will need to go through the setup again. Just updating the app isn't enough.