Open paul-turner opened 2 weeks ago
@paul-turner I am looking into this
Thanks @kanishkaBagga some additional information on the issues we are seeing:
MAM611 Config file not found: Config.plist
MAM611 Is first launch
MAM611 Config file not found: NBUConfig.plist
CMARKeychainUtils: Keychain utils was accessed before app was fully initialized
Let me know if there's additional information that would help.
@paul-turner - I need a few details to further investigate - 1) Can you share the API that you are using to access the keychain? 2) Can you share the MAM logs as mentioned here - https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-appendix#how-can-i-troubleshoot-my-app 3) Based on your email - how did you establish that "this app prompts users to sign-in (closing/re-opening the app resolves the issue without requiring the user to actually sign in)" is related to OSStatus -25308?
@kanishkaBagga Is there an email we can share the MAM logs to instead of sharing here? RE: 3 -- We've determined these are related because the inability to access our stored data in the keychain prevents us from resuming properly in a signed-in state (note this is separate from Intune registration etc., our own app state). And once the app is reopened we no longer see the errors in both the MAM logs and our own logs. And the issue does not occur in non-Intune SDK integrated builds.
@kanishkaBagga I've emailed the logs to wangxiao@microsoft.com @wangxiaoms since I saw their email in previous issues, let me know what email to send it to you.
As for our usage, we are calling SecItemCopyMatching.
Also worth noting that we recently switched from the default value of MaxFileProtectionLevel (which was NSFileProtectionComplete since we had no value set) to NSFileProtectionCompleteUntilFirstUserAuthentication in case that affects any keychain items.
@paul-turner - I have received the logs. I am looking into it.
@paul-turner could you please check whether the issue is triggered by either of the following scenarios: 1.) When the device is locked 2.) When the device is booted up for the first time and NOT yet unlocked. I think this may be caused by an incorrect value being set for the kSecAttrAccessible attribute key on the keychain item their app is attempting to access: https://developer.apple.com/documentation/security/item-attribute-keys-and-values#Accessibility-Values
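The accessibility check suggested in the comment above, as an added example that is not part of the thread or of the Intune SDK: it reads a keychain item without treating errSecInteractionNotAllowed (-25308) as "no session", and reports whether the item's kSecAttrAccessible class blocks reads while the device is locked. The service and account names are hypothetical, and the item is assumed to be a generic password.

```swift
import Foundation
import Security

// Hypothetical item identifiers (assumption); use the app's own service/account.
let service = "com.example.app.session"
let account = "current-user"

enum SessionRead {
    case found(Data)
    case signedOut          // errSecItemNotFound: no stored session
    case locked             // errSecInteractionNotAllowed (-25308): item exists but is sealed
    case failed(OSStatus)
}

func baseQuery() -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account,
     kSecMatchLimit as String: kSecMatchLimitOne]
}

// Read the session without collapsing "device locked" into "signed out".
func readSession() -> SessionRead {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    var out: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &out)
    switch status {
    case errSecSuccess:
        if let data = out as? Data { return .found(data) }
        return .failed(errSecDecode)
    case errSecItemNotFound:          return .signedOut
    case errSecInteractionNotAllowed: return .locked   // retry after unlock; keep app state
    default:                          return .failed(status)
    }
}

// Run while unlocked: report whether the item's protection class blocks locked reads.
func blocksLockedReads() -> Bool? {
    var query = baseQuery()
    query[kSecReturnAttributes as String] = true
    var out: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &out) == errSecSuccess,
          let attrs = out as? [String: Any],
          let cls = attrs[kSecAttrAccessible as String] as? String else { return nil }
    let unlockedOnly = [kSecAttrAccessibleWhenUnlocked,
                        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly].map { $0 as String }
    return unlockedOnly.contains(cls)
}
```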
Hey @kanishkaBagga! I work with @paul-turner!
We think the issue is triggered when the device is locked.
This may be related. A few months ago we were navigating many EXC_BAD_ACCESS errors that we traced back to being related to MaxFileProtectionLevel. Our value being unset means it defaulted to NSFileProtectionComplete, which we found in our testing was the cause of the crashes. We changed that to NSFileProtectionCompleteUntilFirstUserAuthentication as the documentation suggested, as we present lock screen UI elements (widgets).
In working with our partners, we heard apparently we need to set MaxFileProtectionLevel to NSFileProtectionComplete to access keychain items in the background task. Is there any documentation around this?
Describe the bug: We're seeing errors when accessing a keychain item from within a background task, which carries over to the next foreground launch. The error code given is OSStatus -25308, which we've mapped to https://developer.apple.com/documentation/security/errsecinteractionnotallowed
To Reproduce: We haven't been able to reproduce it internally, but have had multiple customer reports of the issue.
Smartphone (please complete the following information):
Intune App SDK for iOS: On the latest Intune SDK version 20.1.2, native app, we don't see the error happen on our app builds that don't have the Intune SDK integrated. No other trends identified yet.
One additional question I have is if you could expand a bit more on what the FinishLaunchingAtStartup setting changes for the app?