macOS 10.12 Bug regarding CBA and MDM (For ADAL 4.0.0 onwards)
Starting from ADAL 4.0.0, we are moving ADAL to WKWebView, as Apple has now officially deprecated UIWebView on iOS and WebView on macOS.
There are some known issues with macOS 10.12 (Sierra) regarding the keychain access prompt, which may cause the auth flow to fail. The affected flows and suggested workarounds follow.
For the Certificate Based Authentication (CBA) flow, once the user chooses a certificate from the certificate picker, macOS pops up a keychain access prompt asking whether the process may use the certificate.
It is a known system bug that clicking "Always Allow" leads to authentication failure, with either a connection-lost error (-1005) or an SSL error (-1200) in NSURLErrorDomain.
Workaround 1: the user clicks "Allow" instead of "Always Allow".
Workaround 2: the user manually adds the following process to the certificate's ACL (the private key's Access Control settings in Keychain Access):
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc
For MDM users, the system may show a keychain access prompt during the authentication process.
Similar to the CBA issue, "Always Allow" will lead to authentication failure, while "Allow" works as expected.
Workaround 1: the user clicks "Allow" instead of "Always Allow".
Workaround 2: the developer sets the app to allow arbitrary loads in Info.plist:

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <!-- NSAllowsArbitraryLoadsInWebContent ("Allow Arbitrary Loads in Web Content" in Xcode) also works -->
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
```

Note that NSAllowsArbitraryLoads turns off App Transport Security for every connection the app makes, not only for the web view; where it suffices, prefer the narrower NSAllowsArbitraryLoadsInWebContent key, which relaxes ATS only for content loaded in web views.
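To see how broad an ATS exemption an Info.plist actually grants, here is an added example (not code from this wiki or the ADAL project) that parses the plist with Python's standard-library plistlib and applies Apple's precedence rule: when NSAllowsArbitraryLoadsInWebContent or another narrower ATS key is present, NSAllowsArbitraryLoads is ignored on macOS 10.12 and later. Both sample plists are constructed for the example.

```python
"""Audit an Info.plist for App Transport Security (ATS) exemptions.
Added example, not code from the ADAL wiki or project; stdlib only.
Sample plists below are constructed."""
import plistlib

# Keys whose presence makes the OS ignore NSAllowsArbitraryLoads
# (iOS 10 / macOS 10.12 and later, per Apple's ATS documentation).
NARROW_KEYS = ("NSAllowsArbitraryLoadsInWebContent",
               "NSAllowsArbitraryLoadsForMedia", "NSAllowsLocalNetworking")

# Constructed sample 1: the app-wide workaround from the wiki page.
APP_WIDE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Constructed sample 2: both keys set; the narrower one takes precedence.
WEB_CONTENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  </dict>
</dict></plist>"""


def ats_exemption(plist_bytes: bytes) -> dict:
    """Report which ATS exemptions are effectively active in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = ats.get("NSAllowsArbitraryLoads") is True
    narrow_present = [k for k in NARROW_KEYS if k in ats]
    return {
        # The app-wide exemption only applies when no narrower key is present.
        "app_wide": arbitrary and not narrow_present,
        "app_wide_ignored": arbitrary and bool(narrow_present),
        "narrow": [k for k in narrow_present if ats[k] is True],
        "exception_domains": sorted(ats.get("NSExceptionDomains", {})),
    }


def verdict(plist_bytes: bytes) -> str:
    """One-line summary suitable for a build-time check."""
    r = ats_exemption(plist_bytes)
    if r["app_wide"]:
        return "ATS disabled app-wide (NSAllowsArbitraryLoads)"
    if r["narrow"]:
        return "ATS relaxed only for: " + ", ".join(r["narrow"])
    return "ATS enforced for all connections"
```

Running `verdict(open("Info.plist", "rb").read())` against a built app's Info.plist gives the one-line result a release check can assert on.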
Note that the macOS system bugs on this page only affect macOS 10.12 (Sierra). We have found no issue on the other supported macOS versions: macOS 10.11 (El Capitan), macOS 10.13 (High Sierra) and macOS 10.14 (Mojave).