
Passkey Attestation declarative configuration for Apple devices
Use the Passkey Attestation configuration to verify that a passkey was created on a managed device. The passkey attestation is in the form of a certificate used during provisioning.
The Passkey Attestation configuration supports the following:
Minimum supported operating system versions and channels: iOS 17, iPadOS 17, macOS 14 device, macOS 14 user.
Requires supervision: No.
Supported enrollment methods: Device Enrollment, Automated Device Enrollment.
Setting | Description | Required
---|---|---
Attestation identity asset | Specifies a certificate identity provided using ACME, SCEP, or PKCS #12 container to be used for attestation. | Yes
Attestation private key is extractable | Defines whether the private key of attestation identity is extractable on macOS. | No
Relying party | Only domains specified within the configuration can request attestation using the identity when creating a passkey. | Yes
Note: Each MDM vendor implements these settings differently. To learn how various Passkey Attestation settings are applied to your devices and users, consult your MDM vendor’s documentation.
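The following is an added example, not code from Apple or from any MDM vendor: a pre-deployment check that enforces the Required column of the settings table on a declaration payload and flags an extractable attestation key. The payload key names are assumed to match Apple's declarative device management schema, so confirm them against your MDM vendor's documentation; the sample payload and its identifiers are constructed.

```python
# Payload key names: assumed to match Apple's declarative management schema.
ASSET_KEY = "AttestationIdentityAssetReference"
EXTRACTABLE_KEY = "AttestationIdentityKeyIsExtractable"
RP_KEY = "RelyingParties"


def review_payload(payload):
    """Return (errors, warnings) for one Passkey Attestation payload dict."""
    errors, warnings = [], []
    # Required: reference to the certificate identity (ACME, SCEP or PKCS #12).
    asset = payload.get(ASSET_KEY)
    if not isinstance(asset, str) or not asset.strip():
        errors.append(f"{ASSET_KEY} is required and must be a non-empty string")
    # Required: only the listed domains may request attestation.
    rps = payload.get(RP_KEY)
    if not isinstance(rps, list) or not rps:
        errors.append(f"{RP_KEY} is required and must list at least one domain")
    else:
        seen = set()
        for rp in rps:
            if not isinstance(rp, str) or not rp.strip():
                errors.append(f"{RP_KEY} contains an empty or non-string entry")
                continue
            domain = rp.strip().lower()
            if "/" in domain:
                errors.append(f"{rp!r} looks like a URL; list the domain only")
            if domain in seen:
                warnings.append(f"duplicate relying party {domain!r}")
            seen.add(domain)
    # Optional (macOS): an extractable key can be copied off the managed device.
    extractable = payload.get(EXTRACTABLE_KEY, False)
    if not isinstance(extractable, bool):
        errors.append(f"{EXTRACTABLE_KEY} must be a boolean")
    elif extractable:
        warnings.append(f"{EXTRACTABLE_KEY} is true; key can leave the device")
    return errors, warnings


# Constructed sample payload (placeholder identifiers, not real assets).
SAMPLE = {
    ASSET_KEY: "EXAMPLE-ASSET-IDENTIFIER",
    EXTRACTABLE_KEY: True,
    RP_KEY: ["login.example.com", "https://sso.example.com/auth", "LOGIN.example.com"],
}

if __name__ == "__main__":
    for kind, messages in zip(("ERROR", "WARN"), review_payload(SAMPLE)):
        for message in messages:
            print(kind, message)
```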