
macOS 10.12 Bug regarding CBA and MDM (For ADAL 4.0.0 onwards)

Yong Zeng edited this page Oct 3, 2018 · 8 revisions

Starting with ADAL 4.0.0, ADAL uses WKWebView for its interactive flows, as Apple has officially deprecated UIWebView.

However, macOS 10.12 (Sierra) has known bugs in its keychain access prompt that can make the auth flow fail once the web view's networking runs in WebKit's own XPC service. The affected flows and their workarounds follow.

Certificate Based Authentication

In the Certificate Based Authentication (CBA) flow, once the user picks a certificate from the certificate picker, macOS pops up a keychain access prompt asking whether the requesting process may use the certificate's private key. The prompt offers "Allow" and "Always Allow".

It is a known system bug that clicking "Always Allow" leads to authentication failure, while "Allow" works as expected. "Always Allow" is supposed to record the requesting process in the key's access control list; on 10.12 this does not unblock the WKWebView networking service, which is why the second workaround adds that process by hand.

Workaround 1: the user clicks "Allow" rather than "Always Allow".

Workaround 2: the user manually adds the following process to the access control list of the certificate's private key (in Keychain Access, select the private key, open Get Info, Access Control tab, and add the application; the /System folder is hidden in the file picker, so use Go to Folder with the full path):
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc
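The same ACL change can be made when the client-certificate identity is provisioned, which is how an administrator would apply workaround 2 across many machines. The script below is an added example, not part of the ADAL wiki or the ADAL code base: it imports a PKCS#12 identity with the WebKit networking service and the app already on the private key's ACL, and checks a keychain ACL dump for that entry. The app bundle path, the P12_PASSWORD and KEYCHAIN_PASSWORD variables, and the sample dump text are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the ADAL wiki or code base): pre-authorise the
# WKWebView networking service on a client-certificate private key at import
# time, instead of adding it by hand in Keychain Access.

WEBKIT_NETWORKING_XPC=/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc

# Import a PKCS#12 identity with the key's ACL pre-populated.
#   $1  .p12 file
#   $2  keychain (e.g. ~/Library/Keychains/login.keychain-db)
#   $3  bundle of the app that drives the auth flow (assumed path)
# Each -T adds a trusted application to the private key's access control
# list, so neither the app nor the WebKit networking service triggers the
# prompt; -x marks the private key non-extractable.
import_identity() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found (not macOS); would run:" >&2
        echo "  security import $1 -k $2 -f pkcs12 -x -T $WEBKIT_NETWORKING_XPC -T $3" >&2
        return 2
    fi
    [ -n "${P12_PASSWORD:-}" ] || { echo "P12_PASSWORD is not set" >&2; return 1; }
    [ -n "${KEYCHAIN_PASSWORD:-}" ] || { echo "KEYCHAIN_PASSWORD is not set" >&2; return 1; }
    security import "$1" -k "$2" -f pkcs12 -P "$P12_PASSWORD" -x \
        -T "$WEBKIT_NETWORKING_XPC" -T "$3" || return 1
    # From 10.12 on, keys imported with the CLI are also gated by a partition
    # list; "apple:" covers Apple-signed processes such as the WebKit XPC service.
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$KEYCHAIN_PASSWORD" "$2" >/dev/null
}

# Check: does the ACL text name the WebKit networking service?
# $1 is the output of `security dump-keychain -a <keychain>` (or one key's
# section of it), passed in as text so the check also works on a saved dump.
acl_grants_webkit() {
    printf '%s\n' "$1" | grep -qF "$WEBKIT_NETWORKING_XPC"
}

# Constructed samples of the ACL section such a dump prints for one private
# key; the app path is made up for the example.
SAMPLE_ACL_OK='    entry 1:
        authorizations (6): decrypt derive exportClear exportWrapped mac sign
        description: privateKey
        applications (2):
            0: /Applications/ContosoMail.app (OK)
            1: /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc (OK)'

SAMPLE_ACL_MISSING='    entry 1:
        authorizations (6): decrypt derive exportClear exportWrapped mac sign
        description: privateKey
        applications (1):
            0: /Applications/ContosoMail.app (OK)'

# Usage on a Mac:
#   P12_PASSWORD=... KEYCHAIN_PASSWORD=... \
#     import_identity client.p12 ~/Library/Keychains/login.keychain-db /Applications/ContosoMail.app
#   acl_grants_webkit "$(security dump-keychain -a ~/Library/Keychains/login.keychain-db)" \
#     && echo "WebKit networking service is on the key ACL"
```

Deploying the key with the ACL already populated means the user never sees the prompt, so the "Always Allow" path of the bug cannot be hit. The dump check is worth running after a deployment because a key that was imported without -T shows only the app, as in the second sample.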

MDM

On MDM-enrolled devices, the system may show a keychain access prompt for the MDM-deployed identity during the authentication process, again offering "Allow" and "Always Allow".

As with the CBA issue, "Always Allow" leads to authentication failure, while "Allow" works as expected.

Workaround 1: the user clicks "Allow" rather than "Always Allow".

Workaround 2: the developer relaxes App Transport Security in the app's Info.plist:
    <key>NSAppTransportSecurity</key>
    <dict>
        <!-- NSAllowsArbitraryLoadsInWebContent is the narrower alternative: it exempts only loads made by web views -->
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
    <!-- remaining Info.plist keys, e.g. UIRequiredDeviceCapabilities, follow -->

Note that NSAllowsArbitraryLoads switches ATS off for every connection the app makes, not only for the auth web view. NSAllowsArbitraryLoadsInWebContent, which macOS 10.12 already honours, limits the exemption to web view content and should be tried first; whichever key is used, scope it to this bug and remove it once 10.12 no longer needs to be supported.

Note that the macOS system bugs on this page affect only macOS 10.12 (Sierra). We have found no issue on the other supported macOS versions: macOS 10.11 (El Capitan), macOS 10.13 (High Sierra) and macOS 10.14 (Mojave).
