Having a sandbox / webkit issue when a machine is managed (MDM active)

fedagain
Contributor

Hello,

We have a particular portion of our state's website that is hosted / managed by them. I DON'T know the particulars of the backend, but can supply this info:

1.) The portion of the website that doesn't work (when managed) results in these errors in the console:

a.) com.apple.SecurityServer[93]: Sandbox denied authorizing right 'system.keychain.modify' by client '/System/Library/StagedFrameworks/Safari/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc' [900]

b.) com.apple.SecurityServer[93]: Problem opening rules file "/etc/authorization": No such file or directory

c.) kernel[0]: Sandbox: com.apple.WebKit(900) deny(1) authorization-right-obtain system.keychain.modify

d.) com.apple.WebKit.Networking[900]: CFNetwork SSLHandshake failed (-128)

Disabling SIP has no effect, but removing the jss MDM results in full functionality.

When managed the browser(s) ask for system keychain access, but every credential is declined!

Any ideas of settings in the jss that might change this behavior?

If you need more info, please ask.

3 REPLIES

bvrooman
Valued Contributor

Perhaps the web server is attempting to use the jamf binary's device cert as its SSL certificate?

fedagain
Contributor

Okay, if it is, then what do I need to do to test that please?

We are using the built-in cert... could that be an issue?

bvrooman
Valued Contributor

I'm not sure of a way to test it other than to try, and then look at the logs on the web server. Whoever maintains that site would know if there's a portion which requires (or accepts, but doesn't require possibly?) cert authentication, which is where Safari might be getting mixed up. It could also be something else entirely, but the website and its server will need to be more than a black box in order to get any real troubleshooting done.
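Added example, not part of any post in this thread: a small Python triage script that groups the console lines from the original post by process ID and reports any process that was both denied an authorization right by the sandbox and then failed a TLS handshake. The regular expressions assume the line shapes exactly as pasted above (no timestamp prefix is required), and the function and pattern names are hypothetical.

```python
import re
from collections import defaultdict

# Console lines a-d as pasted in the original post.
SAMPLE = """\
com.apple.SecurityServer[93]: Sandbox denied authorizing right 'system.keychain.modify' by client '/System/Library/StagedFrameworks/Safari/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc' [900]
com.apple.SecurityServer[93]: Problem opening rules file "/etc/authorization": No such file or directory
kernel[0]: Sandbox: com.apple.WebKit(900) deny(1) authorization-right-obtain system.keychain.modify
com.apple.WebKit.Networking[900]: CFNetwork SSLHandshake failed (-128)
"""

# SecurityServer names the client path and puts the client PID in trailing brackets.
SECURITYD_DENY = re.compile(
    r"Sandbox denied authorizing right '(?P<right>[^']+)' "
    r"by client '(?P<client>[^']+)' \[(?P<pid>\d+)\]")
# The kernel sandbox line puts the PID in parentheses after the process name.
KERNEL_DENY = re.compile(
    r"kernel\[\d+\]: Sandbox: (?P<proc>\S+)\((?P<pid>\d+)\) "
    r"deny\(\d+\) authorization-right-obtain (?P<right>\S+)")
# CFNetwork reports the handshake failure from the networking process itself.
TLS_FAIL = re.compile(
    r"(?P<proc>[\w.]+)\[(?P<pid>\d+)\]: CFNetwork SSLHandshake failed "
    r"\((?P<code>-?\d+)\)")

def correlate(text):
    """Return {pid: details} for PIDs with a denied right AND a TLS failure."""
    by_pid = defaultdict(
        lambda: {"rights": set(), "tls_errors": [], "client": None})
    for line in text.splitlines():
        if m := SECURITYD_DENY.search(line):
            entry = by_pid[int(m["pid"])]
            entry["rights"].add(m["right"])
            entry["client"] = m["client"]
        elif m := KERNEL_DENY.search(line):
            by_pid[int(m["pid"])]["rights"].add(m["right"])
        elif m := TLS_FAIL.search(line):
            by_pid[int(m["pid"])]["tls_errors"].append(int(m["code"]))
    # Keep only processes where both symptoms appear together.
    return {pid: e for pid, e in by_pid.items()
            if e["rights"] and e["tls_errors"]}

if __name__ == "__main__":
    for pid, info in correlate(SAMPLE).items():
        print(pid, sorted(info["rights"]), info["tls_errors"], info["client"])
```

Running the same function over console output captured with the MDM profile removed gives a baseline: if the denial and the handshake failure both disappear for the WebKit networking process, the two symptoms are linked to management rather than to the site alone.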