MDM and Secret Chest

Updated: Jan 22

Mobile Device Management, or MDM for short, is how most Apple devices are managed en masse. MDM technologies were introduced in the earliest versions of iOS and drifted into the Mac ecosystem, in many cases to replace old scripted Unix-style management from the days of yore. Why not supplement scripting instead of replacing it, one might ask; the answer is that various scripting techniques have been abused by bad actors, and so we just… can’t have nice things any longer. Or at least those nice things. We can have security and privacy, and those are nice things to get in the trade.

Extension management is not an aspect of device management that has been fully worked out. MDM can configure features of autofill, but it cannot enable autofill; that still needs to be done manually. Based on the Apple developer documentation for MDM, it’s been possible since iOS 12 to force password autofill to prompt for a password on each use. It’s also possible to disable password sharing via MDM, but that applies only to Keychain passwords, not to Secret Chest objects.

Secret Chest also uses Bluetooth. When we attempt to communicate between devices we will first try to do so via Bluetooth, then through Wi-Fi, and if neither is available we will send a push notification asking the user to open the Secret Chest app on a device. Therefore, various MDM options that alter the behavior of Bluetooth could impede the ability of Secret Chest to communicate as intended, as could various proxy settings. Those can be quite varied, so network connectivity is beyond the scope of this article.

Secret Chest also has some features that can be managed via configuration profile. The defaults domain we use is io.secretchest.SecretChest.

Force Touch ID
Enable Apple Watch Extension
Allow Show Password
Log Out On Sleep
Log Out When Closed
Keep in mind that we can ship preference keys fairly quickly. So if there's something that would help ease the integration in your environment that we haven't thought of, please let us know!
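As an added example (not code from the article or from Secret Chest), the following Python script builds a Custom Settings configuration profile for the io.secretchest.SecretChest defaults domain and then parses the profile back to verify which settings will be forced. The preference key names used here are placeholders: the article lists the managed preferences by display name only, so the real keys must come from the vendor's documentation. The payload structure (a com.apple.ManagedClient.preferences payload with a Forced mcx_preference_settings dictionary) is the standard way MDM vendors push a managed defaults domain to a Mac.

```python
"""Build and validate a Custom Settings profile for a managed defaults domain.

Example added for this article; not part of Secret Chest. The preference
keys are placeholders (the article only gives display names), so replace
them with the documented keys before deploying.
"""
import plistlib
import uuid

DOMAIN = "io.secretchest.SecretChest"

# PLACEHOLDER keys: hypothetical names standing in for the real preference keys.
MANAGED_SETTINGS = {
    "PLACEHOLDER_ForceTouchID": True,
    "PLACEHOLDER_EnableAppleWatchExtension": True,
    "PLACEHOLDER_AllowShowPassword": False,
    "PLACEHOLDER_LogOutOnSleep": True,
    "PLACEHOLDER_LogOutWhenClosed": True,
}

MCX_PAYLOAD_TYPE = "com.apple.ManagedClient.preferences"


def build_profile(settings, domain=DOMAIN, org="Example Org"):
    """Return a .mobileconfig (XML plist) as bytes that forces `settings` for `domain`.

    "Forced" means the user cannot override the values; "Set-Once" would seed a
    default the user may later change.
    """
    payload = {
        "PayloadType": MCX_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{domain}.managed",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{domain} managed preferences",
        "PayloadContent": {
            domain: {
                "Forced": [{"mcx_preference_settings": dict(settings)}],
            }
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{domain}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Secret Chest managed preferences",
        "PayloadOrganization": org,
        # Prevent a local user from removing the profile and undoing the policy.
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def forced_settings(profile_bytes, domain=DOMAIN):
    """Parse a profile and return the merged Forced settings for `domain`.

    Useful as a pre-deployment check: confirms the domain is spelled correctly
    and the keys landed under Forced rather than somewhere the app won't read.
    """
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MCX_PAYLOAD_TYPE:
            continue
        domain_content = payload.get("PayloadContent", {}).get(domain, {})
        for entry in domain_content.get("Forced", []):
            merged.update(entry.get("mcx_preference_settings", {}))
    return merged


if __name__ == "__main__":
    data = build_profile(MANAGED_SETTINGS)
    with open("SecretChest-managed.mobileconfig", "wb") as fh:
        fh.write(data)
    print("Forced settings in profile:", forced_settings(data))
```

After the profile is installed on a test Mac, `defaults read io.secretchest.SecretChest` should show the forced values, and `profiles show` should list the profile; a Bluetooth or proxy restriction in another profile is a separate payload and does not appear under this domain.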

Finally, most devices supervised by an MDM will leverage a feature called Managed Open-In. The Managed Open-In feature restricts the ability for software that is installed by an MDM to copy data to software that wasn’t installed by an MDM. Therefore, it’s possible that the fetch password button in a secret will not be able to be install

Another aspect to keep in mind is that other tools, like Chrome Enterprise, can be used to manage various features of the browsers they govern. Google Chrome is one example, but there are plenty of others. Secret Chest can be deployed to devices from a centralized console. As shown in this article, the autofill extension still needs to be enabled manually, but passkey support can be enabled via this centralized mechanism.
