Keychain/secd not respecting app access whitelist

Originator: keagysan
Number: rdar://36967962
Date Originated: 29/01/2018
Status: Open
Resolved: No
Product: macOS
Product Version: 10.13.3
Classification:
Reproducible: Yes
 
Summary:
Set app whitelist for all MS Office 2016 apps in Keychain Access for my client certificate, but none of the MS Office apps seem to be able to access the certificate or private key.
Certificate/Key combination works fine via Safari, allowing me to access Office 365 via the web interface.
Was working fine in Sierra, failed immediately after upgrading to High Sierra. Certificate/key have been tested on a Windows 7 laptop and a Windows 7 virtual machine, and function as expected.
Logs indicate secd is disallowing the MS apps access to the keychain, stating:

default	10:04:48.077069 +1100	secd	Microsoft Outloo[7730]/1#14 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements}

Steps to Reproduce:
Opening any Office software (tested with Outlook, PowerPoint, Excel, Word from the installer I was provided, as well as the latest Teams from their website, and OneDrive from both the Microsoft installer and the Mac App Store), and attempting to sign in with my account credentials causes it to try to present a login window for my Enterprise Office 365 account (Microsoft calls this 'Modern Authentication').

Expected Results:
Once the certificate is recognised, a 2-factor authentication process should start (as part of my company's authentication process for cloud services), which if completed successfully, should authenticate me to my Office 365 account for that app.

Actual Results:
After the handoff from Microsoft's login page to my enterprise one, accessing the cert/key in keychain fails, which then presents me a failure window from my enterprise.

Version/Build:
macOS High Sierra 10.13.3
Has been an issue since 10.13.0 and persisted through all updates.

Configuration:
Has been managed via MDM (though it seems the same cert problem is causing Airwatch MDM to crash regularly). Have tested without MDM and manually installing the certificate, which allows Safari to use the cert/key for authentication, but the Office apps still don't work.

Comments

Pertinent Logs

Attached full Console.app output into Apple Bug Reporter. Relevant lines here to help other users.

default 10:04:48.078903 +1100 securityd MacOS error: -67050
default 10:04:48.079040 +1100 secd Microsoft Outloo[7730]/1#14 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements}
default 10:04:48.080256 +1100 secd Microsoft Outloo[7730]/1#14 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements}
default 10:04:48.081969 +1100 securityd code requirement check failed (-67050), client is not Apple-signed
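Added example, not part of the original report: a small Python triage script that runs over Console.app/`log show` style lines like the ones above and pulls out the secd/securityd keychain denials, the client process that was refused, and the Security framework result code. The two codes in the report are mapped to their SecBase.h/CSCommon.h constant names (-34018 is errSecMissingEntitlement, -67050 is errSecCSReqFailed). The sample log is constructed from the lines quoted above plus one invented Safari line, to show that lines without an error code are ignored.

```python
"""Triage macOS unified-log lines for keychain access denials from secd/securityd."""
import re
from collections import Counter

# Security.framework result codes seen in the report, with their constant names.
SEC_ERROR_NAMES = {
    -34018: "errSecMissingEntitlement",  # client lacks a keychain-related entitlement
    -67050: "errSecCSReqFailed",         # client failed a code-signing requirement
}

# Constructed sample input modelled on the lines quoted in the report. The final
# Safari line is invented to show that lines without an error code are skipped.
SAMPLE_LOG = """\
default 10:04:48.078903 +1100 securityd MacOS error: -67050
default 10:04:48.079040 +1100 secd Microsoft Outloo[7730]/1#14 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements}
default 10:04:48.081969 +1100 securityd code requirement check failed (-67050), client is not Apple-signed
default 10:04:49.100000 +1100 secd Safari[812]/1#3 LF=0 copy_matching found 1 item
"""

# "<level> <time> <tz> <process> <rest>" as printed by Console.app / `log show`
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tz>[+-]\d{4})\s+"
    r"(?P<process>secd|securityd)\s+(?P<rest>.*)$"
)
# secd prefixes its messages with "<client>[<pid>]/<n>#<m> LF=<x> <operation> ..."
CLIENT_RE = re.compile(
    r"^(?P<client>.+?)\[(?P<pid>\d+)\]/\d+#\d+\s+LF=\d+\s+(?P<operation>\w+)\s+(?P<msg>.*)$"
)
# A negative OSStatus such as "Code=-34018", "error: -67050" or "(-67050)"
CODE_RE = re.compile(r"(?<![\w.])-\d{4,6}\b")


def parse_line(line):
    """Return a dict for a secd/securityd line carrying an error code, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    event = {
        "time": m.group("time"),
        "process": m.group("process"),
        "client": None,
        "pid": None,
        "operation": None,
    }
    cm = CLIENT_RE.match(rest)
    if cm:
        event["client"] = cm.group("client")
        event["pid"] = int(cm.group("pid"))
        event["operation"] = cm.group("operation")
        rest = cm.group("msg")
    code_match = CODE_RE.search(rest)
    if not code_match:
        return None  # informational line, not a denial
    code = int(code_match.group(0))
    event["code"] = code
    event["name"] = SEC_ERROR_NAMES.get(code, "unknown")
    event["message"] = rest
    return event


def find_denials(log_text):
    """Parse every line and keep those that carry a Security framework error code."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def summarize(events):
    """Count denials per (client or daemon, error name) so the refused app stands out."""
    return Counter((ev["client"] or ev["process"], ev["name"]) for ev in events)


if __name__ == "__main__":
    found = find_denials(SAMPLE_LOG)
    for ev in found:
        print(f'{ev["time"]} {ev["process"]:<9} client={ev["client"]!r} '
              f'{ev["code"]} {ev["name"]}')
    for (who, name), count in summarize(found).items():
        print(f"{who}: {name} x{count}")
```

Feed it the output of `log show --predicate 'process == "secd" OR process == "securityd"'` (or a Console.app export) to see which client processes are being refused and whether the refusal is an entitlement problem (-34018) or a code-signing requirement failure (-67050), which is the distinction the two daemons draw in the lines above.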

