Getting TPM error in macOS for some users

We have been using the Pritunl Enterprise version for a few months and never faced any issue, but recently we made some changes to one of the servers in Pritunl, and three or four users randomly started facing an issue.

What the issue is: we are using Google for client authentication, so the expected behaviour is that clicking Connect redirects to the browser and the client connects after Google authentication. For a few users, however, no browser opens when they click Connect and pritunl-client directly shows a disconnecting error. First we thought there was an issue with permissions, but that didn't fix the issue. Then we uninstalled and reinstalled the client and still faced the same issue. Then we entirely reset macOS and it got fixed. We don't want to follow the same procedure for the other users, so what can we do? If this were a laptop issue, users would be expected to face it from day one, when we made the changes for authentication, but it started suddenly, so we are not sure. Is there any way to remove pritunl-client entirely from macOS, not only the app but every file related to it, just to check whether that solves our issue?

LOGS FROM VPN CLIENT

client_disconnected=false ◆ client_provider=true ◆ client_startime=0 ◆ data_iface="" ◆ data_mode="" ◆ data_remotes=[]string{"43.204.95.54"} ◆ data_status="connecting" ◆ data_timestamp=0 ◆ data_tun_iface="" ◆ ovpn_auth_failed=false ◆ ovpn_cmd=false ◆ ovpn_connected=false ◆ ovpn_dir="" ◆ ovpn_last_auth_failed=-1 ◆ ovpn_management_pass=false ◆ ovpn_management_port=0 ◆ ovpn_path="/Applications/Pritunl.app/Contents/Resources/pritunl-openvpn" ◆ ovpn_remotes=[]string{} ◆ ovpn_running=0 ◆ ovpn_tap_iface="" ◆ profile_device_auth=true ◆ profile_disable_dns=false ◆ profile_disable_gateway=false ◆ profile_dynamic_firewall=false ◆ profile_force_connect=false ◆ profile_force_dns=false ◆ profile_geo_sort=false ◆ profile_id="7602ea2d1b16da0d" ◆ profile_mode="ovpn" ◆ profile_reconnect=true ◆ profile_sso_auth=true ◆ profile_system_profile=false ◆ profile_timeout=false ◆ remote="43.204.95.54" ◆ state_closed=false ◆ state_closed_waiters=0 ◆ state_deadline=false ◆ state_delay=false ◆ state_id="32c69ac32b656251" ◆ state_interactive=false ◆ state_no_reconnect=false ◆ state_stop=false ◆ state_system_interactive=false ◆ state_temp_paths=[]string{} ◆ state_time=time.Date(2025, time.January, 21, 14, 39, 33, 820611000, time.Local) ◆ wg_bash_path="/Applications/Pritunl.app/Contents/Resources/bash" ◆ wg_conf_path="" ◆ wg_conf_path2="" ◆ wg_connected=false ◆ wg_last_handshake=0 ◆ wg_path="/Applications/Pritunl.app/Contents/Resources/wg" ◆ wg_priv_key=false ◆ wg_pub_key=false ◆ wg_quick_path="/Applications/Pritunl.app/Contents/Resources/wg-quick" ◆ wg_server_pub_key=false ◆ wg_sso_start=time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC) ◆ wg_sso_token=false ◆ wg_util_path=""
[2025-01-21 14:39:33][ERRO] ▶ profile: All connection requests failed
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=EzRLdAQCJRCWAFhq exit_code=null output=Swift/ErrorType.swift:253: Fatal error: Error raised at top level: Error Domain=NSOSStatusErrorDomain Code=-25308 "<sepk:* kid=0000000000000000>: unable to generate key" UserInfo={NSDebugDescription=<sepk:* kid=0000000000000000>: unable to generate key, AKSError=-536870174}
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/tpm.(*Remote).Open
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/tpm/remote.go:61 +0x102a7a870
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).encryptReqBox
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:708 +0x102a8d823
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).EncRequest
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:944 +0x102a8ef0b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:545 +0x102a8cae7
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).connectPreAuth
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:287 +0x102a8b2ef
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).Start
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:189 +0x102a8a4ff
github.com/pritunl/pritunl-client-electron/service/connection.(*Ovpn).Start
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/ovpn.go:107 +0x102a9196f
github.com/pritunl/pritunl-client-electron/service/connection.(*Connection).Start
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/connection.go:127 +0x102a91958
github.com/pritunl/pritunl-client-electron/service/connection.(*Connection).Restart
    /Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/connection.go:152 +0x102a91d77
runtime.goexit
    /opt/homebrew/Cellar/go@1.22/1.22.8/libexec/src/runtime/asm_arm64.s:1222 +0x102546343
[2025-01-21 14:39:33][ERRO] ▶ connection: Disconnecting ◆ client_disconnect=true ◆ client_disconnect_waiters=0 ◆ client_disconnected=false ◆ client_provider=true ◆ client_startime=0 ◆ data_iface="" ◆ data_mode="" ◆ data_remotes=[]string{"43.204.95.54"} ◆ data_status="connecting" ◆ data_timestamp=0 ◆ data_tun_iface="" ◆ ovpn_auth_failed=false ◆ ovpn_cmd=false ◆ ovpn_connected=false ◆ ovpn_dir="" ◆ ovpn_last_auth_failed=-1 ◆ ovpn_management_pass=false ◆ ovpn_management_port=0 ◆ ovpn_path="/Applications/Pritunl.app/Contents/Resources/pritunl-openvpn" ◆ ovpn_remotes=[]string{} ◆ ovpn_running=0 ◆ ovpn_tap_iface="" ◆ profile_device_auth=true ◆ profile_disable_dns=false ◆ profile_disable_gateway=false ◆ profile_dynamic_firewall=false ◆ profile_force_connect=false ◆ profile_force_dns=false ◆ profile_geo_sort=false ◆ profile_id="7602ea2d1b16da0d" ◆ profile_mode="ovpn" ◆ profile_reconnect=true ◆ profile_sso_auth=true ◆ profile_system_profile=false ◆ profile_timeout=false ◆ state_closed=false ◆ state_closed_waiters=0 ◆ state_deadline=false ◆ state_delay=false ◆ state_id="32c69ac32b656251" ◆ state_interactive=false ◆ state_no_reconnect=false ◆ state_stop=true ◆ state_system_interactive=false ◆ state_temp_paths=[]string{} ◆ state_time=time.Date(2025, time.January, 21, 14, 39, 33, 820611000, time.Local) ◆ wg_bash_path="/Applications/Pritunl.app/Contents/Resources/bash" ◆ wg_conf_path="" ◆ wg_conf_path2="" ◆ wg_connected=false ◆ wg_last_handshake=0 ◆ wg_path="/Applications/Pritunl.app/Contents/Resources/wg" ◆ wg_priv_key=false ◆ wg_pub_key=false ◆ wg_quick_path="/Applications/Pritunl.app/Contents/Resources/wg-quick" ◆ wg_server_pub_key=false ◆ wg_sso_start=time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC) ◆ wg_sso_token=false ◆ wg_util_path=""
[2025-01-21 14:39:40][INFO] ▶ utils: Clearing DNS state

That most likely indicates that the system doesn't have a Secure Enclave. All Apple Silicon computers have it. For Intel systems it is located on the T2 chip; check the list of systems on the Apple T2 Wiki.

You will need to create a second server without device authentication. The user's organization can then be added to that server. Groups can then be used to limit it to only users who don't have a supported device. This can be done by adding a group in the advanced server settings, then adding that group to the user who doesn't have a supported device in the advanced user settings.
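
One way to find this failure across collected client logs, for example to decide which users belong on the server without device authentication. This is an added example, not part of the original thread and not Pritunl code; the sample log is constructed by abbreviating the lines in the question, and the function names are hypothetical.

```python
import re

HEADER = re.compile(r'^\[(?P<ts>[\d\- :]+)\]\[(?P<level>\w+)\] ▶ (?P<body>.*)$')
OSSTATUS = re.compile(r'NSOSStatusErrorDomain Code=(-?\d+)')
AKS = re.compile(r'AKSError=(-?\d+)')

# Constructed sample: lines abbreviated from the log in the question.
SAMPLE_LOG = """\
[2025-01-21 14:39:33][ERRO] ▶ profile: All connection requests failed
tpm: Client TPM error Tpm: Secure enclave exec code error exit_code=null output=Error Domain=NSOSStatusErrorDomain Code=-25308 "<sepk:* kid=0000000000000000>: unable to generate key" UserInfo={AKSError=-536870174}
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/tpm.(*Remote).Open
[2025-01-21 14:39:33][ERRO] ▶ connection: Disconnecting ◆ profile_device_auth=true ◆ profile_id="7602ea2d1b16da0d" ◆ profile_sso_auth=true ◆ state_stop=true
[2025-01-21 14:39:40][INFO] ▶ utils: Clearing DNS state
"""

def parse_entries(text):
    """Group lines into entries: a '[ts][LEVEL] ▶' header plus its continuation lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            msg, *pairs = m.group("body").split(" ◆ ")
            fields = dict(p.split("=", 1) for p in pairs if "=" in p)
            entries.append({"ts": m.group("ts"), "level": m.group("level"),
                            "msg": msg, "fields": fields, "extra": []})
        elif entries and line.strip():
            entries[-1]["extra"].append(line.strip())
    return entries

def find_enclave_failures(text):
    """Return one record per Secure Enclave failure, with the profile it hit."""
    entries = parse_entries(text)
    hits = []
    for i, entry in enumerate(entries):
        blob = "\n".join(entry["extra"])
        if "Secure enclave exec code error" not in blob:
            continue
        status, aks = OSSTATUS.search(blob), AKS.search(blob)
        # The error carries no profile fields; take them from the next entry that does.
        ctx = next((e["fields"] for e in entries[i + 1:] if "profile_id" in e["fields"]), {})
        hits.append({
            "ts": entry["ts"],
            "os_status": int(status.group(1)) if status else None,
            "aks_error": int(aks.group(1)) if aks else None,
            "profile_id": ctx.get("profile_id", "").strip('"') or None,
            "device_auth": ctx.get("profile_device_auth") == "true" if ctx else None,
        })
    return hits

if __name__ == "__main__":
    for hit in find_enclave_failures(SAMPLE_LOG):
        print(hit)
```

A hit with `device_auth` set to true marks a profile whose connection attempt stopped at Secure Enclave key generation, before any SSO browser redirect.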