Hi Team,
We have enabled Device Authentication. However, an issue arises when an administrator resets a user’s device password. Due to our password policy, which requires a password change every 90 days, failure by the user to update their password results in the MDM tools (https://endpointcentral.manageengine.com/) automatically resetting it. Subsequently, users are unable to connect to Pritunl, encountering the error “Failed to connect to profile.”
This is a service log for the Pritunl Client:
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/tpm.(*Remote).Sign
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/tpm/remote.go:114 +0x102df4c2c
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).reqOvpn
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:2256 +0x102e03833
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).openOvpn
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1969 +0x102e0230b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).startOvpn
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1375 +0x102dff02b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).Start
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1358 +0x102dfee5b
github.com/pritunl/pritunl-client-electron/service/handlers.profilePost.func1
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/handlers/profile.go:108 +0x102e1edc3
runtime.goexit
/opt/homebrew/Cellar/go/1.21.3/libexec/src/runtime/asm_arm64.s:1197 +0x1028f0593
[2024-01-16 09:29:35][WARN] ▶ profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=kK46uDIxItYvezrs exit_code=null output=Swift/ErrorType.swift:200: Fatal error: Error raised at top level: Error Domain=CryptoTokenKit Code=-3 "<sepk:p256 kid=f314516529490837>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256 kid=f314516529490837>: unable to sign digest, AKSError=-536363001}
The issue seems to be related to the keychain. It would not have occurred if the user had changed their password themselves instead of having it reset.
The affected devices are MacBook Pro/Air M2 with the following OS versions: 13.2, 13.4, 13.6.1, and 14.2.1.
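An added triage snippet, not from the post or from the Pritunl project, that parses pritunl-client service log entries of the shape quoted above and flags the CryptoTokenKit Code=-3 "unable to sign digest" signature so that affected devices can be identified from collected client logs; the sample log is constructed, with the first entry copied from the post and the second entry's values (timestamps, caller_id, output) made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: entry 1 mirrors the post, entry 2 is an invented
# "other" TPM failure so the classifier has something to tell apart.
SAMPLE_LOG = """\
[2024-01-16 09:29:35][WARN] ▶ profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=kK46uDIxItYvezrs exit_code=null output=Swift/ErrorType.swift:200: Fatal error: Error raised at top level: Error Domain=CryptoTokenKit Code=-3 "<sepk:p256 kid=f314516529490837>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256 kid=f314516529490837>: unable to sign digest, AKSError=-536363001}
[2024-01-16 09:30:02][INFO] ▶ profile: Connecting
[2024-01-16 09:31:10][WARN] ▶ profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=PLACEHOLDER exit_code=1 output=some unrelated failure
"""

HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\] ▶ (?P<msg>.*)$")
CTK_RE = re.compile(r"Error Domain=CryptoTokenKit Code=(?P<code>-?\d+)")
KID_RE = re.compile(r"<sepk:p256 kid=(?P<kid>[0-9a-f]+)>")
CALLER_RE = re.compile(r"caller_id=(?P<caller>\S+)")

@dataclass
class Entry:
    ts: str
    level: str
    msg: str
    detail: list = field(default_factory=list)  # continuation lines

def parse_entries(text):
    """Group a service log into header entries plus their continuation lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["level"], m["msg"]))
        elif entries:
            entries[-1].detail.append(line)
    return entries

def classify(entry):
    """Label a 'Request ovpn connection error' entry; None for other entries."""
    if "Request ovpn connection error" not in entry.msg:
        return None
    blob = "\n".join(entry.detail)
    ctk = CTK_RE.search(blob)
    kid = KID_RE.search(blob)
    caller = CALLER_RE.search(blob)
    # Code=-3 plus "unable to sign digest" is the Secure Enclave key failure
    # seen after an administrative password reset; everything else is "other".
    label = ("sep_key_unusable" if ctk and ctk["code"] == "-3"
             and "unable to sign digest" in blob else "other_tpm_error")
    return {"ts": entry.ts, "class": label, "kid": kid["kid"] if kid else None,
            "caller_id": caller["caller"] if caller else None}

def triage(text):
    """Return one finding per connection-error entry in the log text."""
    return [r for r in (classify(e) for e in parse_entries(text)) if r]
```

Devices whose logs yield `sep_key_unusable` need the device re-enrolled (a fresh Secure Enclave key) rather than a password retry.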