Configure the Passkey Attestation declarative configuration payload (com.apple.configuration.security.passkey.attestation) via MDM to enable attested passkey creation on managed devices running iOS 17+/macOS 14+
Set the relyingPartyIdentifiers key in the payload to the list of RP IDs that should receive hardware attestation; registrations for RP IDs not on that list receive no attestation
During WebAuthn registration, request attestation by setting attestation: 'enterprise' in PublicKeyCredentialCreationOptions; Apple will return an Apple Anonymous Attestation statement
Verify an attestation statement of format 'apple' by checking that the nonce embedded in the leaf certificate equals SHA-256(authenticatorData || clientDataHash), where clientDataHash is the SHA-256 of the clientDataJSON sent back by the client
For unmanaged consumer passkeys, Apple returns attestation format 'none' with a zeroed AAGUID; this is expected and should not be treated as an error
Use the certificate chain in the x5c field to verify the attestation against Apple's attestation CA root available at https://www.apple.com/certificateauthority/private/
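Worked example of the nonce and public-key binding checks from the 'apple' verification procedure, added here as illustration; it is not code from this page or from Apple. It uses only the Python standard library and assumes the caller has already validated the x5c chain to Apple's root and extracted, with an X.509 library, the leaf certificate's nonce extension value (OID 1.2.840.113635.100.8.2) and its SubjectPublicKeyInfo point. The function and variable names and all sample data (authData, clientDataJSON, extension bytes) are constructed for the example.

```python
import hashlib
import hmac
import json
import struct

# OID of the Apple nonce extension in the leaf certificate (WebAuthn section 8.8).
APPLE_NONCE_OID = "1.2.840.113635.100.8.2"


def _der_read(buf: bytes, pos: int):
    """Minimal DER TLV reader returning (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def nonce_from_extension(ext_value: bytes) -> bytes:
    """Extract the 32-byte nonce: SEQUENCE { [1] EXPLICIT OCTET STRING nonce }."""
    tag, seq, _ = _der_read(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, ctx, _ = _der_read(seq, 0)
    if tag != 0xA1:
        raise ValueError("expected context tag [1]")
    tag, nonce, _ = _der_read(ctx, 0)
    if tag != 0x04 or len(nonce) != 32:
        raise ValueError("expected 32-byte OCTET STRING nonce")
    return nonce


def _cbor_decode(buf: bytes, pos: int = 0):
    """Tiny CBOR decoder covering what a COSE EC2 key needs: ints, byte strings, maps."""
    head = buf[pos]
    major, info = head >> 5, head & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("unsupported CBOR argument encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return buf[pos:pos + arg], pos + arg
    if major == 5:
        items = {}
        for _ in range(arg):
            key, pos = _cbor_decode(buf, pos)
            val, pos = _cbor_decode(buf, pos)
            items[key] = val
        return items, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticatorData into its fields; the AT flag must be set for registration."""
    flags = auth_data[32]
    if not flags & 0x40:
        raise ValueError("AT flag not set; no attested credential data present")
    cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
    cose_key, _ = _cbor_decode(auth_data, 55 + cred_id_len)
    return {"rp_id_hash": auth_data[:32], "flags": flags,
            "sign_count": struct.unpack(">I", auth_data[33:37])[0],
            "aaguid": auth_data[37:53], "credential_id": auth_data[55:55 + cred_id_len],
            "cose_key": cose_key}


def verify_apple_binding(auth_data, client_data_json, nonce_ext_value, leaf_public_point) -> dict:
    """nonce = SHA-256(authData || clientDataHash) must equal the certificate nonce, and the
    credential public key must equal the leaf certificate key. Chain validation to Apple's
    root (assumed already done by the caller) is not repeated here."""
    client_data_hash = hashlib.sha256(client_data_json).digest()
    expected_nonce = hashlib.sha256(auth_data + client_data_hash).digest()
    nonce_ok = hmac.compare_digest(expected_nonce, nonce_from_extension(nonce_ext_value))
    parsed = parse_authenticator_data(auth_data)
    key = parsed["cose_key"]
    # COSE EC2 key on P-256: kty(1)=2, crv(-1)=1, x=-2, y=-3; compare as an uncompressed point.
    cred_point = b"\x04" + key.get(-2, b"") + key.get(-3, b"")
    key_ok = key.get(1) == 2 and key.get(-1) == 1 and cred_point == leaf_public_point
    return {"nonce_ok": nonce_ok, "public_key_ok": key_ok, "aaguid": parsed["aaguid"]}


def build_sample():
    """Constructed sample (not a real Apple response): authData for example.com with a P-256
    COSE key, matching clientDataJSON, the nonce extension value and the leaf key point."""
    x, y = bytes(range(1, 33)), bytes(range(101, 133))
    cose_key = (b"\xa5" + b"\x01\x02" + b"\x03\x26" + b"\x20\x01"
                + b"\x21\x58\x20" + x + b"\x22\x58\x20" + y)  # {1:2, 3:-7, -1:1, -2:x, -3:y}
    auth_data = (hashlib.sha256(b"example.com").digest() + bytes([0x45])  # flags UP|UV|AT
                 + b"\x00\x00\x00\x00" + bytes(16) + b"\x00\x10" + bytes(16) + cose_key)
    client_data = json.dumps({"type": "webauthn.create", "challenge": "c2FtcGxl",
                              "origin": "https://example.com"}).encode()
    nonce = hashlib.sha256(auth_data + hashlib.sha256(client_data).digest()).digest()
    ext_value = b"\x30\x24\xa1\x22\x04\x20" + nonce
    return auth_data, client_data, ext_value, b"\x04" + x + y


if __name__ == "__main__":
    print(verify_apple_binding(*build_sample()))
```

Any change to authenticatorData or clientDataJSON after the certificate was issued makes nonce_ok false, which is the property the nonce check exists to detect; a credential key that differs from the leaf certificate key makes public_key_ok false. Both must be true, in addition to a successful chain validation, before the registration is accepted as attested.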
Known gotchas
iOS 26 introduced a one-tap Account Creation API (ASAuthorizationAccountCreationProvider) for passwordless onboarding; this is distinct from a standard registration ceremony and has its own response handling
Consumer iCloud Keychain passkeys do not provide hardware attestation regardless of enterprise configuration; enterprise attestation only applies to Secure Enclave-backed device-bound passkeys on enrolled devices
The AAGUID for Apple platform authenticators is zeroed in consumer mode; do not use AAGUID as a reliable signal for Apple device type in non-enterprise contexts