Safari prompts for client certificate on Google DoubleClick after macOS enrollmentSolved

Hello,

Thanks for reaching out to Hexnode Connect.

This is a known interaction that occurs when Safari tries to use the Hexnode SCEP certificate as a client authentication certificate for the DoubleClick endpoint.

When DoubleClick’s server requests a client certificate, Safari checks the keychain, sees the Hexnode SCEP Root CA, and prompts the user to confirm its use. You can manually suppress this by creating an Identity Preference in Keychain Access:

1. Open Keychain Access on the Mac.
2. Under System Keychains on the sidebar, select System.
3. Locate and select the certificate named Hexnode UEM – SCEP Root CA.
4. From the macOS menu bar, navigate to File > New Identity Preference.
5. Set the Location or Email Address field to the affected DoubleClick URL or domain (e.g., [https://ad.doubleclick.net/](https://ad.doubleclick.net/)).
6. Leave the selected certificate as the Hexnode SCEP certificate and click Add.

Once this identity preference is established, Safari will automatically submit the certificate silently in the background. Because the DoubleClick endpoint does not actually recognize or require it, it rejects the certificate silently without throwing the user-facing prompt, and the web page continues loading normally.

I hope this helps. If you find any more issues or need further assistance feel free to reach out.

Best regards,
George,
Hexnode UEM

Thanks, George. I tested that manual Keychain fix on a test Mac and it worked perfectly—no more pop-ups. However, we really need to apply this fix across our entire deployed fleet. Since it is a certificate/keychain setting, can this be pushed as a configuration profile payload directly from the Hexnode portal?

Hello,

Currently, there is no built-in Hexnode configuration profile payload specifically designed for creating Safari identity preferences.

However, you can automate this exact change across your entire fleet by deploying a custom bash script through a Hexnode macOS policy. The security command-line tool in macOS allows you to script the creation of identity preferences. Here is how you can deploy it:

1. Create a bash script that uses the security set-identity-preference command to bind the Hexnode SCEP certificate to the DoubleClick domain.
2. In your Hexnode portal, navigate to Policies > New Policy (or edit an existing macOS policy).
3. Go to macOS > Configurations > Scripts.
4. Upload your script file.
5. Set the Binary Path to /bin/bash. (If it auto-fills as /bin/sh, make sure to change it).
6. Configure the script to run with Root privileges, as modifying the System Keychain requires elevated permissions.
7. Set the execution frequency to Every Device Startup or Daily to ensure the setting persists or reapplies if cleared.
8. Assign the policy to your target Macs or device groups and save.

Please ensure you test your custom script thoroughly on a single machine before deploying it to your wider fleet.

I hope this helps. If you find any more issues or need further assistance feel free to reach out.

Best regards,
George,
Hexnode UEM