Additionally, certificates and private keys stored on Mac clients are fully exportable. The delivery of digital certificates and private keys to Mac clients can conflict with your security policy design and weaken your security posture.
As a result of the inherent differences between Mac and PC clients, requesting certificates on Mac devices requires a more user-intensive process, and the certificates are delivered and stored in a less secure manner. Private key exposure and certificate transferability contradict most security policies, but are often accepted for Mac devices due to the lack of alternatives. To support legal non-repudiation, key pairs used for digital signature must be generated by the client software, must not be exportable or backed up, and must remain under user control at all times.