Configuring a Mac Computer for Smart Card Login

This section explains how to set up smart card login for a Mac computer:

Understanding Smart Card Login

Supported Smart Card Types

Configuring Smart Card Login

Using Smart Card Login

Troubleshooting Smart Card Login

Other Functions of Smart Card Support on macOS

Known Issues of Using Smart Cards with macOS

Understanding Smart Card Login

Smart cards provide an enhanced level of security for authenticating to an Active Directory domain. Configuring a smart card for use on a Mac computer that is running the DirectControl agent requires that you have already set up the smart card for use in a Windows domain. You do not need to add any smart card infrastructure to the Mac computer, other than a smart card reader and a provisioned smart card.

If you have set up smart card login for Windows clients in a domain, you can use Access Manager to configure smart card login for Mac clients joined to the same domain. Once you configure smart card support for a Mac computer, a smart card that you have provisioned for use on a Windows computer can also be used to log in to the Mac computer.

Supported Smart Card Types

Delinea Smart Card Support for macOS is based on the modern native macOS framework, CryptoTokenKit. TokenD is no longer supported.

For macOS 10.15 and later, Delinea supports personal identity verification (PIV) smart cards, USB CCID class-compliant readers, and hard tokens that support the PIV standard.

Configuring Smart Card Login

Delinea provides group policies, configuration options, and account options to perform the smart card configuration tasks described below.

Before configuring smart card login, refer to the next section, Verifying Prerequisites for Configuring Smart Card Login, to ensure that your environment meets all the prerequisites.

Verifying Prerequisites for Configuring Smart Card Login

  • Make sure that your smart card is supported by MacOS.

    MacOS 10.15 and later supports personal identity verification (PIV) smart cards, USB CCID class-compliant readers, and hard tokens that support the PIV standard.

    • Provision a smart card with an NT principal name and PIN.
    • Verify that the Active Directory user’s UPN matches the UPN on the smart card.
    • Make sure that there are at least two certificates on your smart card, for two different purposes: "Signature and smartcard logon" and "Encryption." macOS uses the certificate whose purpose is "Signature and smartcard logon" to log on, and the certificate whose purpose is "Encryption" to encrypt and decrypt the user's Keychain automatically. If there is no "Encryption" certificate, the user will need to enter the Keychain password every time they log in.
  • Make sure that your smart card is able to log in to a Windows computer.

    If a user is able to log in to a Windows computer with a smart card, and you have a card reader and a fully-provisioned card for the Mac computer, the user should be able to log in to the Mac computer once you configure it for smart card support.

Enabling Smart Card Support

To enable smart card support for logging on

  1. Make sure that you have configured the Delinea Agent to have full disk access.

  2. Create or edit an existing Group Policy Object linked to a site, domain, or OU that includes Mac computers.

  3. In the Group Policy Management Editor, expand Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, then double-click Enable smart card support.

  4. Select Enabled to enable smart card support.

  5. Select any of the following smart card options:

    • Enable smart card support for the SUDO command: When executing the SUDO command, the smart card user can authenticate by entering their smart card PIN.
    • Enable smart card support for the SU command: When executing the SU command, the smart card user can authenticate by entering their smart card PIN.
    • Enable smart card support for the LOGIN command: When executing the LOGIN command, the smart card user can authenticate by entering their smart card PIN.
    • Enforce smart card login: Users can only log in to the Mac computer by way of smart card login.
    • Exception group: Any users who belong to this group can always log in to the Mac computer with user name and password (no smart card required). In general, we recommend that you set an exception group, such as admins, when you select the option to enforce smart card login.
    • Certificate trust behavior: Select one of these numbers to set how the smart card certificate must be trusted. The numbers mean the following:
      • 0: Smart card certificate trust isn’t required.
      • 1: Smart card certificate and certificate chain must be trusted.
      • 2: Certificate and certificate chain must be trusted and not receive a revoked status.
      • 3: Certificate and certificate chain must be trusted and revocation status is returned valid.
  6. Because smart card login is not password-based, do not enable the "Enable Keychain synchronization" group policy: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable Keychain synchronization

  7. If FileVault is enabled on your Mac, please enable the "Disable automatic login" group policy: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > FileVault2 > Disable automatic login.

    The policy takes effect dynamically at the next group policy refresh interval or after you run adgpupdate.

Verifying Smart Card Configuration

After enabling smart card support as described above in Configuring Smart Card Login, do the following to verify that a smart card is working:

  1. Insert the smart card into the reader.

  2. Open Terminal.app and run the following command:

    % sc_auth identities

    You should see that the smart card has paired to the Active Directory user. For example:

    SmartCard: com.apple.pivtoken:00000000000000000000000000000000
    Paired identities which are used for authentication:
    9800A35AD2A41AEFB03CF431B76BA194E22F48EE    pivau1 - Certificate For PIV Authentication (PIV AU 1)

    You never need to pair your smart card manually. If you see the following SmartCard Pairing dialog, the smart card support is not ready. Re-check the smart card support GP and then execute the command adgpupdate.
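
The verification step above can be scripted. The following is an added example, not part of the Delinea documentation: it parses the output of sc_auth identities and reports whether any identity is listed under the "Paired identities" header, which is the condition the page says must hold before the pairing dialog stops appearing. The two sample outputs are constructed for illustration; the section headers follow the format shown above.

```shell
#!/bin/sh
# Added example (not from the Delinea page): sanity-check `sc_auth identities`
# output to confirm a PIV identity is paired for login.
# Live use:  check_paired "$(sc_auth identities)"
# The two samples below are constructed for illustration.

SAMPLE_PAIRED='SmartCard: com.apple.pivtoken:00000000000000000000000000000000
Paired identities which are used for authentication:
9800A35AD2A41AEFB03CF431B76BA194E22F48EE    pivau1 - Certificate For PIV Authentication (PIV AU 1)
Unpaired identities:
1111111111111111111111111111111111111111    pivenc1 - Certificate For Key Management (PIV ENC 1)'

# Same card before pairing: nothing is listed under "Paired identities".
SAMPLE_UNPAIRED='SmartCard: com.apple.pivtoken:00000000000000000000000000000000
Unpaired identities:
9800A35AD2A41AEFB03CF431B76BA194E22F48EE    pivau1 - Certificate For PIV Authentication (PIV AU 1)'

# Print "<sha1-hash>|<label>" for every identity listed under the
# "Paired identities which are used for authentication:" header.
paired_identities() {
    printf '%s\n' "$1" | awk '
        /^Paired identities/   { in_paired = 1; next }
        /^Unpaired identities/ { in_paired = 0; next }
        in_paired && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ {
            hash = $1; $1 = ""; sub(/^[ \t]+/, "")
            print hash "|" $0
        }'
}

# Number of paired identities (0 means the pairing dialog will appear).
paired_count() {
    paired_identities "$1" | wc -l | tr -d ' '
}

# Exit status 0 when at least one identity is paired; otherwise 1, which is
# the page's cue to re-check the smart card GP and run adgpupdate.
check_paired() {
    if [ "$(paired_count "$1")" -gt 0 ]; then
        echo "OK: $(paired_count "$1") paired identity(ies) found"
        return 0
    fi
    echo "NOT READY: no paired identity; re-check the GP and run adgpupdate" >&2
    return 1
}
```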

Enabling the Screen Saver for Smart Card Removal

Currently, we don't have a group policy to enable the screen saver when the smart card is removed. Please use the group policy entitled "Specify multiple login scripts" to deploy the following script:

#!/bin/bash
# Determine the user who currently owns the console (the logged-in GUI user).
user_name=$(ls -l /dev/console | cut -d " " -f 4)
# tokenRemovalAction 1 = start the screen saver when the smart card is removed.
defaults write "/Users/$user_name/Library/Preferences/com.apple.screensaver" tokenRemovalAction -int 1
# The login script may run as root, so hand the plist back to the user.
chown "$user_name:staff" "/Users/$user_name/Library/Preferences/com.apple.screensaver.plist"
exit 0

The script sets the Mac to start the screen saver automatically when the smart card is removed.

Disabling Smart Card Support

To disable smart card support:

  1. Edit the Group Policy Object linked to a site, domain, or OU that includes Mac computers, expand Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, then double-click Enable smart card support.
  2. Select Disabled and click OK.

Using Smart Card Login

When a user inserts a smart card into the card reader attached to a Mac computer that is waiting for login, the login screen is replaced by a smart card enabled login screen.

To log in with a smart card:

  1. Insert the smart card into the smart card reader.

    A login screen displays, prompting you to enter your PIN.

  2. If the "Configure mobile account creation" group policy is enabled, you are prompted to create a mobile account.

    If the "Bypass the SecureToken dialog" option is not enabled, you are prompted to authenticate the SecureToken after creating the mobile account.

  3. The system will then prompt you to set a password for Keychain.

    The password can be the same as or different from your Active Directory password. For security reasons, it should not be the same as your smart card PIN.

Troubleshooting Smart Card Login

If you have problems with smart card logon, Access Manager provides a command-line tool, sctool, which you can run to configure smart card logon, as well as to provide diagnostic information. See the sctool man page.

Additional smart card diagnostic procedures are provided in Diagnosing Smart Card Login Problems.

Other Functions of Smart Card Support on MacOS

MacOS 10.15 includes built-in support for the following capabilities:

  • Authentication: LoginWindow, PKINIT, SSH, Screensaver, Safari, authorization dialogs, and in third-party apps supporting CTK
  • Signing: Mail and third-party apps supporting CTK
  • Encryption: Mail, Keychain Access, and third-party apps supporting CTK

For more information, please see https://support.apple.com/guide/deployment-reference-macos/intro-to-smart-card-integration-apd1fa5245b2/1/web/1.0.

Known Issues of Using Smart Cards with macOS

Due to a limitation of macOS, a smart card user does not receive User Group Policy automatically; Computer Group Policy works normally. The workaround is to run the following commands after logging in with a smart card:

% sctool -k

% adgpupdate

After you run the above commands, log out and log back in. Most User Group Policies should then work normally.