Use a smart card on Mac
The default method of smart card usage on Mac computers is to pair a smart card to a local user account; this method occurs automatically when a user inserts their card into a card reader attached to a computer. The user is prompted to “pair” the card with their account and requires admin access to perform this task (due to pairing information being stored in the user’s local directory account) This method is called local account pairing. If a user doesn’t pair their card when prompted, the user can still use the card to access websites but is unable to log in to their user account with the smart card. Smart cards can also be used with a directory service. To use the smart card for login, it must be either paired or configured to work with a directory service.
Local account pairing
The steps below describe the local account pairing process:
Insert a PIV smart card or hard token that includes authentication and encryption identities.
Select Pair at the notification dialog.
Provide administrator account credentials (user name/password).
Provide the four-to-six-digit personal identification number (PIN) for the inserted smart card.
Log out and use the smart card and PIN to log back in.
Local account pairing can also be accomplished with the command-line and an existing account. For more information, see Configure a Mac for smart card–only authentication.
Attribute mapping with Active Directory
Smart cards can be authenticated against Active Directory using attribute mapping. This method involves having an Active Directory bound system and setting appropriate matching fields in the file /private/etc/SmartcardLogin.plist. This file must have world-readable permissions to function properly. The following fields in the PIV Authentication certificate can be used to map attributes to corresponding values in the directory account:
Common Name
RFC 822 Name (email address)
NT Principal Name
Organization
OrganizationalUnit:1
OrganizationalUnit:2
OrganizationalUnit:3
Country
Multiple fields may also be concatenated to produce a matching value in the directory.
Before the user can take advantage of this feature, their Mac must be configured with the appropriate attribute mapping and the local pairing user interface must be turned off. A user must have local administrator permissions to complete this task.
To turn off the local pairing dialog, open the Terminal app, then type:
sudo defaults write /Library/Preferences/com.apple.security.smartcard UserPairing -bool NO
The user can then enter their password when prompted.
As soon as the Mac is configured, a user simply inserts a smart card or token to create a new user account. They’re prompted to enter their pin and create a unique keychain password that is wrapped by the encryption key in the smart card. Accounts can be configured for network user accounts or mobile user accounts.
Note: The presence of the /private/etc/SmartcardLogin.plist file takes precedence over paired local accounts.
Network user account with attribute mapping example
Below is an example SmartcardLogin.plist file where mapping correlates the Common Name and the RFC 822 Name on the PIV Authentication certificate to match the longName
attribute in Active Directory:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttributeMapping</key>
<dict>
<key>fields</key>
<array>
<string>Common Name</string>
<string>RFC 822 Name</string>
</array>
<key>formatString</key>
<string>$1</string>
<key>dsAttributeString</key>
<string>dsAttrTypeNative:longName</string>
</dict>
</dict>
</plist>
Mobile user account with attribute mapping example
When binding to Active Directory, select the “Create mobile account at login” preference to allow mobile accounts for offline login. This mobile user feature is supported with Kerberos attribute mapping, and configured in the Smartcardlogin.plist file. This configuration is also useful in environments where a Mac may not always be able to reach directory server. However, initial account setup requires machine binding and access to the directory server.
Note: If you’re using mobile accounts, the first time one is created, the initial login must use the associated password of the account. This process ensures a Secure Token is obtained so further logins can unlock FileVault. After the initial password-based login, smart card-only authentication can be used.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttributeMapping</key>
<dict>
<key>fields</key>
<array>
<string>NT Principal Name</string>
</array>
<key>formatString</key>
<string>Kerberos:$1</string>
<key>dsAttributeString</key>
<string>dsAttrTypeStandard:AltSecurityIdentities</string>
</dict>
</dict>
</plist>
Enabling the screen saver on token removal
The screen saver can be configured to start automatically when a user removes their token. This option appears only after a smart card has been paired. There are two main ways to accomplish this:
In Privacy & Security settings on the Mac, use the Advanced button and select “Turn on screen saver when login token is removed.” Make sure the screen saver settings are configured, then select “Require a password immediately after sleep or screen saver begins.”
In a mobile device management (MDM) solution, use the
tokenRemovalAction
key.