
How to Configure Smart Card Authentication for macOS Devices using Hexnode MDM

Users can log in to their Macs with a smart card. Smart card authentication requires the user to possess the smart card and to enter its PIN, which gives stronger protection than a device password alone.

Smart card authentication is stronger than a password because it combines two factors, possession of the card and knowledge of the PIN, whereas a compromised password exposes the account on its own. Hexnode MDM lets you configure smart card authentication settings for Macs. This functionality is supported on devices running macOS 10.12.4 and later.

Configure Smart Card Authentication

  1. Log in to your Hexnode MDM portal.
  2. Go to Policies > New Policy. Assign a suitable name and description (optional) for the policy. Alternatively, you can choose to continue with an existing policy.
  3. From macOS > Security, choose Smart Card Authentication. Click Configure.

The following options can be configured.


Settings and their descriptions

Show user pairing dialog
Check this option to show the pairing dialog when an unpaired smart card is inserted. If disabled, the user won’t see the pairing dialog; existing pairings continue to work.

Unlock via Smart Card
Check this option to allow the smart card to be used for login, authorization and screensaver unlocking. If disabled, the smart card can’t be used for those purposes, but it can still be used for web access and signing emails. The device must be restarted for a change to this setting to take effect.

Verify Certificate Trust
This option controls whether the certificate on the smart card is validated before it is accepted. A certificate is considered valid only if all of the following conditions are met:

  • It passes CRL and OCSP checks.
  • It has not expired.
  • Its issuer is trusted by the system.

You can select one of the four available options:

  1. Turn off certificate validity check – No certificate trust check is performed.
  2. Turn on certificate validity check – A standard validity check (expiry and issuer trust) is performed. No additional revocation check is carried out.
  3. Certificate validity check is turned on and a soft revocation check is turned on – The certificate also undergoes a CRL/OCSP check and may be accepted or rejected by it.
    • Soft revocation check: the certificate is considered valid until it is explicitly rejected by the CRL/OCSP check. If no revocation response can be obtained, the certificate is still accepted.
  4. Certificate validity check is turned on and a hard revocation check is turned on – The certificate also undergoes a CRL/OCSP check and may be accepted or rejected by it.
    • Hard revocation check: the certificate is considered invalid until the CRL/OCSP check confirms that it is good. If no revocation response can be obtained, the certificate is rejected, so make sure the revocation endpoints are reachable from the Mac before choosing this option.

By default, the certificate trust check is turned off.

Allow one smart card per user
Check this option to allow a user to pair with only one smart card. Existing pairings are still allowed.

Enable Screensaver on Smart Card removal (macOS 10.13.4+)
Check this option to start the screensaver when the smart card is removed from the Mac.
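The policy above reaches the Mac as a configuration profile carrying a com.apple.security.smartcard payload. The shell script below is an added example, not Hexnode’s or Apple’s code: it emits such a profile with every option in the table enabled and the Verify Certificate Trust level taken from its argument (0 to 3 in the same order as the list above, defaulting to 3, hard revocation), and includes a function to read the delivered settings back on an enrolled Mac. The payload keys are Apple’s documented smart card payload keys; the identifiers and UUIDs are placeholders, and the mapping from Hexnode’s option names to those keys is an assumption.

```shell
#!/bin/sh
# Added example, not code from Hexnode or Apple.
# Emits a configuration profile with one com.apple.security.smartcard payload.
# Usage: make_smartcard_profile [checkCertificateTrust] > smartcard.mobileconfig
#   checkCertificateTrust: 0 = off, 1 = validity only,
#                          2 = validity + soft revocation, 3 = validity + hard revocation

make_smartcard_profile() {
    trust="${1:-3}"   # default to the strictest option (hard revocation check)
    case "$trust" in
        0|1|2|3) ;;
        *) echo "checkCertificateTrust must be 0-3, got '$trust'" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.smartcard</string>
      <key>PayloadIdentifier</key>
      <string>com.example.smartcard.payload</string>
      <key>PayloadUUID</key>
      <string>11111111-2222-3333-4444-555555555555</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Show user pairing dialog -->
      <key>UserPairing</key>
      <true/>
      <!-- Unlock via Smart Card: login, authorization, screensaver unlock -->
      <key>allowSmartCard</key>
      <true/>
      <!-- Verify Certificate Trust: 0..3 as in the option list above -->
      <key>checkCertificateTrust</key>
      <integer>${trust}</integer>
      <!-- Allow one smart card per user -->
      <key>oneCardPerUser</key>
      <true/>
      <!-- Enable Screensaver on Smart Card removal (macOS 10.13.4+); 1 = start screensaver -->
      <key>tokenRemovalAction</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Smart Card Authentication</string>
  <key>PayloadIdentifier</key>
  <string>com.example.smartcard</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadUUID</key>
  <string>66666666-7777-8888-9999-000000000000</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# Read the settings back on the enrolled Mac itself (macOS only; the MDM
# writes managed preferences under /Library/Managed Preferences, and
# sc_auth reports whether the pairing dialog is currently enabled).
verify_smartcard_prefs() {
    defaults read "/Library/Managed Preferences/com.apple.security.smartcard"
    sc_auth pairing_ui -s status
}
```

Run `make_smartcard_profile 3 > smartcard.mobileconfig` to see exactly what the hard revocation variant of the policy looks like on the wire, and `verify_smartcard_prefs` on a target Mac after the policy has been associated to confirm the values landed; remember that a change to allowSmartCard only takes effect after a restart.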

Associate the policy to target entity

If the policy has not been saved,

  1. Navigate to Policy Targets > +Add Devices.
  2. Choose the target devices and click OK.
  3. Click Save.

Apart from devices, you can also associate the policies to device groups, users, user groups or domains from Policy Targets.

If the policy has been saved,

  1. From Policies, select the policy to be associated.
  2. Click on Manage drop-down and select Associate Targets.
  3. Choose the target devices and click Associate.