
How to Configure Smart Card Authentication for macOS Devices

A smart card is an access-control device that holds one or more certificates, together with their private keys, for user authentication. The private key is designed never to leave the card; the certificate, in combination with the user's smart card PIN that unlocks the card, is used to authenticate the user.

Users can log in to their Macs with a smart card. Smart card authentication requires the user to have the card in hand and to enter its PIN, so it is a two-factor credential: possession of the card plus knowledge of the PIN. This is stronger than a plain account password, which is a single secret: if a password is disclosed, anyone holding it can log in, whereas a disclosed PIN is useless without the physical card.

Hexnode MDM simplifies Mac management by letting IT admins remotely configure smart card authentication settings for Macs. Admins can enable user login via smart cards, restrict each user to a single paired smart card, choose how strictly the card's certificate is validated, and more.

Note:

  • This feature works on devices running macOS 10.12.4 and later.

Configure Smart Card Authentication settings

  1. Log in to your Hexnode MDM portal.
  2. Go to Policies > New Policy. Assign a suitable name and description (optional) for the policy. Alternatively, you can choose to continue with an existing policy.
  3. From macOS > Security, choose Smart Card Authentication. Click Configure.

Next, configure the below smart card authentication settings:


Settings and their descriptions:

Show user pairing dialog
Check this option to show the pairing dialog when a user inserts a smart card that is not yet paired with their account. If unchecked, no pairing dialog appears when an unpaired card is inserted; existing pairings continue to work.

Unlock via Smart Card
Check this option to allow users to use their smart cards for login, authorization prompts, and screensaver unlocking. If unchecked, smart cards cannot be used for these purposes but can still be used for other functions such as web access and signing email. The device must be restarted for a change to this setting to take effect.

Verify Certificate Trust
Select how strictly the certificate on the smart card is validated. A certificate passes the full check when:
  • it is within its validity period,
  • the system trusts the issuer of the certificate, and
  • it passes CRL and OCSP revocation checks.

You can select any one of the four available options:

  1. Turn off certificate validity check (default) – Turns off the certificate trust check entirely. This setting trusts every certificate and is therefore only suitable for users with self-signed certificates. It is the least secure setting; corporate systems should adopt one of the stricter options.
  2. Turn on certificate validity check – Turns on the certificate trust check. The certificate must be within its validity period and the system must trust its issuer. No revocation check is performed, so a certificate that the CA has revoked is still accepted until it expires.
  3. Certificate validity check is turned on and a soft revocation check is turned on. – In addition to the validity and issuer checks, the certificate's revocation status is queried via CRL/OCSP. In a soft revocation check the certificate is considered valid unless the CRL/OCSP check explicitly reports it as revoked; if the revocation status cannot be determined (for example, the OCSP responder or CRL distribution point is unreachable), the certificate is still accepted.
  4. Certificate validity check is turned on and a hard revocation check is turned on. – In addition to the validity and issuer checks, the certificate's revocation status is queried via CRL/OCSP. In a hard revocation check the certificate is considered invalid until the CRL/OCSP check positively confirms it as good; if the status cannot be determined, login with the card fails. This is the most secure option, but it requires that the Macs can reach the CA's CRL/OCSP service whenever a user authenticates, including from the login window.

Allow one smart card per user
Check this option to restrict each user to pairing with a single smart card. Pairings that already exist for the user continue to work.

Enable Screensaver on Smart Card removal (macOS 10.13.4+)
Check this option to start the screensaver automatically when the smart card is removed from the Mac.
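The settings above correspond to Apple's com.apple.security.smartcard configuration profile payload, which is what an MDM delivers to the Mac. The following is an added example, not Hexnode's or Apple's code: it builds that payload for the article's insecure default (every certificate trusted) and for a hardened configuration, reads the payload back for auditing, and models the accept/reject decision each certificate-trust level makes, including the case where the CRL/OCSP status cannot be determined. The mapping of Hexnode's checkbox labels onto Apple's payload keys is an assumption (the page does not state it), and the PayloadIdentifier and organization strings are placeholders.

```python
"""Build a com.apple.security.smartcard profile and model the trust levels.

Added example, not Hexnode's or Apple's code. Assumed mapping (not stated on
the page) from the Hexnode options onto Apple's documented payload keys:
  Show user pairing dialog              -> UserPairing
  Unlock via Smart Card                 -> allowSmartCard
  Verify Certificate Trust              -> checkCertificateTrust (0..3)
  Allow one smart card per user         -> oneCardPerUser
  Enable Screensaver on Smart Card removal -> enforceScreenSaver
"""
import plistlib
import uuid
from enum import IntEnum


class CertTrust(IntEnum):
    OFF = 0              # trust every certificate (page default, least secure)
    VALIDITY = 1         # validity period + trusted issuer, no revocation check
    SOFT_REVOCATION = 2  # + CRL/OCSP; accept unless explicitly revoked
    HARD_REVOCATION = 3  # + CRL/OCSP; reject unless explicitly confirmed good


def smartcard_payload(*, user_pairing=True, allow_smart_card=True,
                      check_certificate_trust=CertTrust.OFF,
                      one_card_per_user=False, enforce_screen_saver=False):
    """Return one com.apple.security.smartcard payload dictionary."""
    return {
        "PayloadType": "com.apple.security.smartcard",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.smartcard.settings",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Smart Card Authentication",
        "UserPairing": user_pairing,
        "allowSmartCard": allow_smart_card,
        "checkCertificateTrust": int(check_certificate_trust),
        "oneCardPerUser": one_card_per_user,
        "enforceScreenSaver": enforce_screen_saver,
    }


def build_profile(payload, name="Smart Card Authentication"):
    """Wrap a payload in a system-scoped profile; returns .mobileconfig bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.profile.smartcard",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": "Example Corp",  # placeholder
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def smartcard_settings(profile_bytes):
    """Read the smart card payload back out of .mobileconfig bytes (audit)."""
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.security.smartcard":
            return payload
    raise ValueError("no com.apple.security.smartcard payload in profile")


def accepts(mode, *, in_validity_period, issuer_trusted, revocation):
    """Model the decision each checkCertificateTrust level makes.

    revocation is "good", "revoked" or "unknown" (CRL/OCSP unreachable or no
    responder configured). The "unknown" case is where soft and hard differ.
    """
    mode = CertTrust(mode)
    if mode == CertTrust.OFF:
        return True                       # everything trusted, even expired
    if not (in_validity_period and issuer_trusted):
        return False                      # all levels >= 1 require these
    if mode == CertTrust.VALIDITY:
        return True                       # revoked-but-unexpired still passes
    if mode == CertTrust.SOFT_REVOCATION:
        return revocation != "revoked"    # unknown status is accepted
    return revocation == "good"           # HARD: unknown status is rejected


# The article's default: every certificate trusted, any number of cards.
WEAK_PROFILE = build_profile(smartcard_payload())

# Hardened: hard revocation checking, one card per user, lock on card removal.
HARDENED_PROFILE = build_profile(smartcard_payload(
    check_certificate_trust=CertTrust.HARD_REVOCATION,
    one_card_per_user=True,
    enforce_screen_saver=True,
))

if __name__ == "__main__":
    with open("smartcard-hardened.mobileconfig", "wb") as f:
        f.write(HARDENED_PROFILE)
    print(smartcard_settings(HARDENED_PROFILE))
```

Before switching a fleet to the hard revocation level, confirm from a Mac at the login window that the CA's OCSP responder or CRL is reachable; with that level an unreachable responder is indistinguishable from a revoked certificate and locks users out. On an enrolled Mac, `sudo profiles show -type configuration` lists the installed payload and its key values, and `sc_auth list -u <user>` shows the public key hashes currently paired with a user account.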

Associate the policy with target macOS devices

If the policy has not been saved,

  1. Navigate to Policy Targets > +Add Devices.
  2. Choose the target devices and click OK.
  3. Click Save.

Apart from devices, you can also associate the policies with Device Groups, Users, User Groups, or Domains from Policy Targets.

If the policy has been saved,

  1. From Policies, select the policy to be associated.
  2. Click on Manage drop-down and select Associate Targets.
  3. Choose the target devices and click Associate.