
How to Configure Smart Card Authentication for macOS Devices using Hexnode MDM

Users can use their smart card to log in to their macOS devices, which improves privacy and security. Hexnode MDM enables you to configure Smart Card Authentication for macOS devices. This functionality is supported on devices running macOS 10.12.4 and above.

Configure Smart Card Authentication

  1. Log in to your Hexnode MDM portal.
  2. Go to Policies > New Policy. Assign a suitable name and description (optional) for the policy. Alternatively, you can choose to continue with an existing policy.
  3. From macOS > Security, choose Smart Card Authentication. Click Configure.

The following options can be configured.

Setting – Description
Show user pairing dialog – Check this option to show the pairing dialog to the user. If disabled, the user won’t get the pairing dialog. However, the existing pairings will continue to work.
Unlock via Smart Card – Check this option to use the smart card for login, authorization and screensaver unlocking. If disabled, users won’t be able to use a smart card for these purposes, but it can still be used for web access and signing emails. The device must be restarted for the change in settings to take effect.
Verify Certificate Trust – This option determines whether the certificate is trusted. A certificate is considered valid only if the following conditions are met.

  • It passes CRL and OCSP check.
  • It is not expired.
  • The Issuer is system trusted.

You can select any one of the four available options here.

  1. Turn off certificate validity check – Here the certificate trust check is turned off.
  2. Turn on certificate validity check – Here the certificate trust check is turned on. A standard validity check is performed. However, no additional revocation checks are carried out.
  3. Certificate validity check is turned on and a soft revocation check is turned on – While the certificate undergoes the CRL/OCSP check, it may be accepted or rejected.
    • Soft Revocation check: The certificate is considered valid until it is explicitly rejected by the CRL/OCSP check.
  4. Certificate validity check is turned on and a hard revocation check is turned on – While the certificate undergoes the CRL/OCSP check, it may be accepted or rejected.
    • Hard Revocation check: The certificate is considered valid only when the CRL/OCSP check says, “this certificate is OK”.

By default, the certificate trust check is turned off.

Allow one smart card per user – Check this option to allow the user to pair with only one smart card. However, the existing pairings will still be allowed.
Enable Screensaver on Smart Card removal (macOS 10.13.4+) – Check this option to enable the screensaver on the Mac if the smart card has been removed.
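
The settings above can be checked in an exported configuration profile before it is rolled out. The following is an added example, not code from Hexnode: it assumes the policy is delivered as Apple's com.apple.security.smartcard payload, uses that payload's key names (UserPairing, allowSmartCard, checkCertificateTrust, oneCardPerUser, tokenRemovalAction), and runs against a constructed sample profile.

```python
import plistlib

# Constructed sample: a minimal configuration profile carrying Apple's
# com.apple.security.smartcard payload (values chosen for illustration).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.smartcard</string>
    <key>UserPairing</key><true/>
    <key>allowSmartCard</key><true/>
    <key>checkCertificateTrust</key><integer>1</integer>
    <key>oneCardPerUser</key><false/>
    <key>tokenRemovalAction</key><integer>0</integer>
  </dict></array>
</dict></plist>"""

# The four "Verify Certificate Trust" options, in the order listed above.
TRUST_MODES = {0: "off", 1: "validity only", 2: "soft revocation", 3: "hard revocation"}

def audit_smartcard_profile(profile_bytes):
    """Return (trust_mode_name, findings) for the smart card payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.security.smartcard"]
    if not payloads:
        raise ValueError("profile has no com.apple.security.smartcard payload")
    p = payloads[0]
    mode = p.get("checkCertificateTrust", 0)  # the trust check is off by default
    findings = []
    if mode == 0:
        findings.append("certificate trust check is off")
    elif mode == 1:
        findings.append("no revocation check: a revoked certificate is not detected")
    elif mode == 2:
        findings.append("soft revocation: certificate stays valid unless CRL/OCSP explicitly rejects it")
    if not p.get("oneCardPerUser", False):
        findings.append("user may pair more than one smart card")
    if p.get("tokenRemovalAction", 0) != 1:
        findings.append("screensaver does not start when the card is removed")
    return TRUST_MODES.get(mode, "unknown"), findings

if __name__ == "__main__":
    mode, findings = audit_smartcard_profile(SAMPLE_PROFILE)
    print("Certificate trust mode:", mode)
    for finding in findings:
        print(" -", finding)
```
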

Associate the policy to target entity

If the policy has not been saved,

  1. Navigate to Policy Targets > +Add Devices.
  2. Choose the target devices and click Ok.
  3. Click Save.

Apart from devices, you can also associate the policies to device groups, users, user groups or domains from Policy Targets.

If the policy has been saved,

  1. From Policies, select the policy to be associated.
  2. Click the Manage drop-down and select Associate Targets.
  3. Choose the target devices and click Associate.