How To Install A CAC Card Reader On Mac
Use a smart card in macOS
The default method of smart card usage in macOS occurs automatically when a user inserts their card into a card reader attached to the computer. It prompts the user to "pair" the card with their account. This method is called "Local Account Pairing." If a user doesn't pair their card when prompted, the user can still use the card to access websites but is unable to log in to their user account with the smart card. Smart cards can also be used with a directory service. To use the smart card for login, it must be either paired or configured to work with a directory service.
Local account pairing
The steps below describe the local account pairing process:
- Insert a PIV smart card or hard token that includes authentication and encryption identities
- Select "Pair" at the notification dialog
- Provide administrator account credentials (user name/password)
- Provide the 4–6 digit Personal Identification Number (PIN) for the inserted smart card
- Log out and use the smart card and PIN to log back in
Local account pairing can also be achieved with the command line and an existing account. For more information, see Configure macOS for smart card–only authentication for details regarding this method of pairing.
Attribute mapping with Active Directory
Smart cards can be authenticated against Active Directory using attribute mapping. This method involves having an Active Directory-bound system and setting appropriate information in the file /private/etc/SmartcardLogin.plist. This file must have world-readable permissions in order to function properly.
Before the user can take advantage of this feature, macOS must be configured with the appropriate attribute mapping and the local pairing user interface must be disabled. To disable the local pairing dialog, open the Terminal app, then type sudo defaults write /Library/Preferences/com.apple.security.smartcard UserPairing -bool NO and enter your local administrator password when prompted.
As soon as macOS is configured, a user simply inserts a smart card or token to create a new user account. They are prompted to enter their PIN and create a unique keychain password that is wrapped by the encryption key in the smart card. Accounts can be configured for network user accounts or mobile user accounts.
Note: The presence of the /private/etc/SmartcardLogin.plist file takes precedence over paired local accounts.
Network user account with attribute mapping example
The following is an example SmartcardLogin.plist where mapping correlates the NT Principal Name on the PIV Authentication certificate to the userPrincipalName attribute in Active Directory:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttributeMapping</key>
<dict>
<key>fields</key>
<array>
<string>NT Principal Name</string>
</array>
<key>formatString</key>
<string>$1</string>
<key>dsAttributeString</key>
<string>dsAttrTypeNative:userPrincipalName</string>
</dict>
</dict>
</plist>
Mobile user account with attribute mapping example
When binding to Active Directory, selecting the "Create mobile account at login" preference allows the creation of mobile accounts for offline login. This mobile user feature is supported with the Kerberos attribute mapping, and it should be configured in the SmartcardLogin.plist. This configuration is also useful in environments where a Mac may not always be able to reach the directory server.
Note: Initial account setup requires machine binding and access to the directory server.
The following example SmartcardLogin.plist file matches the Subject Alternative Name type, NT Principal Name, in the identity on the smart card against the Directory Server's altSecurityIdentities field (Kerberos), allowing for offline login and authentication:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttributeMapping</key>
<dict>
<key>fields</key>
<array>
<string>NT Principal Name</string>
</array>
<key>formatString</key>
<string>Kerberos:$1</string>
<key>dsAttributeString</key>
<string>dsAttrTypeStandard:AltSecurityIdentities</string>
</dict>
</dict>
</plist>
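To sanity-check a SmartcardLogin.plist like the two above before deploying it, here is an added Python example (not from Apple's guide or from this page) that parses the AttributeMapping dictionary, verifies that every $N placeholder in formatString refers to a listed certificate field and that dsAttributeString carries a dsAttrType prefix, and shows the string the mapping will look up in the directory for a given card identity. The Kerberos: prefix rule is an assumption taken from the mobile-account example; the sample plist and card values are constructed.

```python
import plistlib
import re

# Constructed sample (not from the page): the Kerberos/altSecurityIdentities mapping.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AttributeMapping</key>
  <dict>
    <key>fields</key>
    <array><string>NT Principal Name</string></array>
    <key>formatString</key>
    <string>Kerberos:$1</string>
    <key>dsAttributeString</key>
    <string>dsAttrTypeStandard:AltSecurityIdentities</string>
  </dict>
</dict>
</plist>
"""

DS_PREFIXES = ("dsAttrTypeStandard:", "dsAttrTypeNative:")

def check_mapping(plist_bytes):
    """Return a list of problems with the AttributeMapping dict (empty means it looks sane)."""
    mapping = plistlib.loads(plist_bytes).get("AttributeMapping")
    if not isinstance(mapping, dict):
        return ["missing AttributeMapping dictionary"]
    fields = mapping.get("fields", [])
    fmt = mapping.get("formatString", "")
    ds_attr = mapping.get("dsAttributeString", "")
    problems = []
    if not fields:
        problems.append("fields array is empty")
    # Every $N placeholder in formatString must name one of the listed certificate fields (1-based).
    for n in re.findall(r"\$(\d+)", fmt):
        if not 1 <= int(n) <= len(fields):
            problems.append(f"formatString uses ${n} but only {len(fields)} field(s) are listed")
    if not ds_attr.startswith(DS_PREFIXES):
        problems.append("dsAttributeString lacks a dsAttrTypeStandard:/dsAttrTypeNative: prefix")
    # Assumption: altSecurityIdentities entries for Kerberos use the Kerberos:<principal> form
    # shown in the page's mobile-account example, so formatString must add that prefix.
    if ds_attr.endswith("AltSecurityIdentities") and not fmt.startswith("Kerberos:"):
        problems.append("AltSecurityIdentities mapping should produce Kerberos:<principal>")
    return problems

def directory_lookup_value(plist_bytes, cert_values):
    """Substitute the card's field values into formatString ($1 = first field) to get
    the string that will be matched against the directory attribute."""
    fmt = plistlib.loads(plist_bytes)["AttributeMapping"]["formatString"]
    return re.sub(r"\$(\d+)", lambda m: cert_values[int(m.group(1)) - 1], fmt)
```

Run check_mapping on the file's bytes as part of deployment; remember the file itself must also be world-readable for macOS to use it.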
Enabling screen saver on token removal
The screen saver can be configured to start automatically when a user removes their token. This option appears only after a smart card has been paired. There are two primary ways to accomplish this:
- In the Security & Privacy preferences on the Mac, using the Advanced button and selecting "Turn on screen saver when login token is removed." Make sure the screen saver settings are configured and select "Require a password immediately after sleep or screen saver begins."
- In a mobile device management (MDM) solution, use the tokenRemovalAction key.
Source: https://support.apple.com/guide/deployment/use-a-smart-card-depc705651a9/web
Posted by: ruckerthoureprot.blogspot.com