Enable smart card support

Path

Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable smart card support

Description

Enable users to logon with smart cards. If you enable this group policy, it adds smart card support to the authorization database on Mac computers that are linked to the group policy object.

This policy also creates a text file named /etc/cacloginconfig.plist on each computer. This configuration file directs the Mac smart card log-in to look for a user in Active Directory with a user principal name (UPN) that is the same as the NT Principal Name attribute in the smart card log-in certificate.

See Configuring a Mac computer for smart card login for details.

Select Enable YubiKeys as a smart card to enable using YubiKeys as a smart card. Enabling YubiKeys as a smart card installs Yubico’s libccid to enable communication to the YubiKey using CCID protocol, allowing users to authenticate with a YubiKey PIV token. Unchecking this option does not remove Yubico’s libccid from impacted computers.

If you later disable this policy, the smart card support strings are removed from the authorization database and the /etc/cacloginconfig.plist file is deleted. Changing this policy to Not configured does not remove the smart card support strings nor remove the plist file. Once this policy is enabled, you must select Disabled to do this.

Once enabled, this policy takes effect dynamically at the next group policy refresh interval.

Once enabled, this group policy takes effect when the computer is rebooted.