Enable smart card support

Path

Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable smart card support

Description

Enables users to log on with smart cards. If you enable this group policy, it adds smart card support to the authorization database on Mac computers that are linked to the group policy object.

Centrify smart card support for macOS is based on the macOS modern native framework, CryptoTokenKit.

See Configuring a Mac computer for smart card login for details.

Select "Enable smart card support for the SUDO command" to let smart card users authenticate with their smart card PIN when they run the sudo command.

Select "Enable smart card support for the SU command" to let smart card users authenticate with their smart card PIN when they run the su command.

Select "Enable smart card support for the LOGIN command" to let smart card users authenticate with their smart card PIN when they run the login command.

Select "Enforce smart card login" to allow only smart card users with a smart card to log in to the Mac machine.

Edit "Exception group" to add an exception group for "Enforce smart card login". Users who belong to this group can always log in to the Mac machine with a user name and password. In general, we recommend setting an exception group, for example, admin, when "Enforce smart card login" is selected.

Select one of the options in "Certificate trust behavior" to set the smart card certificate trust behavior. The numbers have the following meanings:

0: Smart card certificate trust isn’t required.

1: Smart card certificate and chain must be trusted.

2: Certificate and chain must be trusted and not receive a revoked status.

3: Certificate and chain must be trusted and revocation status is returned valid.

Once enabled, this policy takes effect dynamically at the next group policy refresh interval.
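The following audit check is an added example, not Centrify's code. It assumes the policy's options surface on the Mac as the macOS smart card preference keys enforceSmartCard and checkCertificateTrust; the sample plist, the function name and the exception_group parameter are constructed for illustration.

```python
import plistlib
from typing import List, Optional, Tuple

# Constructed sample, not taken from a real machine. Assumption: the policy's
# options surface as the macOS smart card preference keys enforceSmartCard
# and checkCertificateTrust.
SAMPLE_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>enforceSmartCard</key><true/>
  <key>checkCertificateTrust</key><integer>1</integer>
</dict></plist>"""


def audit_smartcard_prefs(plist_bytes: bytes,
                          exception_group: Optional[str] = None
                          ) -> List[Tuple[str, str]]:
    """Return (code, message) findings; exception_group is a hypothetical
    parameter holding the configured "Exception group" name, if any."""
    prefs = plistlib.loads(plist_bytes)
    enforced = prefs.get("enforceSmartCard") is True
    trust = prefs.get("checkCertificateTrust")
    findings = []

    # "Certificate trust behavior" accepts only the integers 0 through 3.
    if isinstance(trust, bool) or trust not in (0, 1, 2, 3):
        findings.append(("trust-invalid", f"unexpected value {trust!r}"))
    elif trust == 0:
        findings.append(("trust-not-required",
                         "0: smart card certificate trust isn't required"))
    elif trust == 1:
        findings.append(("no-revocation-check",
                         "1: chain must be trusted, no revocation requirement"))

    # The page recommends an exception group (for example, admin) whenever
    # enforcement is on, so some account can still use a password.
    if enforced and not exception_group:
        findings.append(("enforced-without-exception-group",
                         "no group can fall back to username and password"))
    if exception_group and not enforced:
        findings.append(("exception-group-unused",
                         "exception group only applies when login is enforced"))
    return findings


if __name__ == "__main__":
    for code, message in audit_smartcard_prefs(SAMPLE_PREFS):
        print(f"{code}: {message}")
```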