Enabling protected keychains

On OS X 10.11, you can enable the Enable protected keychain group policy to create a keychain protected by either a smart card token or a password and set it as the default keychain, depending on the login type. Once the Enable protected keychain group policy takes effect, the token-protected keychain can only be unlocked with a PIN when the associated smart card is present.

In addition, you can select options in the group policy that allow users who forget or lose their smart card to continue to log in with a password. In this case, a new password-protected keychain is created to ensure users can continue to log in to their account; however, keychain items are not transferred from the token-protected keychain to the password-protected keychain.

This feature is not supported on OS X 10.10 and earlier.

Note: When the smart card is renewed, it will no longer unlock the token-protected keychain. There is no way to export a token-protected keychain; you will have to recreate the keychain items in the new token-protected keychain. In addition, if a smart card is lost, there is no way to recover items from the token-protected keychain.

To create a smart card token-protected keychain

  1. Enable the Enable protected keychain group policy (User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Keychain Policies > Enable protected keychain).
  2. Select the Set as user default keychain option to make the protected keychain the default keychain.

    The group policy switches the default keychain depending on login type (smart card login or password login). This option is selected by default, and is required to be able to log in with a password after this group policy takes effect.

  3. Select the Delete the Password protected ‘Login’ Keychain after login option to delete the existing password protected ‘Login’ keychain.

    This removes existing keychains that can be unlocked without a smart card. This option is deselected by default, but it is required if users are to log in with a password, after this group policy takes effect, without seeing keychain errors.

  4. Click Apply, then click OK.

    Once enabled, this policy takes effect at the next user login using smart card authentication. Connect only one smart card to the client machine to log in and create a token-protected keychain. Choosing a specific smart card to protect the keychain when multiple smart cards are present is not supported.

  5. (Optional) Set parameters for when to lock the protected keychain using the following two group policies.

    • Lock protected keychain after number of minutes of inactivity

    • Lock protected keychain when sleeping

    Note: If you do not enable these policies, the default behavior for a new keychain is to lock after five minutes or when sleeping.

    Both of these policies take effect at the next user login using smart card authentication.
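An added check, not from the Centrify documentation, for verifying that a keychain's lock settings match the behavior described above (lock on sleep and lock after at most five minutes of inactivity). It assumes the line format printed by the macOS `security show-keychain-info` command and uses constructed sample lines so it can run anywhere:

```shell
#!/bin/sh
# Audit one keychain-info line against a maximum inactivity timeout.
# Assumed input format (as printed by `security show-keychain-info`):
#   Keychain "<path>" lock-on-sleep timeout=300s
#   Keychain "<path>" no-timeout
# check_keychain_settings <info-line> <max-minutes>
# Returns 0 when the keychain locks on sleep AND within <max-minutes>,
# otherwise returns 1.
check_keychain_settings() {
    info="$1"
    max_minutes="$2"
    max_seconds=$((max_minutes * 60))

    # Lock-when-sleeping must be present in the settings line.
    case "$info" in
        *lock-on-sleep*) sleep_ok=1 ;;
        *) sleep_ok=0 ;;
    esac

    # Extract the inactivity timeout in seconds; empty means "no-timeout",
    # i.e. the keychain never locks on inactivity, which fails the check.
    timeout=$(printf '%s\n' "$info" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    if [ -z "$timeout" ]; then
        timeout_ok=0
    elif [ "$timeout" -le "$max_seconds" ]; then
        timeout_ok=1
    else
        timeout_ok=0
    fi

    [ "$sleep_ok" -eq 1 ] && [ "$timeout_ok" -eq 1 ]
}

# Constructed sample lines (hypothetical paths) in the assumed format.
SAMPLE_OK='Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s'
SAMPLE_NO_TIMEOUT='Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout'
SAMPLE_TOO_LONG='Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=3600s'

# Live use on a Mac (not run here): audit the current default keychain.
#   security show-keychain-info "$(security default-keychain | tr -d ' "')" 2>&1 \
#     | { read -r line; check_keychain_settings "$line" 5 && echo OK || echo FAIL; }
```

Note that `security show-keychain-info` reports its settings on standard error, hence the `2>&1` in the live invocation.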