Verifying prerequisites for configuring smart card login

  • Make sure that your smart card is supported by macOS.

    macOS 10.15 and later supports personal identity verification (PIV) smart cards, USB CCID class-compliant readers, and hard tokens that support the PIV standard.

    • Provision a smart card with an NT principal name and PIN.

    • Verify that the Active Directory user’s UPN matches the UPN on the smart card.

    • Make sure that there are at least two certificates on your smart card, one for each of two purposes: "Signature and smartcard logon" and "Encryption". macOS uses the certificate whose purpose is "Signature and smartcard logon" to log on, and uses the certificate whose purpose is "Encryption" to encrypt and decrypt the user's Keychain automatically. If there is no certificate for "Encryption", the user will need to enter the Keychain password every time they log in.

  • Make sure that your smart card is able to log in to a Windows computer.

    If a user is able to log in to a Windows computer with a smart card, and you have a card reader and a fully-provisioned card for the Mac computer, the user should be able to log in to the Mac computer once you configure it for smart card support.
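The UPN check in the prerequisites above can be scripted. The following is an added example, not part of the original documentation: it reads the NT principal name (a UPN otherName, OID 1.3.6.1.4.1.311.20.2.3) from the DER-encoded subjectAltName value of the card's logon certificate and compares it with the Active Directory UPN. The function names, the sample names, and the case-insensitive comparison are assumptions made for this example.

```python
# Added example: extract the NT principal name (UPN) from a DER-encoded
# subjectAltName extension value and compare it with the directory UPN.
MS_UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def upns_from_san(san_der):
    """Yield every UPN otherName found in a GeneralNames SEQUENCE."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:  # [0] otherName; skip rfc822Name, dNSName, ...
            continue
        oid_tag, oid, after = read_tlv(body, 0)
        if oid_tag != 0x06 or oid != MS_UPN_OID:
            continue
        _, wrapped, _ = read_tlv(body, after)    # [0] EXPLICIT wrapper
        str_tag, text, _ = read_tlv(wrapped, 0)  # UTF8String holding the UPN
        if str_tag == 0x0C:
            yield text.decode("utf-8")

def upn_matches(san_der, directory_upn):
    """Compare case-insensitively (assumption: the directory ignores case)."""
    want = directory_upn.strip().casefold()
    return any(u.casefold() == want for u in upns_from_san(san_der))

def tlv(tag, body):  # used only to build the constructed sample below
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128)

# Constructed sample: an rfc822Name followed by a UPN otherName.
SAMPLE_SAN = tlv(0x30,
    tlv(0x81, b"jdoe@example.com") +
    tlv(0xA0, tlv(0x06, MS_UPN_OID) +
              tlv(0xA0, tlv(0x0C, b"JDoe@corp.example.com"))))

if __name__ == "__main__":
    print(list(upns_from_san(SAMPLE_SAN)))
    print(upn_matches(SAMPLE_SAN, "jdoe@corp.example.com"))
```

An e-mail address in the rfc822Name field does not count as the NT principal name; only the otherName entry with the UPN OID is compared.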
