Enabling smart card support (including authentication via YubiKey tokens)

Smart card and YubiKey token support requires configuration changes to Mac OS X. Enabling the relevant policies makes the required changes to Mac configuration files.

To enable smart card support for logging on

  1. Make a backup of the authorization database by exporting it to a plist file on all computers for which you are enabling smart card login support. Enabling the group policy Enable smart card support causes edits to this file, so you should create a backup to be safe.
    security authorizationdb read system.login.console > system.login.console.backup.plist 
    security authorizationdb read authenticate > authenticate.backup.plist
  2. Create or edit an existing Group Policy Object linked to a site, domain, or OU that includes Mac computers.

  3. In the Group Policy Management Editor, expand Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security, then double-click Enable smart card support.

  4. Select Enabled to enable smart card support.

    This group policy adds smart card support to the authorization database on Mac computers that are linked to the group policy object. This policy also creates a text file named /etc/cacloginconfig.plist on each computer.

    This configuration file directs the Mac smart card log-in to look for a user in Active Directory with a user principal name (UPN) that is the same as the NT Principal Name attribute in the smart card log-in certificate.

    Note:   The /etc/cacloginconfig configuration file for use with Access Manager and Active Directory is different from the default configuration file provided by Apple.

  5. Select Enable YubiKeys as a smart card to enable authentication using a YubiKey PIV token.

    Enabling YubiKeys as a smart card installs Yubico’s libccid to enable communication to the YubiKey using CCID protocol. To authenticate with a YubiKey PIV token, the certificates issue to the YubiKey must be part of a domain that is already provisioned and setup to accept PIV smart cards. See https://support.yubico.com/support/solutions for more information about YubiKeys.

After reboot, the computers linked to the group policy object are ready for smart card use. Complete the procedure in the next section if you plan to use multi-user smart cards with your Mac computers, or go to Enabling screen locking for smart card removal to enable screen locking when the smart card is removed from a computer.