Enabling smart card support


To enable smart card support for logging on

  1. Make sure that you have configured the Centrify Agent to have full disk access.

  2. Create or edit an existing Group Policy Object linked to a site, domain, or OU that includes Mac computers.

  3. In the Group Policy Management Editor, expand Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, then double-click Enable smart card support.

  4. Select Enabled to enable smart card support.

  5. Select any of the following smart card options:

    • Enable smart card support for the SUDO command: When executing the SUDO command, the smart card user can authenticate by entering their smart card PIN.

    • Enable smart card support for the SU command: When executing the SU command, the smart card user can authenticate by entering their smart card PIN.

    • Enable smart card support for the LOGIN command: When executing the LOGIN command, the smart card user can authenticate by entering their smart card PIN.

    • Enforce smart card login: Users can only log in to the Mac computer by way of smart card login.

    • Exception group: Any users who belong to this group can always log in to the Mac computer with user name and password (no smart card required). In general, we recommend that you set an exception group, such as admins, when you select the option to enforce smart card login.

    • Certificate trust behavior: Select one of the following values to set how strictly the smart card certificate is validated at logon:

      • 0: Smart card certificate trust isn’t required.

      • 1: Smart card certificate and certificate chain must be trusted.

      • 2: Certificate and certificate chain must be trusted and not receive a revoked status.

      • 3: Certificate and certificate chain must be trusted and revocation status is returned valid.

  6. Because smart card login is not password-based, do not enable the "Enable Keychain synchronization" group policy: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable Keychain synchronization.

  7. If FileVault is enabled on the Mac, also enable the "Disable automatic login" group policy: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > FileVault2 > Disable automatic login.

    The policy takes effect dynamically at the next group policy refresh interval or after you run adgpupdate.
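The four Certificate trust behavior values in step 5 differ mainly in how a missing revocation answer (CRL or OCSP unavailable) is treated: level 2 only blocks logon on a definitive "revoked" answer, while level 3 also blocks logon when no valid status comes back. The following Python model is an added illustration of that decision, not Centrify's or Apple's code; the ChainEvaluation and Revocation names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Revocation(Enum):
    """Outcome of the revocation check for the card certificate chain."""
    VALID = "valid"        # CRL/OCSP positively reported "not revoked"
    REVOKED = "revoked"    # CRL/OCSP reported "revoked"
    UNKNOWN = "unknown"    # no answer: responder offline, timeout, no CRL/AIA


@dataclass(frozen=True)
class ChainEvaluation:
    """Constructed summary of what the system's trust evaluation returned."""
    chain_trusted: bool      # leaf and chain validate up to a trusted root
    revocation: Revocation   # result of the revocation check


def smart_card_allowed(level: int, ev: ChainEvaluation) -> bool:
    """Return True if the card certificate satisfies the given trust level (0-3)."""
    if level == 0:
        # trust not required: any card the user can unlock with the PIN is accepted
        return True
    if not ev.chain_trusted:
        # levels 1-3 all require a trusted certificate and chain
        return False
    if level == 1:
        return True
    if level == 2:
        # fail-open on revocation: only a definitive "revoked" answer blocks logon,
        # so an unreachable responder still lets the user in
        return ev.revocation is not Revocation.REVOKED
    if level == 3:
        # fail-closed: revocation status must come back valid; "unknown" is a denial
        return ev.revocation is Revocation.VALID
    raise ValueError(f"unsupported trust level {level}")


def levels_allowing(ev: ChainEvaluation) -> list[int]:
    """List the trust levels under which this evaluation would permit logon."""
    return [lvl for lvl in range(4) if smart_card_allowed(lvl, ev)]


if __name__ == "__main__":
    # responder unreachable: shows where level 2 and level 3 diverge
    offline = ChainEvaluation(chain_trusted=True, revocation=Revocation.UNKNOWN)
    print("trusted chain, revocation unknown ->", levels_allowing(offline))  # [0, 1, 2]
```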