Enable protected keychain
User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy Settings > Keychain Policies > Enable protected keychain
Create a new keychain protected by either an asymmetric token stored on a smart card or by a password, depending on the log in type. Enabling this policy requires users to have the smart card present to unlock the token-protected keychain.
When the smart card is renewed it will no longer unlock the protected keychain. There is no way to export a token-protected keychain; you will have to recreate the keychain items in the new token-protected keychain. In addition, if a smart card is lost, there is no way to recover items from the token-protected keychain.
The Set as user default keychain option is selected by default. This option is required to be able to log in with a password after this group policy takes effect. With this option set, the default keychain will be switched based on the login type (smart card login or password login). Deselect this option to leave the existing login keychain as the default keychain.
The Delete the Password protected ‘Login’ Keychain after login option is deselected by default. Select this option to delete the existing password-protected ‘Login’ Keychain after logging in with a smart card, leaving no keychains that can be unlocked without a smart card. This option is required to be able to log in with a password after this group policy takes effect without seeing keychain errors.
Note: This feature is not supported on OS X 10.10 and earlier.