Our environment is split between users that are required to log in with Smart Cards and users that log in with username/password credentials, based on permissions. In this scenario I cannot push a configuration profile that enforces smart card login only, as it breaks my username/password users, and just allowing Smart Card login allows those users to set a keychain password and bypass SC login with that password.
We're using AD-bound machines, and the smart card authentication is mapped to the certificate in AD; that part is working. I'm looking for a way to force macOS to abide by the 'Smart card is required for interactive logon' flag in AD, but allow users without that flag to log in with username/password.
Any help is greatly appreciated, thanks!