Disable password login for Smart Card accounts

dascione
New Contributor II

Our environment is split between users who are required to log in with Smart Cards and users who log in with username/password credentials, based on permissions. In this scenario I cannot push a configuration profile that enforces smart card login only, as it breaks my username/password users, and just allowing Smart Card login allows those users to set a keychain password and bypass SC login with that password.

We're using AD-bound machines and the smart card authentication is mapped to the certificate in AD; that part is working. I'm looking for a way to force macOS to abide by the 'Smart card is required for interactive logon' flag in AD, but allow users without that flag to log in with username/password.

Any help is greatly appreciated, thanks!

3 REPLIES

boberito
Valued Contributor

In 10.15 you can set up the /etc/SmartcardLogin.plist to exclude groups from being smartcard mandatory. There's not really a way in other versions of the system. But you can find all the info on that if you do man SmartCardServices.
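
The group exclusion described in the reply above, as an added example that is not part of the original thread: it merges the NotEnforcedGroup key (documented in man SmartCardServices for macOS 10.15 and later) into existing SmartcardLogin.plist content without discarding an AD attribute mapping already stored there. The group name PasswordLoginUsers and the sample plist are constructed for illustration.

```python
import plistlib

# Key documented in `man SmartCardServices` (macOS 10.15+): members of this
# directory group are left out of smart card enforcement.
EXEMPT_KEY = "NotEnforcedGroup"

def exempt_group(existing_plist: bytes, group: str) -> bytes:
    """Return SmartcardLogin.plist content that exempts `group`,
    keeping every other key (e.g. AttributeMapping) untouched."""
    if not group or group != group.strip():
        raise ValueError("group name must be a non-empty, trimmed string")
    # An empty input means the file does not exist yet: start from scratch.
    config = plistlib.loads(existing_plist) if existing_plist.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("top-level plist object must be a dictionary")
    config[EXEMPT_KEY] = group
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=False)

# Constructed sample of an existing /etc/SmartcardLogin.plist on an AD-bound
# Mac that maps the certificate's NT Principal Name to the AD account.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AttributeMapping</key>
    <dict>
        <key>fields</key>
        <array>
            <string>NT Principal Name</string>
        </array>
        <key>formatString</key>
        <string>Kerberos:$1</string>
        <key>dsAttributeString</key>
        <string>dsAttrTypeStandard:AltSecurityIdentities</string>
    </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    # "PasswordLoginUsers" is a hypothetical group for the password-only users.
    print(exempt_group(SAMPLE, "PasswordLoginUsers").decode())
```

The exemption only matters on machines where smart card enforcement is switched on; review the merged output before installing it as /etc/SmartcardLogin.plist.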

KMJNOAA
New Contributor II

Thanks very much. I did receive an email from an Apple engineer, Jamie Richardson (you?) with this suggestion. I'll give it a go and update this post with my results.

boberito
Valued Contributor

Not me. I just know people to share things with and try to help the community when I can.