I've read pretty much everything I can find around Smartcards and FileVault. We are getting ready to do a pilot with our Mac folks, and the last thing I am working on is what to do for FileVault, since Smartcards are not supported. What is everyone's best practice for that?
We currently use local accounts and sync to AD with NoMAD. Do I keep the username and password workflow the same and just disallow login with those credentials? What about net new users after we flip the Smartcard required bit in AD? Will I be completely hosed with zero-touch and all of that if I do it that way?
Our Microsoft side uses a PIN that never changes with BitLocker, for reference.
Any guidance from folks that have done this is appreciated.
I have users unlock FV with their username and password, with automatic login disabled at Login Window so they have to use their smart cards and PINs to actually log in.
We're bound to AD and we use Enterprise Connect to sync network/FV passwords and handle Kerberos. Enforcing machines through AD doesn't seem to affect the Macs at all.
Basically you want two configuration profiles: Login Window with "Disable automatic login" and Smart Card with "Allow Smart Card" and "Enforce Smart Card use".
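The two profiles described in the reply above, expressed as an added example that is not from the thread or any poster: a constructed `.mobileconfig` with a `com.apple.loginwindow` payload setting `DisableFDEAutoLogin` and a `com.apple.security.smartcard` payload setting `allowSmartCard` and `enforceSmartCard` (these are Apple's documented payload keys; the Jamf checkbox names in the reply map onto them), plus a small audit function that reads any profile and reports which of those settings are missing or weakened. Payload identifiers and UUIDs are placeholders.

```python
import copy
import plistlib

# Constructed sample profile (placeholder identifiers/UUIDs, not from the thread).
# One profile carrying both payloads the reply recommends.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.smartcard-filevault",
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",
    "PayloadVersion": 1,
    "PayloadDisplayName": "Smart card at loginwindow, password at FileVault",
    "PayloadContent": [
        {
            # Login Window payload: after the FileVault password unlock, do NOT
            # auto-login that user; they must authenticate again at loginwindow
            # (where the smart card requirement is enforced).
            "PayloadType": "com.apple.loginwindow",
            "PayloadIdentifier": "example.loginwindow",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "PayloadVersion": 1,
            "DisableFDEAutoLogin": True,
        },
        {
            # Smart Card payload: permit smart card auth and require it.
            "PayloadType": "com.apple.security.smartcard",
            "PayloadIdentifier": "example.smartcard",
            "PayloadUUID": "00000000-0000-4000-8000-000000000003",
            "PayloadVersion": 1,
            "allowSmartCard": True,
            "enforceSmartCard": True,
        },
    ],
}

# The settings an audit expects to find, keyed by payload type.
REQUIRED = {
    "com.apple.loginwindow": {"DisableFDEAutoLogin": True},
    "com.apple.security.smartcard": {"allowSmartCard": True, "enforceSmartCard": True},
}


def build_profile() -> bytes:
    """Serialize the sample profile as an XML plist (.mobileconfig body)."""
    return plistlib.dumps(SAMPLE_PROFILE)


def build_weakened_profile(payload_type: str, key: str, value) -> bytes:
    """Copy of the sample profile with one setting overridden, for testing the audit."""
    profile = copy.deepcopy(SAMPLE_PROFILE)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == payload_type:
            payload[key] = value
    return plistlib.dumps(profile)


def audit_profile(data: bytes) -> list:
    """Return a list of findings; an empty list means every required setting is present.

    Reads a .mobileconfig (XML or binary plist) and checks the loginwindow and
    smartcard payloads against REQUIRED. Missing payloads and wrong values are
    both reported so the output can be used as a quick compliance check.
    """
    profile = plistlib.loads(data)
    payloads = {}
    for payload in profile.get("PayloadContent", []):
        payloads.setdefault(payload.get("PayloadType"), payload)

    findings = []
    for payload_type, expected_keys in REQUIRED.items():
        payload = payloads.get(payload_type)
        if payload is None:
            findings.append(f"missing payload {payload_type}")
            continue
        for key, expected in expected_keys.items():
            actual = payload.get(key)
            if actual != expected:
                findings.append(f"{payload_type}.{key} is {actual!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    # Write the sample profile and audit it, then audit a weakened copy.
    with open("smartcard-filevault.mobileconfig", "wb") as fh:
        fh.write(build_profile())
    print("sample profile findings:", audit_profile(build_profile()))
    print("weakened profile findings:",
          audit_profile(build_weakened_profile("com.apple.loginwindow", "DisableFDEAutoLogin", False)))
```

Run it to emit `smartcard-filevault.mobileconfig` for import into your MDM, or point `audit_profile` at an exported profile to confirm that FileVault auto-login is disabled and smart card use is enforced before the pilot starts.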