Posted on 10-28-2021 11:42 AM
We're using smartcards to log in to our Macs, currently configured to be bound to the Active Directory account through a plist file, which works really well. We can log in, perform basic functions, install software by elevating with the card, etc. When it comes to very specific System Preferences panes, we are unable to unlock or proceed using smartcard/PIN. I'm fairly certain this is an Apple limitation, but just wanted to be sure. This has been consistent from 10.14 through Monterey. Wondering if there's a setting we need to enable, or include in our plist, to enable smartcard unlock for these panes.
The most prominent pane would be adding an iCloud account within Internet Accounts. When binding to services such as iCloud Keychain, it requests elevation and only accepts the account "password", which does not exist for these accounts; they are smartcard authentication only.
Any guidance would be greatly appreciated!
Posted on 10-28-2021 12:38 PM
I know there are certain panes that require both smartcard and local password as well. My confusion is how the accounts were originally created on the computer if they were smartcard only, as the smartcard wouldn't have already been paired or mapped to the user if the account didn't exist.
Posted on 10-28-2021 12:55 PM
We're using the SmartcardLogin.plist to bind mobile accounts to our directory service. As long as the system has access to the directory service at the login screen, the first time they log in, it will prompt them for a PIN and, once logged in, create a mobile account with the appropriate bound certificate cache.
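Added example (mine, not the poster's and not Apple's code): a Python check of the kind of SmartcardLogin.plist described in the post above. The key names (AttributeMapping with fields/formatString/dsAttributeString, TrustedAuthorities) follow Apple's documented format for /private/etc/SmartcardLogin.plist; the sample plist, the AD attribute mapping and the CA fingerprint are constructed, and the checks are my own assumptions about what a usable mapping needs.

```python
import plistlib
import re

# Constructed sample of /private/etc/SmartcardLogin.plist: maps the card's
# NT Principal Name onto the directory's userPrincipalName attribute (the
# usual AD binding) and pins one trusted issuing CA by SHA-256 fingerprint.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AttributeMapping</key>
  <dict>
    <key>fields</key>
    <array><string>NT Principal Name</string></array>
    <key>formatString</key>
    <string>$1</string>
    <key>dsAttributeString</key>
    <string>dsAttrTypeNative:userPrincipalName</string>
  </dict>
  <key>TrustedAuthorities</key>
  <array><string>%s</string></array>
</dict>
</plist>
""" % (b"ab" * 32)   # placeholder fingerprint, not a real CA

HEX_SHA256 = re.compile(r"^[0-9A-Fa-f]{64}$")


def check_smartcard_login_plist(data: bytes) -> list:
    """Return the problems found; an empty list means the mapping looks usable."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed XML/plist
        return [f"not a valid plist: {exc}"]
    problems = []
    mapping = plist.get("AttributeMapping")
    if not isinstance(mapping, dict):
        return ["AttributeMapping missing: no card can be matched to a directory user"]
    fields = mapping.get("fields") or []
    if not isinstance(fields, list) or not fields:
        problems.append("AttributeMapping.fields must list at least one certificate field")
    # every $N in formatString must refer to one of the listed fields
    for n in re.findall(r"\$(\d+)", mapping.get("formatString", "")):
        if not 1 <= int(n) <= len(fields):
            problems.append(f"formatString uses ${n} but only {len(fields)} field(s) are listed")
    if not mapping.get("dsAttributeString"):
        problems.append("AttributeMapping.dsAttributeString missing: nothing to match against")
    for fp in plist.get("TrustedAuthorities", []):
        if not HEX_SHA256.match(str(fp)):
            problems.append(f"TrustedAuthorities entry is not a SHA-256 hex fingerprint: {fp!r}")
    return problems
```

Run it against the real file with `check_smartcard_login_plist(open("/private/etc/SmartcardLogin.plist", "rb").read())` on a Mac where the binding misbehaves; an empty list means the plist itself is not the problem.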
Posted on 10-28-2021 01:00 PM
So these are mobile accounts then? If so, mobile accounts typically do cache a password upon user creation. With that being said, if a password was not used in user creation (and that's still news to me that you can do that), is it possible it cached the PIN as the login password? Have you tried using the PIN in the password field?
Posted on 10-28-2021 01:04 PM
Unfortunately we've already tried that. Previously, in 10.15, we could theoretically use the backup keychain password that gets created during first sign-in to log in to the account. We've also tried that password to unlock that pane, with no luck.
Was hoping there was a PAM module I could add the smartcard module to in order to fix it, but I've had no success there either.
Posted on 10-28-2021 01:09 PM
Yeah, I'm unfamiliar with any PAM module for that. Sorry to not be of more help.