Mojave Smart Card exclusions

New Contributor

Hey everyone,

I was wondering if anyone knows a way to enable Force Smart Card Login and make exclusions for specific users in MacOS Mojave?

I have to make Smart Cards mandatory through a mobileconfig policy thats been provided and by also making changes to /etc/pam.d . Ideally in a perfect world we would have this enforced for standard user accounts but not enforce it for local admin accounts.

From my understanding Catalina added smart card services and you could exclude specific users but with Mojave it appears to not be the case.

In doing some reading I’ve found that in the Linux world I could create a group and then assign users to that group and then exclude that group from Pam.d requirements. However in attempting to implement this it seems the commands do not traverse between Linux and MacOS.

Any ideas/input would be greatly appreciated! I have a feeling it can be done with messing with Pam.d configuration but I’m seeing very little covering this topic/issue.


Valued Contributor

You can only do this in Catalina. Mojave does NOT support exemption by users(or groups). It's all or none pre-10.15.

Valued Contributor

Hi @boberito, how do you exempt a local admin account?

We are testing Smart Card enforcement for 10.15 Macs. So far, so good. We rolled out the SmartCardlogin.plist to private/etc location. We set up a config profile in Jamf Pro to enforce the Smart Cards. For AD users, it's plug-in and play and works nicely.

But how exempt our local admin account (example: jamfadmin123) to login and authenticate to do administrative work? Right now, the account is useless. I tried to "exclude" and "limit" the username of our admin account in the scope, but that doesn't work. Maybe because we hide the account?



New Contributor III

Valued Contributor

@sgrall That worked, thank you! I can confirm it works for 10.15, not 10.13.