Mojave Smart Card exclusions

gothbot6k
New Contributor

Hey everyone,

I was wondering if anyone knows a way to enable Force Smart Card Login and make exclusions for specific users in MacOS Mojave?

I have to make Smart Cards mandatory through a mobileconfig policy thats been provided and by also making changes to /etc/pam.d . Ideally in a perfect world we would have this enforced for standard user accounts but not enforce it for local admin accounts.

From my understanding Catalina added smart card services and you could exclude specific users but with Mojave it appears to not be the case.

In doing some reading I’ve found that in the Linux world I could create a group and then assign users to that group and then exclude that group from Pam.d requirements. However in attempting to implement this it seems the commands do not traverse between Linux and MacOS.

Any ideas/input would be greatly appreciated! I have a feeling it can be done with messing with Pam.d configuration but I’m seeing very little covering this topic/issue.

4 REPLIES 4

boberito
Valued Contributor

You can only do this in Catalina. Mojave does NOT support exemption by users(or groups). It's all or none pre-10.15.

mvu
Valued Contributor

Hi @boberito, how do you exempt a local admin account?

We are testing Smart Card enforcement for 10.15 Macs. So far, so good. We rolled out the SmartCardlogin.plist to private/etc location. We set up a config profile in Jamf Pro to enforce the Smart Cards. For AD users, it's plug-in and play and works nicely.

But how exempt our local admin account (example: jamfadmin123) to login and authenticate to do administrative work? Right now, the account is useless. I tried to "exclude" and "limit" the username of our admin account in the scope, but that doesn't work. Maybe because we hide the account?

90931882c4ec44269ee78a0186dcf4a5

de65136d0fe54813848ffce3ab9a34bc

sgrall
New Contributor III

https://support.apple.com/guide/deployment-reference-macos/configuring-macos-smart-cardonly-apdd3d1cd57d/web

mvu
Valued Contributor

@sgrall That worked, thank you! I can confirm it works for 10.15, not 10.13.