Question

Mojave Smart Card exclusions

Forum|Forum|5 years ago
April 15, 2020
4 replies
34 views

+1

gothbot6k

Hey everyone,

I was wondering if anyone knows a way to enable Force Smart Card Login and make exclusions for specific users in MacOS Mojave?

I have to make Smart Cards mandatory through a mobileconfig policy thats been provided and by also making changes to /etc/pam.d . Ideally in a perfect world we would have this enforced for standard user accounts but not enforce it for local admin accounts.

From my understanding Catalina added smart card services and you could exclude specific users but with Mojave it appears to not be the case.

In doing some reading I’ve found that in the Linux world I could create a group and then assign users to that group and then exclude that group from Pam.d requirements. However in attempting to implement this it seems the commands do not traverse between Linux and MacOS.

Any ideas/input would be greatly appreciated! I have a feeling it can be done with messing with Pam.d configuration but I’m seeing very little covering this topic/issue.

+22

boberito
Jamf Heroes
Forum|Forum|5 years ago
April 15, 2020

You can only do this in Catalina. Mojave does NOT support exemption by users(or groups). It's all or none pre-10.15.

Like

+21

mvu
Jamf Heroes
Forum|Forum|5 years ago
August 12, 2020

Hi @boberito, how do you exempt a local admin account?

We are testing Smart Card enforcement for 10.15 Macs. So far, so good. We rolled out the SmartCardlogin.plist to private/etc location. We set up a config profile in Jamf Pro to enforce the Smart Cards. For AD users, it's plug-in and play and works nicely.

But how exempt our local admin account (example: jamfadmin123) to login and authenticate to do administrative work? Right now, the account is useless. I tried to "exclude" and "limit" the username of our admin account in the scope, but that doesn't work. Maybe because we hide the account?