PIV Smart-Card issue after upgrading from Mojave to Catalina

fviola
New Contributor II

After I upgrade the Mac from Mojave to Catalina, the Mac does not recognize the user PIV Smart-card anymore.

I think I read somewhere that I can fix this issue by running some command line or maybe a script before I upgrade the laptop from Mojave to Catalina. Or maybe unpair and re-pair the User PIV Smart-card after the upgrade from Mojave to Catalina.

I also read somewhere that with Catalina some form of encryption authentication framework has been changed.

I am not sure what to do. How can I fix the issue?

Thank you for your help.

I have this screenshot but it does not give me any additional info.

4 REPLIES

boberito
Valued Contributor

macOS Catalina disables tokend and relies only on CTK (CryptoTokenKit) which is how some older out-of-date software interacted with the smartcard. In all honesty, everyone who has gone from Mojave to Catalina has had a significantly improved experience using smartcards. I've never seen this message before. So part of me wonders if it's from some third party software you have installed.

https://support.apple.com/en-us/HT210541

If you read the man page for "smartcardservices" you can read up and maybe understand more on smartcards in macOS.

You can also look at the logs for smartcard to see if there's any helpful information:

log show --predicate '(subsystem == "com.apple.CryptoTokenKit")'

fviola
New Contributor II

@boberito Now that I am thinking about it, I do have an application called hidglobal ActivID agent. If you were me, should I try a Mojave system, first remove the ActivID agent and then install Catalina, or install Catalina first and remove the ActivID agent after?

boberito
Valued Contributor

@fviola ....maybe first try a fresh Catalina machine, no hidglobal. Then you'll know everything is kosher.

I don't know anything about their software but they may be disabling CTK. Sooo even if you remove prior to upgrading it may not work if it's disabled but not re-enabled. Most likely if they're disabling it, it's in the plist /Library/Preferences/com.apple.security.smartcard.plist.

After you've confirmed your card works happily in Catalina you can try removing before or after upgrading from Mojave to Catalina.
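
An added example, not part of the original thread: a small audit of the smart card preferences plist mentioned above, reporting settings that would stop the built-in CryptoTokenKit PIV driver from loading. The key names `DisabledTokens`, `allowSmartCard` and `Legacy` and the token ID `com.apple.CryptoTokenKit.pivtoken` do not appear in the thread; they are assumptions taken from Apple's smart card documentation and should be checked against `man SmartCardServices` on the target macOS version. The sample plist is constructed.

```python
import plistlib
import sys

# Path quoted in the thread.
PLIST_PATH = "/Library/Preferences/com.apple.security.smartcard.plist"
# Assumption: identifier of the built-in PIV token driver (not from the thread).
BUILTIN_PIV = "com.apple.CryptoTokenKit.pivtoken"


def audit_smartcard_prefs(raw):
    """Return a list of findings for settings that can hide a PIV card."""
    try:
        prefs = plistlib.loads(raw)  # accepts XML and binary plists
    except Exception as exc:  # malformed or truncated file
        return [f"plist could not be parsed: {exc.__class__.__name__}"]
    findings = []
    # Assumption: DisabledTokens is an array of token driver identifiers.
    for token in prefs.get("DisabledTokens", []):
        if token == BUILTIN_PIV:
            findings.append(f"built-in PIV token driver disabled: {token}")
        else:
            findings.append(f"other token driver disabled: {token}")
    # Assumption: allowSmartCard=false turns smart card use off entirely.
    if prefs.get("allowSmartCard") is False:
        findings.append("allowSmartCard is false")
    # Assumption: Legacy=true requests the old tokend path instead of CTK.
    if prefs.get("Legacy") is True:
        findings.append("Legacy is true (tokend compatibility requested)")
    return findings


# Constructed sample: what a plist left behind by third-party software
# might look like if it disabled the built-in driver.
SAMPLE = plistlib.dumps({
    "DisabledTokens": [BUILTIN_PIV],
    "UserPairing": True,
    "allowSmartCard": True,
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for line in audit_smartcard_prefs(data) or ["no token-disabling settings found"]:
        print(line)
```

Run it with the plist path as the argument on the upgraded Mac, before and after removing the third-party agent, to see whether a disabling entry was left behind.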

fviola
New Contributor II

@boberito Thanks. This is what I am going to do. I am going to image a Catalina system without installing the ActivID agent and see if I can pair the smartcard and make sure everything works great. If yes, then I know it is the ActivID agent causing the issue, so I need to figure it out. Side note, I also have a Configuration Profile with a Smart Card payload with ALLOW SMART CARD, ALLOW USER PAIRING, ONLY ALLOW ONE SMART CARD PER USER, CHECK CERTIFICATE AND SOFT REVOCATION, ENABLE SCREEN SAVER ON SMART CARD REMOVAL. I will let you know the outcome of the experiment.