Posted on 01-31-2020 09:04 AM
I manage a government enterprise network with many Mac laptops. We are required to enforce smart card logins only for all users. All of our users are Active Directory with mobile accounts. We have previously accomplished this using Centrify, however tokend is now dead so we are forced to use the Native Smart Card functionality in Catalina. Unfortunately, the built in functionality for this falls short in that there does not seem to be a way to get a Kerberos ticket with a smart card in the same way that Centrify provided with the sctool command. While the system will grant a ticket upon login with the correct SmartcardLogin.plist in place, you can not renew the ticket after expiration. Previously, doing a screen lock and unlocking would renew the ticket. This is not the case with the native smart card support in Catalina. The user would have to log out and back in to get a new Kerberos ticket. It's also a problem for VPN in that they have no ticket to access resources once they are connected. The solution I have for this is to use enforce a Smart Card login via a User Level configuration on JAMF and then allow a password on the AD account whereby they could run a kinit command from the terminal to get a ticket. The problem is that this user-level policy does not seem to work at the actual Mac login screen. I can still login with a password even with this configuration profile set. If I try to unlock a screen with a password after already logging in, it will deny me with a message that the smart card is required. So it appears to work on the lock screen but not the actual login screen. I've verified that the profile is indeed installed for the user with those settings. This configuration profile works via the Computer level, but that is problematic as it sets the smart card enforcement for all accounts, including the local admin account. That is something that we do not want. I'm at a dead end. Any ideas are appreciated.
Posted on 01-31-2020 10:17 AM
Have you looked at deploying the SSO extension with Catalina? Where it has some issues we've ran into and submitted tickets to Apple. It seems to help more reliably get kerberos tickets and in fact when a user connects to VPN they'll get a pop up to login to the SSO extension that gets them a kerberos ticket. It's one of the best uses of it. And you can have it be configured for smartcard login, not username/password.
And have you reached out to Apple, either the government system engineers, applecare support, or submitted feedback(since it's a bug)? They may be able to help you.
Posted on 01-31-2020 12:42 PM
Thanks very much. I did receive an email from an Apple Engineer, Jamie Richardson with this suggestion. I'll give it a go and update this post with my results.
Posted on 01-31-2020 08:31 PM
Hopefully it works and solves the issue. Find me on the Mac admins slack. There’s a number of us gov smartcard ad bound sufferers. My username on there is the same as here.
Posted on 02-03-2020 02:36 PM
Unfortunately, the kerberos-sso extension did not solve my problem. I have no way of invoking the SSO extension to renew a ticket. With a test account, I was able to pair a Smartcard with a local user and using the SSO, I could pair that to an AD account which will give me a kerberos ticket upon initial login. That's great, except that when my ticket expires, I have no way of renewing it as unlocking the screen does not invoke the SSO extension nor renew my ticket. I need this ability with a smartcard, whether that's with unlocking a screen or on a terminal with either a kinit or sctool (centrify) command. I'm hitting dead end after dead end. I'm not hopeful. Also, this doesn't really address my original problem in this post which is why the user-level profile doesn't force smart card logins only at the intitial login screen. If I could only have that one little piece working, then I'd be able to enforce my smartcard requirements.
Posted on 02-04-2020 05:55 AM
user-level profiles are only user level. So it won't enforce system level(login window).