SmartCard, FileVault2, and M1 Silicon MacBooks... Oh my..

R_C
Contributor

I have a fun situation.

M1 MacBook Pro, enrolled in JAMF, with a 5-day deadline for pairing a SmartCard before automatic enforcement kicks in.

The Intel MacBooks haven't been an issue, since once enforcement kicks in the user can still log in to FV2 using their PW, and then the machine can get policies from JAMF (removing the configuration profile if we so choose).

The M1 MacBooks appear to finally support SmartCard login at the FV2 screen. The problem with this is that we cannot use a PW or the Recovery Key from JAMF to bypass this screen, and as the MacBook doesn't have network connectivity while at the FV2 login screen, we cannot remove the config profile.

We tried booting into Recovery, unlocking the disk, opening Terminal, and removing the folders below, with no luck.

/private/var/db/ConfigurationProfiles
/Library/Managed Preferences
 
Any suggestions? I both love and hate the FV2 support for SmartCard, as it greatly simplifies login but now means that getting past recovery has become significantly more difficult.
Also, we do have another local account on the machine for backdoor purposes, which is exempt from requiring a SmartCard... but it's not FV2-enabled.
 
2 ACCEPTED SOLUTIONS

R_C
Contributor

Excerpt from the macOS Security Compliance Project regarding SmartCard Bypass on M1...

https://github.com/usnistgov/macos_security/blob/main/rules/supplemental/supplemental_smartcard.yaml


===== Temporary Exemption
On an Apple Silicon Mac, if a temporary exemption is needed, `security filevault skip-sc-enforcement` will disable smartcard enforcement on next boot only.
Run the following command to set the temporary exemption when booted from Recovery:
[source,bash]
----
/usr/bin/security filevault skip-sc-enforcement <data volume UUID> set
----

To obtain the `data volume UUID` run the following:
[source,bash]
----
/usr/sbin/diskutil apfs listGroups | /usr/bin/awk -F: '/ Data/ { getline; gsub(/ /,""); print $2}'
----

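The Recovery-mode procedure in the excerpt above has two moving parts: finding the right Data volume UUID and feeding it to `security filevault skip-sc-enforcement`. The project's one-liner keys on the string " Data" in the volume's name, so it returns nothing for a renamed Data volume and returns two UUIDs on a Mac with two macOS installs. The script below is an added example, not from the thread or from the macOS Security Compliance Project. It parses `diskutil apfs listGroups` output by volume role instead of name, refuses to continue unless exactly one Data volume is found, and only then runs the exemption command from the excerpt. The embedded sample `listGroups` output is constructed; its shape (a `+-> Volume diskNsM (Role)` header followed by `Name:` and `Volume UUID:` lines) is an assumption about the real format and should be checked against an actual machine before relying on the parser.

```shell
#!/bin/sh
# Added example for the Recovery-mode exemption; not from the thread or from the
# macOS Security Compliance Project. Run with --apply, as root, booted from
# Recovery, to set the one-boot exemption. Without --apply it only parses the
# constructed sample below and prints the UUID it would use.

# Constructed sample of `diskutil apfs listGroups` output (not captured from a
# real Mac). The shape is an assumption about the real format; verify it.
SAMPLE_LISTGROUPS='APFS Volume Groups(s) (1 found)
|
+-- Container disk3 0B1C2D3E-0000-4000-8000-000000000001
    |
    +-> Volume Group 1A2B3C4D-0000-4000-8000-000000000002
        |
        +-> Volume disk3s1 (System)
        |   Name: Macintosh HD
        |   Volume UUID: 2B3C4D5E-0000-4000-8000-000000000003
        |   Sealed: Yes
        |
        +-> Volume disk3s5 (Data)
            Name: Macintosh HD - Data
            Volume UUID: 3C4D5E6F-0000-4000-8000-000000000004
            Sealed: No'

# The project's one-liner, unchanged: keys on " Data" in the volume *name*
# and prints the value found on the following line.
nist_one_liner() {
    awk -F: '/ Data/ { getline; gsub(/ /,""); print $2 }'
}

# Role-based parse: print the Volume UUID of every volume whose header says
# "(Data)", whatever the volume happens to be named.
data_volume_uuids() {
    awk '
        /Volume disk[0-9]+s[0-9]+ [(]Data[)]/ { want = 1; next }
        want && /Volume UUID:/ { sub(/.*Volume UUID:[ \t]*/, ""); print; want = 0 }
    '
}

# Require exactly one Data volume. Two means two macOS installs share the
# container and the operator must choose the UUID explicitly.
select_data_volume_uuid() {
    uuids=$(data_volume_uuids)
    count=$(printf '%s\n' "$uuids" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        1) printf '%s\n' "$uuids" ;;
        0) echo "no Data volume found in listGroups output" >&2; return 1 ;;
        *) echo "ambiguous: $count Data volumes found, pass the UUID explicitly" >&2; return 2 ;;
    esac
}

# Set the exemption for the next boot only (the command the excerpt gives).
# Rejects anything that is not UUID-shaped so a parse failure cannot become a
# malformed security(1) invocation.
skip_sc_enforcement_next_boot() {
    case "$1" in
        ????????-????-????-????-????????????) ;;
        *) echo "not a volume UUID: $1" >&2; return 1 ;;
    esac
    /usr/bin/security filevault skip-sc-enforcement "$1" set
}

if [ "${1:-}" = "--apply" ]; then
    uuid=$(/usr/sbin/diskutil apfs listGroups | select_data_volume_uuid) || exit $?
    echo "setting one-boot SmartCard exemption for Data volume $uuid"
    skip_sc_enforcement_next_boot "$uuid"
else
    echo "sample, project one-liner: $(printf '%s\n' "$SAMPLE_LISTGROUPS" | nist_one_liner)"
    echo "sample, role-based parse:  $(printf '%s\n' "$SAMPLE_LISTGROUPS" | select_data_volume_uuid)"
fi
```

On the sample both parsers agree; they diverge only when the Data volume has been renamed (the one-liner prints nothing) or when two installs share the container (the one-liner prints two UUIDs and the script above stops with status 2). Because the exemption is for the next boot only, the MDM communication and profile removal have to happen during that single boot.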

R_C
Contributor

Got another, easier solution, tested and confirmed working.

To bypass FV2 on an Apple Silicon MacBook with SmartCard enforcement enabled...

1. Boot up the Apple Silicon MacBook normally.
2. Press Option-Shift-Return and you will be prompted for the Personal Recovery Key.
3. Enter the Personal Recovery Key and proceed.
The MacBook will now authenticate past the FV2 screen, allowing network communication with the MDM. You may also log in using the SmartCard-excluded account, which wasn't FV2-enabled (no SmartToken).


5 REPLIES

user-sCWTLzSiNn
New Contributor II

EDIT:

I kept going with Apple Support, and this fixed our problem. Our local admin account is now able to log in without requiring a smartcard, and domain accounts do require a smartcard.

sudo defaults write /Library/Preferences/com.apple.security.smartcard allowUnmappedUsers -int 1

The TL;DR is it's not supported at this time.

My situation is a little different, but I think it's the same problem. We also use FileVault and smartcards. We need smartcards enforced for our domain users, but still allow our local admin account to log in with password only. I ran this up the chain at Apple. Here is their reply:

...I’d like to already inform you that the behaviour of Apple Silicon and Intel is completely different and that there are a few things that will not work on Apple Silicon that did work on Intel.

In short, what you want isn’t possible on Apple Silicon. Intel systems use EFI, which is firmware and has its own process to complete before the macOS kernel starts. In FVUnlock on Apple silicon, iBoot boots up and starts a macOS kernel that acts the same as macOS. What you're seeing at FileVault on Apple silicon is the macOS login pulled forward to the FileVault unlock screen. There is not a way to de-couple these.

I've tried that config but no luck on my end. How are you enforcing smartcard login?

merps
Contributor III

In the process of validating this now, but I'm thinking that using the NotEnforcedGroup key inside /etc/SmartcardLogin.plist should be acceptable to bypass smartcard at FileVault, the same as it does at the login window.

We did create a new group and added our local admin to this group, solely for the purpose of local logon.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AttributeMapping</key>
    <dict>
         <key>dsAttributeString</key>
         <string>dsAttrTypeStandard:AltSecurityIdentities</string>
         <key>fields</key>
         <array>
             <string>NT Principal Name</string>
         </array>
         <key>formatString</key>
         <string>Kerberos:$1</string>
    </dict>
    <key>NotEnforcedGroup</key>
    <string>name_of_local_admin_group</string>
</dict>
</plist>

 

 
