Apple Platform Deployment
Configure a Mac for smart card–only authentication
macOS supports smart card–only authentication: the mandatory use of a smart card, which disables all password-based authentication. The policy applies to the whole Mac, for every user, and can be relaxed on a per-user basis with an exemption group, for users who don’t have a working smart card available.
Smart card–only authentication with machine-based enforcement
A Mac with macOS 10.13.2 or later supports smart card–only authentication for the mandatory use of a smart card, which disables all password-based authentication and is often called machine-based enforcement. To leverage this feature, you need to establish mandatory smart card enforcement using a device management service or by using the following command:
sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true
Before you enable enforcement, make sure that at least one administrator account on the Mac is already paired with a working smart card; otherwise no account can log in with a password after the setting takes effect. For additional instructions on configuring macOS for smart card–only authentication, see the Apple Support article Configure macOS for smart card-only authentication.
Smart card–only authentication with user-based enforcement
You implement user-based enforcement by specifying a user group that you exempt from smart card login. The NotEnforcedGroup key holds a string value: the name of a local or directory group whose members are excluded from mandatory smart card enforcement. This provides per-user granularity for smart card services. To use this feature, first establish machine-based enforcement using a device management service or with the following command:
sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true
In addition, configure the system to allow users who aren’t paired with a smart card to log in with their password:
sudo defaults write /Library/Preferences/com.apple.security.smartcard allowUnmappedUsers -int 1
Use the example /private/etc/SmartcardLogin.plist file below as guidance. Replace EXEMPT_GROUP with the name of the group you use for exemptions. Any user who is a member of that group is exempt from smart card login, whether the user is listed directly as a member or the group as a whole is specified for exemption. After editing, verify that the file is owned by root and is world readable (for example, mode 0644).
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AttributeMapping</key>
    <dict>
        <key>dsAttributeString</key>
        <string>dsAttrTypeStandard:AltSecurityIdentities</string>
        <key>fields</key>
        <array>
            <string>NT Principal Name</string>
        </array>
        <key>formatString</key>
        <string>Kerberos:$1</string>
    </dict>
    <key>NotEnforcedGroup</key>
    <string>EXEMPT_GROUP</string>
</dict>
</plist>
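The user-based enforcement procedure above (the two defaults, the SmartcardLogin.plist file, and the ownership and permission check), as an added shell example that is not Apple’s own code. It assumes the exemption group is named EXEMPT_GROUP (substitute your own group), lets the destination path be overridden so the file can be rendered and checked in a temporary location without root, and only runs the `defaults write` steps when the environment variable APPLY=1 is set; the function and variable names are this example’s own.

```shell
#!/bin/sh
# Added example (not Apple's code): render /private/etc/SmartcardLogin.plist for
# user-based smart card enforcement, apply the two defaults from the steps above,
# and verify that the file is owned by root and world readable.
# Assumptions: exemption group EXEMPT_GROUP (replace with your own); the
# destination path is overridable for dry runs; the defaults step needs APPLY=1.

PLIST_PATH_DEFAULT=/private/etc/SmartcardLogin.plist

# Render the plist for the given exempt group to stdout. The heredoc is unquoted
# so $group expands; "\$1" keeps the literal $1 that macOS replaces with the
# certificate's NT Principal Name when it builds the Kerberos: mapping value.
render_smartcard_login_plist() {
  group=$1
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AttributeMapping</key>
    <dict>
        <key>dsAttributeString</key>
        <string>dsAttrTypeStandard:AltSecurityIdentities</string>
        <key>fields</key>
        <array>
            <string>NT Principal Name</string>
        </array>
        <key>formatString</key>
        <string>Kerberos:\$1</string>
    </dict>
    <key>NotEnforcedGroup</key>
    <string>$group</string>
</dict>
</plist>
EOF
}

# Read the NotEnforcedGroup value back out of an existing plist (the <string>
# on the line after the key), so a deployed file can be audited.
smartcard_login_exempt_group() {
  awk '/<key>NotEnforcedGroup<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
}

# Check a deployed file: it exists, is world readable, and (when running as root,
# the only case where ownership could have been set) is owned by root.
# Returns 0 when every check passes, 1 otherwise.
verify_smartcard_login_plist() {
  path=$1
  [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
  other_read=$(ls -ld "$path" | cut -c8)   # column 8 of ls -l is the "other read" bit
  [ "$other_read" = "r" ] || { echo "not world readable: $path" >&2; return 1; }
  owner=$(ls -ld "$path" | awk '{ print $3 }')
  if [ "$(id -u)" -eq 0 ] && [ "$owner" != "root" ]; then
    echo "not owned by root: $path (owner $owner)" >&2; return 1
  fi
  # plutil exists on macOS; lint the XML there, skip elsewhere.
  if command -v plutil >/dev/null 2>&1; then
    plutil -lint "$path" >/dev/null || return 1
  fi
  return 0
}

# Write the plist, set root ownership (only possible as root) and mode 0644, then verify.
install_smartcard_login_plist() {
  group=$1
  dest=${2:-$PLIST_PATH_DEFAULT}
  render_smartcard_login_plist "$group" > "$dest" || return 1
  if [ "$(id -u)" -eq 0 ]; then
    chown root:wheel "$dest" 2>/dev/null || chown root "$dest" || return 1
  fi
  chmod 0644 "$dest" || return 1
  verify_smartcard_login_plist "$dest"
}

# Full procedure for user-based enforcement; runs only when APPLY=1 (as root on a Mac).
if [ "${APPLY:-0}" = "1" ]; then
  defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true
  defaults write /Library/Preferences/com.apple.security.smartcard allowUnmappedUsers -int 1
  install_smartcard_login_plist EXEMPT_GROUP
fi
```

To preview the file without touching the system, source the script and run `install_smartcard_login_plist EXEMPT_GROUP /tmp/SmartcardLogin.plist`; on the target Mac, run the whole procedure with `sudo env APPLY=1 sh smartcard-login.sh`. The verify step is deliberately separate so it can be rerun later to confirm the file was not replaced or made unreadable.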