Intro to smart card integration
macOS 10.15 includes native support for personal identity verification (PIV) smart cards, USB CCID class-compliant readers, and hard tokens that support the PIV standard. PIV is an open standard widely used in commercial and government organisations for two-factor authentication, digital signing and encryption. The built-in support for smart cards in macOS is based on a modern framework called CryptoTokenKit (CTK), which enables smart card support without any additional software.
Developers who want to use CTK to support smart cards in their own apps can find CryptoTokenKit documentation on the Apple Developer website.
Supported smart card functions in macOS 10.15
macOS 10.15 includes built-in support for the following capabilities:
Authentication: LoginWindow, PKINIT, SSH, Screensaver, Safari, authorisation dialogs and in third-party apps supporting CTK
Signing: Mail and third-party apps supporting CTK
Encryption: Mail, Keychain Access and third-party apps supporting CTK
Note: Legacy tokend support is disabled in macOS 10.15, so third-party smart card solutions based on tokend that an organisation used before macOS 10.15 no longer work. See the Apple Support article Prepare for smart card changes in macOS Catalina.
Smart cards can be used for two-factor authentication. The two factors are “something you have” (the card) and “something you know” (the PIN that unlocks the card). macOS 10.12.4 or later includes native support for smart card login authentication and for client certificate based authentication to websites using Safari. macOS also supports Kerberos authentication using key pairs (PKINIT) for single sign-on to Kerberos-supported services.
Note: If the smart card is used for system login, make sure it is provisioned with both a certificate for authentication and one for encryption (the key management key, KMK). The encryption key is used to wrap the login keychain password, and the lack of an encryption key causes repeated keychain password prompts.
Digital signing and encryption
In the Mail app, the user can send messages that are digitally signed and encrypted. The feature requires that the email address appear, with matching case, in the subject or subject alternative name of the digital signing and encryption certificates on the PIV token in the attached smart card. If a configured email account matches an email address on a digital signing or encryption certificate on an attached PIV token, Mail automatically displays the email signing button in the toolbar of a new message. A locked lock icon indicates that the message will be sent encrypted with the recipient’s public key.
For account login, the presence of an encryption key, also known as a key management key (KMK), is required for the keychain password wrapping feature to function. Lack of a KMK results in the user being repeatedly prompted for the password for the login keychain. If a KMK is present, the user who logs in with a smart card is not prompted to unlock the keychain, and the experience is similar to password-based login.
Smart Card payload
The Apple Configuration Profile Reference contains support information for mobile device management (MDM) of smart cards. Some MDM solutions may natively support the Smart Card payload and all can deploy custom configuration profiles. Smart card support includes the ability to allow smart cards, enforce smart cards, allow one smart card pairing per user, certificate trust checking, and token removal action (screensaver lock).
To view the settings an MDM solution can configure in this payload, see Smart Card payload settings.
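The following is an added example, not code from Apple or from this page, showing what a custom Smart Card configuration profile looks like when built and sanity-checked before it is handed to an MDM. The payload key names (PayloadType com.apple.security.smartcard, allowSmartCard, enforceSmartCard, oneCardPerUser, UserPairing, checkCertificateTrust, tokenRemovalAction) and the meaning of the integer values are taken from Apple's Configuration Profile Reference as the editor recalls them and should be confirmed against the Smart Card payload settings page; the identifiers, UUIDs, organisation name and the consistency rules in validate_payload are this example's own assumptions.

```python
"""Build and sanity-check a macOS Smart Card configuration profile (added example).

Key names follow Apple's Configuration Profile Reference for the
com.apple.security.smartcard payload; identifiers, UUIDs and the
organisation name are placeholders, and the consistency rules below are
this example's own policy, not Apple's.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.security.smartcard"

# Value ranges as summarised from the Configuration Profile Reference (confirm there):
# checkCertificateTrust: 0 = no trust check, 1 = validity check only,
#   2 = validity + soft revocation check, 3 = validity + hard revocation check.
# tokenRemovalAction: 0 = do nothing, 1 = lock the screen when the token is removed.
TRUST_LEVELS = range(0, 4)
REMOVAL_ACTIONS = (0, 1)


def smartcard_payload(*, allow=True, enforce=False, one_card_per_user=True,
                      user_pairing=True, check_trust=1, token_removal=1):
    """Return a Smart Card payload dictionary with the given settings."""
    return {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.smartcard.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Smart Card",
        "allowSmartCard": allow,                # allow smart cards at all
        "enforceSmartCard": enforce,            # require a smart card for login/auth
        "oneCardPerUser": one_card_per_user,    # one smart card pairing per user
        "UserPairing": user_pairing,            # let users pair a card themselves
        "checkCertificateTrust": check_trust,   # certificate trust checking level
        "tokenRemovalAction": token_removal,    # 1 = start the screensaver lock
    }


def validate_payload(p):
    """Return a list of problems found; an empty list means the payload is consistent."""
    problems = []
    if p.get("PayloadType") != PAYLOAD_TYPE:
        problems.append("PayloadType must be " + PAYLOAD_TYPE)
    if p.get("checkCertificateTrust") not in TRUST_LEVELS:
        problems.append("checkCertificateTrust must be an integer from 0 to 3")
    if p.get("tokenRemovalAction") not in REMOVAL_ACTIONS:
        problems.append("tokenRemovalAction must be 0 or 1")
    # Example policy: enforcing smart cards while disallowing them locks everyone out.
    if p.get("enforceSmartCard") and not p.get("allowSmartCard"):
        problems.append("enforceSmartCard requires allowSmartCard")
    # Example policy: enforcement without certificate trust checking skips chain
    # validation of the presented certificate; require level 1 or higher.
    if p.get("enforceSmartCard") and p.get("checkCertificateTrust") == 0:
        problems.append("enforceSmartCard with checkCertificateTrust=0 skips trust checking")
    return problems


def build_profile(payload, organisation="Example Org"):
    """Wrap the payload in a top-level profile and return it as XML plist bytes.

    Raises ValueError instead of emitting a profile that fails validate_payload.
    """
    problems = validate_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.smartcard",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Smart Card settings",
        "PayloadOrganization": organisation,
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Pairing-only rollout first; switch enforce=True only after users have paired.
    print(build_profile(smartcard_payload(enforce=False)).decode())
```

The script emits a .mobileconfig body that an MDM can deploy as a custom profile. Deploy it with enforceSmartCard set to false first so users can pair their cards, and turn enforcement on in a second profile only once pairing is confirmed, otherwise users without a paired card cannot log in.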