Configure a Mac for smart card–only authentication
macOS supports smart card–only authentication for the mandatory use of a smart card, which disables all password-based authentication. This policy is established across all Mac computers, and can be changed on a per-user basis using an exemption group, in the event that a user doesn’t have a working smart card available.
Smart card–only authentication using machine based enforcement
A Mac with macOS 10.13.2 or later supports smart card–only authentication for the mandatory use of a smart card, which disables all password-based authentication and is often called machine based enforcement. To leverage this feature, mandatory smart card enforcement must be established using a mobile device management (MDM) solution or by using the following command:
sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool trueFor additional instructions on configuring macOS for smart card–only authentication, see the Apple Support article Configure macOS for smart card-only authentication.
Smart card–only authentication using user based enforcement
User based enforcement is accomplished by specifying a user group that’s exempted from smart card login. NotEnforcedGroup contains a string value that defines the name of a local or Directory group that won’t be included in mandatory smart card enforcement. This is sometimes referred to as user based enforcement and provides per-user granularity to smart card services. To leverage this feature, machine based enforcement must first be established using a mobile device management (MDM) solution or by using the following command:
sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool trueIn addition, the system must be configured to allow users who aren’t paired with a smart card to log in with their password:
sudo defaults write /Library/Preferences/com.apple.security.smartcard allowUnmappedUsers -int 1Use the example /private/etc/SmartcardLogin.plist file below as guidance. Use EXEMPT_GROUP for the name of the group used for exemptions. Any user you add to this group is exempt from smart card login, as long as they’re a specified member of the group or the group itself is specified for exemption. Verify that the ownership is root and that permissions are set to “world readable” after editing.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>AttributeMapping</key> <dict> <key>dsAttributeString</key> <string>dsAttrTypeStandard:AltSecurityIdentities</string> <key>fields</key> <array> <string>NT Principal Name</string> </array> <key>formatString</key> <string>Kerberos:$1</string> </dict> <key>NotEnforcedGroup</key> <string>EXEMPT_GROUP</string></dict></plist>