Prepare for smart card changes in macOS Catalina

Learn how to prepare your institution for smart card changes in macOS Catalina 10.15.

This article is intended for system administrators who set security policy in enterprise environments that require smart card authentication.

macOS includes a modern architecture that supports smart cards. This architecture is based on the CryptoTokenKit framework, which supports authentication, encryption, and signing functions, plus MDM controls for managing smart cards within Enterprise environments. Starting with macOS Catalina, legacy smart card support that uses TokenD will be disabled by default.

Before you upgrade to macOS Catalina

If you want to migrate from legacy TokenD to modern CryptoTokenKit-based smart card services after upgrading to macOS Catalina, follow these steps:

1. Make sure that any third-party apps that you use support CryptoTokenKit.

2. Verify that com.apple.CryptoTokenKit.pivtoken doesn't appear in the output of this Terminal command:

defaults read /Library/Preferences/com.apple.security.smartcard DisabledTokens

If it does, you can remove the PIV token from the DisabledTokens array by deleting the entire array:

defaults delete /Library/Preferences/com.apple.security.smartcard DisabledTokens

3. If you've installed a driver that relies on TokenD, use the developer's instructions to uninstall it.

If you have any issues using your smart card after upgrading to macOS Catalina, pair the card again. For additional instructions on configuring smart card services, see the macOS Deployment reference and the SmartCardServices(7) man page.

Published Date: