
Configure a Mac for smart card–only authentication
macOS supports smart card–only authentication for the mandatory use of a smart card, which stops all password-based authentication. This policy applies to every user of the Mac, and can be relaxed on a per-user basis using an exemption group, for example when a user doesn’t have a working smart card available.
Smart card–only authentication with machine-based enforcement
A Mac with macOS 10.13.2 or later supports smart card–only authentication for the mandatory use of a smart card, which stops all password-based authentication and is often called machine-based enforcement. To leverage this feature, you need to establish mandatory smart card enforcement using a device management service or by using the following command:
sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true

For additional instructions on configuring macOS for smart card–only authentication, see the Apple Support article Configure macOS for smart card-only authentication.
Smart card–only authentication with user-based enforcement
You implement user-based enforcement by specifying a user group that you exempt from smart card login. NotEnforcedGroup contains a string value that defines the name of a local or Directory group that you don’t include in mandatory smart card enforcement. This provides per-user granularity to smart card services. To leverage this feature, you first need to establish machine-based enforcement using a device management service or by using the following command:
sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true

In addition, the system needs to be configured to allow users who aren’t paired with a smart card to log in with their password:
sudo defaults write /Library/Preferences/com.apple.security.smartcard allowUnmappedUsers -int 1

Use the example /private/etc/SmartcardLogin.plist file below as guidance. Use EXEMPT_GROUP for the name of the group used for exemptions. Any user you add to this group is exempt from smart card login, as long as they’re a specified member of the group or the group itself is specified for exemption. Verify that the ownership is root and that permissions are set to “world readable” after editing.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AttributeMapping</key>
    <dict>
        <key>dsAttributeString</key>
        <string>dsAttrTypeStandard:AltSecurityIdentities</string>
        <key>fields</key>
        <array>
            <string>NT Principal Name</string>
        </array>
        <key>formatString</key>
        <string>Kerberos:$1</string>
    </dict>
    <key>NotEnforcedGroup</key>
    <string>EXEMPT_GROUP</string>
</dict>
</plist>
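The following script is an added example, not Apple's code: it generates the SmartcardLogin.plist shown above for a given exemption group, audits an existing copy for the root ownership, world-readable permissions and keys the article calls for, and models the resulting policy (smart card required unless the user is in the NotEnforcedGroup). The file path comes from the article; the function names and the policy model are this example's own assumptions.

```python
# Added example (not Apple's code): build and audit /private/etc/SmartcardLogin.plist
# as described above, and model the machine-based enforcement plus exemption group.
import os
import plistlib
import stat

PLIST_PATH = "/private/etc/SmartcardLogin.plist"  # path given in the article


def build_smartcard_login_plist(exempt_group: str) -> bytes:
    """Return the article's plist as XML bytes with the exemption group filled in."""
    payload = {
        "AttributeMapping": {
            "dsAttributeString": "dsAttrTypeStandard:AltSecurityIdentities",
            "fields": ["NT Principal Name"],
            "formatString": "Kerberos:$1",
        },
        "NotEnforcedGroup": exempt_group,
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def write_smartcard_login_plist(path: str, exempt_group: str) -> str:
    """Write the plist and set the 0644 ('world readable', owner-writable) mode."""
    with open(path, "wb") as fh:
        fh.write(build_smartcard_login_plist(exempt_group))
    os.chmod(path, 0o644)
    return path


def audit_smartcard_login_plist(path: str = PLIST_PATH) -> dict:
    """Check ownership, permissions and keys; boolean entries are True when the check passes."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    mapping = data.get("AttributeMapping", {})
    return {
        "owned_by_root": st.st_uid == 0,
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "not_group_or_world_writable": not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        "has_attribute_mapping": {"dsAttributeString", "fields", "formatString"} <= set(mapping),
        "exempt_group": data.get("NotEnforcedGroup"),  # None when no exemption group is set
    }


def smart_card_required(enforce_smart_card: bool, user_groups, exempt_group) -> bool:
    """Model (assumption) of the article's policy: with enforceSmartCard set, a password
    login is only possible for members of the NotEnforcedGroup."""
    if not enforce_smart_card:
        return False
    return exempt_group not in set(user_groups)
```

Run the audit as root against the real path to confirm the "owned_by_root" check as well; the other checks work for any user who can read the file.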