Supported smart card functions on Mac
macOS 10.15 or later includes built-in support for the following capabilities:
Authentication: LoginWindow, PKINIT, SSH, Screensaver, Safari, authorization dialogs, and in third-party apps supporting CryptoTokenKit
Signing: Mail and third-party apps supporting CryptoTokenKit
Encryption: Mail, Keychain Access, and third-party apps supporting CryptoTokenKit
Note: If your organization has been using third-party software earlier than macOS 10.15, keep in mind that legacy tokend support has been disabled and solutions based on tokend are no longer available.
PIV card provisioning
To use smart cards with macOS, appropriate certificates must be populated into Slot 9a (PIV Authentication) and 9d (Key Management). Optionally, a certificate should be provisioned into slot 9c (Digital Signing) if functions such as email or document signing are necessary.
When using attribute matching (discussed below) with Active Directory, the NT Principal Name in the PIV Authentication certificate and value stored in ActiveDirectory attribute dsAttrTypeStandard:AltSecurityIdentities must match with case sensitivity.
Authentication
Smart cards can be used for two-factor authentication. The two factors include “something-you-have” (the card) and “something-you-know” (the PIN) to unlock the card. macOS 10.12.4 or later includes native support for smart card and login authentication, and client certificate-based authentication to websites using Safari. macOS also supports Kerberos authentication using key pairs (PKINIT) for single sign-on to Kerberos-supported services.
Note: Make sure the smart card is properly provisioned with both a certificate authorization and a key for encryption, if used for system login. The encryption key is used to wrap the keychain password; lack of an encryption key causes repeated keychain prompts.
Digital signing and encryption
In the Mail app, the user can send messages that are digitally signed and encrypted. Usage of the feature requires a case-sensitive email address subject or subject alternative names on digital signing and encryption certificates which are on attached PIV tokens in compatible smart cards. If a configured email account matches an email address on a digital signing or encryption certificate on an attached PIV token, Mail automatically displays the email signing button in a new message toolbar. A locked lock icon indicates that the message is sent encrypted with the recipient’s public key.
Keychain wrapping
For account login, the presence of an encryption key—also known as a key management key—is required for the keychain password wrapping feature to function. Lack of a key management key results in the user being repeatedly prompted for the login keychain password throughout the login session, creating a poor user experience. Additionally, this use of a password may be a concern in smart card mandatory environments. If a key management key is present when the user logs in with a smart card, the keychain experience is similar to password-based login in that the user is not prompted repeatedly for the login keychain password.
Smart Card payload
The Smart Card payload on the Apple Developer website contains support information for mobile device management (MDM) of smart cards. Smart card support includes the ability to allow smart cards, enforce smart cards, allow one smart card pairing per user, certificate trust checking, and token removal action (screen saver lock).
Note: MDM vendors can choose to implement the Smart Card payload. To learn if the Smart Card payload is supported, consult your MDM vendor’s documentation.