The Smart Card profile controls the restrictions and settings for Smart Card pairing on devices running macOS 10.12.4 and later.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add Profile. Select Apple macOS, and then select the type of profile to apply either to the enrollment user on the device (User Profile), or to the entire device (Device Profile).
  2. Configure the profile's General settings.
  3. Select the SmartCard payload from the list.
  4. Configure the Smart Card settings:
    Setting - Description
    Allow Smart Card authentication - Enable the option to use the Smart Card for logins, authorizations, and screensaver unlocking. If disabled, the Smart Card cannot be used for logins, authorizations, or screensaver unlocking, but can still be used for signing emails and web access. After assigning the profile, the user must restart the device for the change in the settings to take effect.
    Require Smart Card for all authentication - Enable the option to allow the user to log in or authenticate only with a Smart Card.
    Show user pairing dialog - Enable the option to allow the user to view the pairing dialog box to add new Smart Cards. If disabled, the user cannot view the pairing dialog box, although existing pairings still work.
    Restrict one card per user - Enable the option to allow the user to pair with only one Smart Card, although existing pairings are allowed if already set up.
    Certificate trust check validation - Enable the option to perform a standard certificate trust validity check without any additional revocation checks.
    Additional revocation check - By default, the Additional revocation check is disabled. If enabled, the standard certificate trust validity check is performed with the additional revocation check. The available additional revocation check types are:
      • Soft - If selected, the certificate trust check is turned on with a soft revocation check. The certificate is considered valid until the CRL/OCSP explicitly rejects it. A soft revocation check implies that an unavailable or unreachable CRL/OCSP allows the check to succeed.
      • Hard - If selected, the certificate trust check is turned on with a hard revocation check. The certificate is considered invalid unless the CRL/OCSP explicitly says this certificate is OK. The hard revocation check is the most secure option.
    Screen saver on Smart Card removal - Enable the option to activate the screen saver when the Smart Card is removed.
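
The settings in step 4 can be verified on an exported, unsigned profile. The following is an added example, not part of the original documentation: it audits the SmartCard payload and reports settings weaker than "required, hard revocation check, screen saver on removal". The key names are those of Apple's com.apple.security.smartcard payload; their mapping to the console settings above, the defaults for absent keys, and the sample profile are assumptions of this example.

```python
import plistlib

# Key names are Apple's com.apple.security.smartcard payload keys. Mapping them
# to the console settings above, and the defaults for absent keys, are assumptions.
PAYLOAD_TYPE = "com.apple.security.smartcard"
TRUST_FINDINGS = {
    0: "certificate trust check is off",
    1: "trust check runs without a revocation check",
    2: "soft revocation check: unreachable CRL/OCSP lets the check succeed",
    3: None,  # hard revocation check
}

# Constructed sample profile, not exported from a real console.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.smartcard</string>
    <key>allowSmartCard</key><true/>
    <key>enforceSmartCard</key><false/>
    <key>oneCardPerUser</key><true/>
    <key>checkCertificateTrust</key><integer>2</integer>
    <key>tokenRemovalAction</key><integer>0</integer>
  </dict></array>
</dict></plist>"""


def audit_smartcard_profile(raw: bytes) -> list[str]:
    """Return findings for each SmartCard payload in an unsigned .mobileconfig."""
    profile = plistlib.loads(raw)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no SmartCard payload present"]
    findings = []
    for p in payloads:
        if not p.get("allowSmartCard", True):
            findings.append("Smart Card authentication is disabled")
        if not p.get("enforceSmartCard", False):
            findings.append("Smart Card is not required for all authentication")
        trust = p.get("checkCertificateTrust", 0)
        findings.append(TRUST_FINDINGS.get(trust, f"unknown trust mode {trust}"))
        if p.get("tokenRemovalAction", 0) != 1:
            findings.append("no screen saver on Smart Card removal")
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in audit_smartcard_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

A signed profile is wrapped in a CMS signature and must be unwrapped to its plist before it is passed to `audit_smartcard_profile`.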