

Enablement of mandatory smart card login for all Mac workstations and laptops within your environment will help align to the NIST SP 800-53 Identification and Authentication family of controls to support FISMA compliance.

Ensure the following prerequisites are complete or ready:

- The person completing this process has administrative privileges on the macOS device.
- Most departments and agencies already maintain processes to map PIV attributes to Active Directory domain accounts. This playbook also provides guidance on the different models that can be used to link domain accounts to PIV certificate attributes.

Choose an Authentication Option

Agencies have two options to enforce smart card authentication in macOS.

1. Local Account Pairing - For a non-domain-joined macOS account, an agency may enable local account pairing. This method pairs a smart card to the local macOS user account and requires its use for desktop authentication. No domain or Kerberos architecture is needed. See this Apple Platform Deployment guide for more information on local account pairing.

2. Windows Domain User Account - For a Windows domain-joined device, an agency can map smart card attributes to an Active Directory account. This method involves creating a plist configuration file and disabling local pairing on the macOS device.

Agencies may additionally choose machine-based or user-based enforcement, which disables all password-based authentication.

- Machine-Based Enforcement (MBE): This implementation removes the option for password-based authentication in favor of smart card-only authentication for any account accessible by the macOS device (local or network).
- User-Based Enforcement (UBE): This implementation creates an exception to smart card-only authentication for specific users or groups of users (e.g., network admins, device admins, and individuals waived from smart card requirements).

This Apple Platform Deployment guide provides some additional detail on MBE vs. UBE.
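The plist file the Windows Domain User Account option refers to, and the MBE/UBE distinction, can be illustrated with a small generator script. This is an added example and is not part of the playbook or Apple's documentation: it writes a SmartcardLogin.plist that maps the certificate's NT Principal Name onto the Active Directory userPrincipalName and, when a group name is supplied, adds a NotEnforcedGroup exception (the UBE model). The key names (AttributeMapping, fields, formatString, dsAttributeString, TrustedAuthorities, NotEnforcedGroup) and the defaults commands in the comments follow Apple's published smart card configuration keys as I know them; the group name, the output path and the CA hash placeholder are constructed for this example and must be replaced with agency values.

```shell
#!/bin/sh
# Added example, not the playbook's own code. Generates a SmartcardLogin.plist
# describing either Machine-Based Enforcement (no exception group) or
# User-Based Enforcement (a NotEnforcedGroup is named). Writes to any path so
# it can be run on a non-Mac host; on the Mac itself the file lives at
# /etc/SmartcardLogin.plist (Apple's documented location, assumption here).
#
# Companion steps that only make sense on the Mac (not run by this script):
#   sudo defaults write /Library/Preferences/com.apple.security.smartcard UserPairing -bool false
#   sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true
# The first disables local account pairing (required for the AD mapping
# option); the second turns on smart card-only authentication.
set -eu

# write_smartcard_login_plist OUTPUT_PATH [NOT_ENFORCED_GROUP]
write_smartcard_login_plist() {
  out="$1"
  group="${2:-}"

  # Static part: attribute mapping and the trusted issuing CA list.
  # formatString "$1" is the literal plist value (first matched field),
  # so the heredoc is quoted to keep the shell from expanding it.
  cat > "$out" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AttributeMapping</key>
  <dict>
    <key>fields</key>
    <array>
      <string>NT Principal Name</string>
    </array>
    <key>formatString</key>
    <string>$1</string>
    <key>dsAttributeString</key>
    <string>dsAttrTypeNative:userPrincipalName</string>
  </dict>
  <key>TrustedAuthorities</key>
  <array>
    <string>REPLACE_WITH_SHA256_OF_ISSUING_CA_CERT</string>
  </array>
EOF

  # UBE only: members of this local or directory group may still use a
  # password. Constructed group name; omit the argument for MBE.
  if [ -n "$group" ]; then
    printf '  <key>NotEnforcedGroup</key>\n  <string>%s</string>\n' "$group" >> "$out"
  fi

  cat >> "$out" <<'EOF'
</dict>
</plist>
EOF
}

# plist_has_key PATH KEY: succeeds when KEY is present in the generated file.
plist_has_key() {
  grep -q "<key>$2</key>" "$1"
}

# enforcement_model PATH: prints MBE or UBE depending on the exception group.
enforcement_model() {
  if plist_has_key "$1" NotEnforcedGroup; then echo UBE; else echo MBE; fi
}

# Demo run (writes to a temporary directory, never to /etc).
demo_dir=$(mktemp -d)
write_smartcard_login_plist "$demo_dir/mbe.plist"
write_smartcard_login_plist "$demo_dir/ube.plist" "smartcard-exempt"
echo "mbe.plist: $(enforcement_model "$demo_dir/mbe.plist")"
echo "ube.plist: $(enforcement_model "$demo_dir/ube.plist")"
```

Review the generated file before installing it: a NotEnforcedGroup re-opens password login for everyone in that group, so the group should be small, audited, and limited to the waived accounts the playbook describes, and the TrustedAuthorities entry must be the real SHA-256 of the agency's issuing CA certificate or no PIV certificate will be accepted.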
