Centrify Express For Mac Smart Card

To fully support smart card login, you can do either one of the following.

What does the end of life (EOL) for Centrify Express products entail? As of May 1st, 2019, Centrify Express for SaaS and Mobile, Centrify Express for Mac and Centrify Express for Mac Smart Card users are no longer eligible to receive new security updates, non-security hotfixes, free assisted support options or online technical content updates from Centrify.

While I thought I had Centrify Express previously loaded, my Certs weren't showing up, so I re-installed CentrifyExpress. I could then set Identity Preferences for each site. However, it appears the card reader hangs up while trying to access. It appears the website has hung, but if I remove the card, it pops up the PIN entry dialog.

You can also use the following third-party smart card drivers with CAC and PIV cards. PKard for Mac v1.7 and v1.7.1; Charismathics (CCSI5.0.3PIV) Centrify Express; To use a third-party smart card driver, you must disable the CryptoTokenKit smart card driver. For more information, see Disabling the CryptoTokenKit Smart Card Driver.

Mac users can log on to Microsoft Windows networks through DirectControl 4.2 from Centrify Corp., a provider of Active Directory-based access control and identity management solutions for non-Microsoft platforms. This newest offering for Mac OS X adds smart card-based login to Active Directory for single sign-on to Windows-integrated services and applications. Centrify leverages the PKI.

For a single-user card, before enabling smart card support, make sure you do the following:

  • Provision a smart card with an NT principal name and PIN.
  • Refer to Supported smart card profiles to verify that the profile on your smart card is supported by Centrify.
  • Verify that the Active Directory Zone user’s UPN matches the UPN on the smart card.

  • Configure a computer to require smart card login by enabling the Require smart card login group policy (Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require smart card login.) When you enable this policy, no one can log into a computer for which this policy applies with a user name and password but must insert a smart card, unless you create an exception group. An exception group is simply an Active Directory group that you create and add to this group policy to allow group members to log in, if necessary, with a user name and password. The purpose of creating an exception group is to allow users to temporarily log in if they do not have their smart card in hand.

    Note: If you set this policy, be certain that all users have their passwords set to never expire. Otherwise, if a password expires, a user may be unable to log in with a smart card and may see a potentially confusing error message about changing their password. If you use the option to require smart card login for specific users, as explained in the next bullet, you can ignore password expiration.

  • Set an individual user’s account options to require login with a smart card, as shown in the following procedure. When you set this option, the user cannot interactively log in to a computer with a user name and password but must insert a smart card. Do not use this option if you want to allow specific users to log in temporarily with a user name and password in case they do not have their smart card with them. In this case, use the Require smart card login group policy and create and add an exception group.

To require smart-card login for a specific user:

  1. Open the Access Manager console or Active Directory Users and Computers.
  2. Select the user. For example, in the Access Manager console, open domainName > Zones > zoneName > Users > userName.
  3. Right-click the userName and select Properties.
  4. Select the Account tab.
  5. In Account options, scroll until Smart card is required for interactive logon is visible, then select it.
  6. Click OK.

ActivClient for Mac | CACKey | Centrify Express | CSSI | High Sierra built in Smart Card ability | Mojave built in Smart Card ability | OpenSC | PKard | Sierra built in Smart Card ability | Smart Card Services / Files to manually remove | How to Unpair your smart card

Click the word GO at the top of your main desktop, select Computer

If you don't see the word GO, click Finder (2 little faces) in the bottom left corner of screen

Go to:

Hard disk / Library /

Delete 'CACKey' folder

Also follow this section to remove .tokend files

Run in Terminal.app:

sudo /usr/local/bin/opensc-uninstall

or

Go to:

Hard disk / Library /

Delete 'OpenSC' folder

Go to: Hard disk / Library / LaunchAgents /

Delete 'opensc-notify.plist'

Also follow this section to remove .tokend files

Go to:

Hard disk / Library / Application Support /

Delete 'CSSi' folder

Also follow this section to remove .tokend files

Go to:

Hard disk / Library / Application Support / PKard

Run the PKard Uninstall program, select 'Uninstall PKard'

Click 'Uninstall'

You also need to modify a system file that Thursby changed. This does not happen automatically when running the Uninstall option listed above.

1. Remove your CAC from the reader

2. Open Terminal, by typing Terminal in the spotlight search

3. Copy the entire command below [starting with sudo, and ending with ~/] and paste it into the terminal window (or manually retype it)

sudo mv /Library/Preferences/com.apple.security.smartcard.plist ~/.Trash/

4. When prompted for your computer password, know that the cursor will not move, type it in, and hit enter to process.

5. Log out of Terminal

6. Restart computer

Information provided from: https://www.thursby.com/forum/viewtopic.php?t=3394

Also follow this section to remove .tokend files

Go to:

Hard disk / Applications / Utilities / Centrify /

Double click: SmartCardTool or SmartCardAssist

Select 'Uninstall' from the Centrify Express for Smart Card window

Also follow this section to remove .tokend files

How to Remove ActivClient for Mac

Go to:

Hard disk / Applications / Utilities

Double click: ActivID ActivClient for Mac Uninstaller

Select 'Uninstall' from the ActivID ActivClient for Mac Uninstaller screen

ActivClient for Mac users must also remove the 'acpkcs220.dylib' file

Mac OS X 10.5.x - Mac OS X 10.10.x, 10.11.x - 10.15.x users look below

Go to:

Hard disk / System / Library / Security / tokend /

Delete 'BELPIC.tokend', 'CAC.tokend', 'CACNG.tokend', 'CSSI.tokend', 'OpenSC.tokend', 'JPKI.tokend', 'ac.ac4mac.token', 'PIV.tokend', and / or 'PKCS11.tokend' files

Sometimes a few other files need to be removed, they are found in:

Hard disk / System / Library / Security / tokend /uiplugins /

Delete 'BELPICViewerPlugin.bundle', 'CACViewerPlugin.bundle', and / or 'PIVViewerPlugin.bundle' files

NOTE: If you can't delete them, skip them and follow next step.

Mac OS X 10.11.x through 10.15.x systems

Go to:

Hard disk / Library / Security / tokend /

Delete 'BELPIC.tokend', 'CAC.tokend', 'CACNG.tokend', 'CSSI.tokend', 'OpenSC.tokend', 'JPKI.tokend', 'PIV.tokend', and / or 'PKCS11.tokend' files

Go to:

Hard disk / Library / Frameworks / ac.ac4mac.pkcs11.framework / Versions / Current / Libraries/

Delete 'acpkcs220.dylib'
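
Before deleting anything by hand, it helps to see which of the files and folders listed above are actually present. The script below is an added example, not part of the original instructions: it only reads the file system and prints the paths it finds. It assumes "Hard disk" means the root volume `/`; the `ROOT` argument and the `SC_ROOT` variable are hypothetical names introduced here so the script can be tried against a scratch directory.

```shell
#!/bin/sh
# Added example: read-only inventory of the smart card driver files named above.
# Assumption: "Hard disk" on the page means the root volume "/".

# Print every path from the page's removal lists that exists under ROOT.
# ROOT is a hypothetical parameter: empty on a real Mac, or a scratch
# directory when trying the script out.
list_smartcard_leftovers() {
    root="${1:-}"
    {
        # Folders and files of the individual enablers.
        printf '%s\n' \
            "/Library/CACKey" \
            "/Library/OpenSC" \
            "/Library/LaunchAgents/opensc-notify.plist" \
            "/Library/Application Support/CSSi" \
            "/Library/Application Support/PKard" \
            "/Applications/Utilities/Centrify" \
            "/Library/Frameworks/ac.ac4mac.pkcs11.framework/Versions/Current/Libraries/acpkcs220.dylib"
        # Token drivers, checked in both tokend directories.
        for dir in /System/Library/Security/tokend /Library/Security/tokend; do
            for name in BELPIC.tokend CAC.tokend CACNG.tokend CSSI.tokend \
                        OpenSC.tokend JPKI.tokend ac.ac4mac.token PIV.tokend \
                        PKCS11.tokend; do
                printf '%s/%s\n' "$dir" "$name"
            done
        done
        # Viewer plug-ins.
        for name in BELPICViewerPlugin.bundle CACViewerPlugin.bundle \
                    PIVViewerPlugin.bundle; do
            printf '/System/Library/Security/tokend/uiplugins/%s\n' "$name"
        done
    } | while IFS= read -r candidate; do
        if [ -e "$root$candidate" ]; then
            printf '%s\n' "$candidate"
        fi
    done
    return 0
}

# Report what is still installed; nothing is deleted.
# SC_ROOT is a hypothetical environment variable for pointing at a test tree.
list_smartcard_leftovers "${SC_ROOT:-}"
```

Save it to a file and run it with `sh`; an empty result means none of the listed enabler files remain.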

DO NOT DISABLE on 10.15.x, there is NO alternative

NOTE: Mojave, High Sierra, and Sierra have a 'built in Smart Card ability' that works for 'some' people 'some' of the time. To use your CAC 'more consistently' I recommend you install a 3rd party CAC enabler, such as CACKey or PKard. This section shows you how to disable the built in smart card ability found on Mojave, High Sierra, and Sierra.


NOTE2: Doing this will remove the ability to login to your computer with your CAC, and will require you to install a 3rd party CAC enabler such as CACKey or PKard.

1. Remove your CAC from the reader

2. Open Terminal, by typing Terminal in the spotlight search

3. Copy the command below [starting with sudo, and ending with pivtoken] and paste it into the terminal window (or manually retype it)

sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken

3a. I recommend you run this command twice.

4. When prompted for your computer password, know that the cursor will not move, type it in, and hit enter to process.

5. After that it should be disabled. Logout of Terminal, restart computer, and try again

NOTE3: If you have recently updated to Mac OS Catalina (10.15.x) or Mac OS Big Sur (11.00.x), you need to re-enable the built in Smart Card ability after removing all installed enablers listed above:

1. Remove your CAC from the reader

2. Open Terminal, by typing Terminal in the spotlight search

3. Copy the entire command below [starting with sudo, and ending with pivtoken] and paste it into the terminal window (or manually retype it)

sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array && sudo defaults write /Library/Preferences/com.apple.security.smartcard EnabledTokens -array com.apple.CryptoTokenKit.pivtoken

3a. I recommend you run this command twice.

4. When prompted for your computer password, know that the cursor will not move, type it in, and hit enter to process.

5. After performing these steps, the built in smart card ability should be enabled.

6. Log out of Terminal

7. Restart computer

8. When prompted to Pair your Smart Card with your computer, you can select Pair, or Cancel. If you elect to pair, you will have an additional option to utilize your CAC and PIN to access your computer [when the CAC is in the reader]. If the CAC is not in the reader, you can still use your fingerprint, or username/password option.

How to UNPAIR your smart card

1. Remove your CAC from the reader

2. Open Terminal, by typing Terminal in the spotlight search.

3. Type: sc_auth list

4. Copy the hash, which will be 40 characters consisting of numbers and letters, and paste it in place of the [hash] in the command below

5. Type: sc_auth unpair -h [hash]

Instructions found at: https://support.yubico.com/support/solutions/articles/15000006468-using-your-yubikey-as-a-smart-card-in-macos
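
A copy-and-paste slip in step 4 (a truncated hash, or the wrong one when several cards are paired) is easy to make. The helper below is an added example, not from the original instructions: it reads saved `sc_auth list` output, picks out the hash, and prints the unpair command only when exactly one hash is present. The sample listing is constructed, and the layout of real `sc_auth list` output is not assumed beyond the hash being a standalone 40-character hexadecimal string.

```shell
#!/bin/sh
# Added example: pull pairing hashes out of `sc_auth list` output and build
# the unpair command only when the choice is unambiguous.

# Constructed sample listing (not real output; the "Hash:" label is assumed).
SAMPLE_LISTING='Hash: 0123456789ABCDEF0123456789ABCDEF01234567'

# Print each standalone 40-character hexadecimal token found on stdin.
# -w rejects tokens that are part of a longer run of letters and digits.
extract_pairing_hashes() {
    grep -oiwE '[0-9a-f]{40}' || true
}

# Read listing text on stdin and print the unpair command for the single
# hash found. Returns 1 when there is no hash, 2 when there are several.
build_unpair_command() {
    hashes=$(extract_pairing_hashes | sort -u)
    count=$(printf '%s' "$hashes" | grep -c . || true)
    case "$count" in
        0) echo "no 40-character hash found" >&2; return 1 ;;
        1) printf 'sc_auth unpair -h %s\n' "$hashes" ;;
        *) echo "several hashes found, choose one by hand" >&2; return 2 ;;
    esac
}

# Demonstration on the constructed sample; the command is printed, not run.
printf '%s\n' "$SAMPLE_LISTING" | build_unpair_command
```

On a Mac, pipe the real listing in with `sc_auth list | build_unpair_command` and review the printed command before running it.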