Known Risks / Issues

Risk 1: Issues Temporarily Un-enforcing and Re-enforcing a PIV-enabled User

This version of the Playbook does not cover methods to temporarily un-enforce and re-enforce a PIV-enabled user. When you implement Smart Card enforcement for a user, the system changes the way passwords are handled in the Sierra OS keychain. Sierra changes the storage location of keychain passwords in the Secure Integrity Protection (SIP) area of the operating system, which makes it impossible to assign a user a randomized temporary password that can be replaced by a user’s PIV card PIN when you re-enable enforcement.
You should perform Smart Card pairing on a user’s first login. We recommend pairing the account immediately after imaging, during the initial system setup session with the user.

For systems using Yosemite OS, we recommend a clean install followed by a manual transfer of user home folder data, because Yosemite OS’ built-in smart card enforcement mechanisms are not compatible with Sierra OS’ Secure Integrity Protection protocols.

1. Make sure the smart card reader is plugged into a USB port.
2. A dialog box should pop up when you insert the user’s smart card.
3. Select the certificate for PIV Authentication in the drop-down menu.
4. The system will prompt for an elevated user to authorize the pairing of the PIV Certificate to the user’s account.
5. The process should be complete as soon as you click “Pair”.

The next time the user logs in, they will be prompted for their PIN, and the system will replace the current keychain password.
Pair the User’s Smart Card to their Account
Create a Managed Mobile profile for the user, and have them set an account password.
It is not meant for Mac OS versions earlier than 10.12.3.