Information
Smartcard authentication MUST be enforced.
The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
When enforceSmartCard is set to "true", the smartcard must be used for login, authorization, and unlocking the screensaver.
CAUTION: enforceSmartCard applies to the whole system. No user will be able to log in with a password unless the profile is removed or the user is exempt from smartcard enforcement.
NOTE: enforceSmartCard requires allowSmartCard to be set to true in order to work.
Solution
This is implemented by a Configuration Profile.
mobileconfig profile info:
com.apple.security.smartcard:
    enforceSmartCard: True
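One way to check a profile for this setting before deployment, as an added example that is not part of the original audit item: it parses a .mobileconfig body and reports when enforceSmartCard is missing or not a boolean true, or when allowSmartCard is explicitly false. The function names, the sample identifiers and UUIDs, and the choice not to flag an absent allowSmartCard key are assumptions of this example.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.security.smartcard"


def build_profile(settings):
    """Constructed sample: a minimal profile with one smartcard payload."""
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.smartcard",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
    }
    payload.update(settings)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_smartcard_profile(data):
    """Return a list of findings; an empty list means the profile passes."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no %s payload in profile" % PAYLOAD_TYPE]
    findings = []
    for p in payloads:
        # Must be a plist boolean true; the string "true" does not count.
        if p.get("enforceSmartCard") is not True:
            findings.append("enforceSmartCard is not set to true")
        # Assumption: only an explicit false is flagged, not an absent key.
        if p.get("allowSmartCard") is False:
            findings.append("allowSmartCard is false, so enforcement cannot work")
    return findings


if __name__ == "__main__":
    for settings in ({"enforceSmartCard": True, "allowSmartCard": True},
                     {"enforceSmartCard": True, "allowSmartCard": False},
                     {"enforceSmartCard": "true"}):
        print(settings, audit_smartcard_profile(build_profile(settings)) or "PASS")
```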
Item Details
Category: IDENTIFICATION AND AUTHENTICATION, MAINTENANCE
References: 800-53|IA-2, 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-2(6), 800-53|IA-2(8), 800-53|IA-2(11), 800-53|IA-2(12), 800-53|IA-5(2), 800-53|IA-5(2)(c), 800-53|MA-4c., CCE|CCE-84727-7, CCI|CCI-000187, CCI|CCI-000765, CCI|CCI-000766, CCI|CCI-000767, CCI|CCI-000768, CCI|CCI-000877, CCI|CCI-001948, STIG-ID|AOSX-15-003020
Control ID: 1da1d289240e0ef765f358b7180bd9b416ae6675db315cb86cca17639d9ea372