
Further OS hardening

There are a couple of other options we can set to further improve OS security with regard to using smart cards; these can be found in System Preferences, in the Security & Privacy pane.

...

It’s worth noting that this option only appears after a smart card device has been paired with a macOS user. The combination of those two settings will cause your Mac to lock automatically and immediately require the password (and only from the smart card!) before letting you back in.

FileVault Configuration (Hard Drive Encryption)

By default, when a user enters their password to decrypt the FileVault disk at boot, this password will be passed through and a smart card will not be used for login. To change this so that the user will not automatically be logged in and will be shown the login screen, run the command below in Terminal.

$ sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES


Note

In our research, only when the DisableFDEAutoLogin value was configured to YES were we able to activate the screensaver when a smart card was removed from the AirID.
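A small audit check for this setting, added here as an example and not part of the original page: it assumes only the plist path and key from the command above, and the function and variable names are my own. It reports PASS when DisableFDEAutoLogin is set to YES (so the login window, and therefore the smart card, is required after the FileVault unlock) and otherwise prints the remediation command.

```shell
#!/bin/sh
# Added audit example (not from the original page). Checks whether FileVault
# auto-login is disabled on this Mac, i.e. DisableFDEAutoLogin is YES in
# /Library/Preferences/com.apple.loginwindow. Function names are assumptions.

LOGINWINDOW_PLIST="/Library/Preferences/com.apple.loginwindow"
FDE_KEY="DisableFDEAutoLogin"

# fde_autologin_disabled VALUE
# Normalises what `defaults read` prints for a boolean (1, YES, true) and
# returns 0 when it means "disabled" (compliant), 1 otherwise. An empty VALUE
# (key absent) is non-compliant, because macOS then auto-logs in after unlock.
fde_autologin_disabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' ')" in
        1|yes|true) return 0 ;;
        *)          return 1 ;;
    esac
}

# read_fde_setting
# Prints the current value, or nothing (exit 1) when the key is missing or the
# `defaults` tool is unavailable (i.e. not running on macOS).
read_fde_setting() {
    command -v defaults >/dev/null 2>&1 || return 1
    defaults read "$LOGINWINDOW_PLIST" "$FDE_KEY" 2>/dev/null
}

# audit_fde_autologin
# Prints PASS or FAIL plus the remediation command; exit status mirrors the result.
audit_fde_autologin() {
    value=$(read_fde_setting) || value=""
    if fde_autologin_disabled "$value"; then
        echo "PASS: $FDE_KEY=$value (login window required after FileVault unlock)"
        return 0
    fi
    echo "FAIL: $FDE_KEY is '${value:-unset}'; remediate with:"
    echo "  sudo defaults write $LOGINWINDOW_PLIST $FDE_KEY -bool YES"
    return 1
}

# Run the audit only when explicitly requested, so the file can also be sourced.
if [ "${AUDIT_FDE_RUN:-0}" = "1" ]; then
    audit_fde_autologin
fi
```

Run it on the Mac with `AUDIT_FDE_RUN=1 sh audit_fde.sh`; a non-zero exit means the setting still needs to be applied.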


Final Words

That neatly locks your Mac so that only the PIN on your smart card can authenticate for login and the screensaver. A lot of this is provided for information, and at some point I’ll probably think of a script or two to automate most of it. However, this should be enough to get you all going for now.

...