
Note: THIS INFORMATION APPLIES ONLY TO MACOS MOJAVE SYSTEMS

Please note, this information only applies to macOS 10.14.x versions.


Warning

Please do not forget to back up your system before starting!




1) Activating the screen saver when smart card will be removed

There are a couple of options we can use to further improve OS security with regards to using smart cards, and these can be found in System Preferences, in the Security & Privacy pane.


[Screenshot: Security & Privacy pane]

The first is to set Require password immediately so that you are always prompted to authenticate when returning from the screen saver or from sleep. The second setting is found by clicking the padlock, then the Advanced button; it is the tick box marked Turn on screen saver when login token is removed. This is shown below.

[Screenshot: Advanced security options with "Turn on screen saver when login token is removed"]

It is worth noting that this option only appears after a smart card device has been paired to a macOS user. The combination of those two settings will cause your Mac to lock automatically and immediately require the password (and only from the smart card!) before letting you back in.

2) Disable FileVault2 (Hard Drive Encryption) password passthrough configuration

By default, when a user enters their password to decrypt the FileVault disk at boot, this password is passed through to the login window and a smart card is not used for login. To enable smart card login, this must be changed so that FileVault2 still accepts the user's password at boot, but the smart card is then required to log in to macOS.

For this change, the following command must be issued by a user with system administrator privileges in a Terminal session:

$ sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES


Note

In our research, only when the DisableFDEAutoLogin value was configured to YES were we able to activate the screensaver when a smart card was removed from the AirID.
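To verify that a Mac has the settings from steps 1 and 2 applied, here is an added audit script (not part of the original page). DisableFDEAutoLogin is the key given above; askForPassword, askForPasswordDelay and tokenRemovalAction are assumed to be the preference keys behind the two Security & Privacy checkboxes, so verify them on your own system. audit_values works on supplied values so it can be tried anywhere; audit_live reads the real values with defaults on macOS.

```shell
#!/bin/sh
# Added audit helper, not from the original page. Keys other than
# DisableFDEAutoLogin are assumptions (verify locally).

# check_setting NAME ACTUAL EXPECTED: print one result line; 0 = compliant
check_setting() {
  name=$1; actual=$2; expected=$3
  if [ "$actual" = "$expected" ]; then
    printf 'OK    %s = %s\n' "$name" "$actual"
    return 0
  fi
  printf 'FAIL  %s = %s (expected %s)\n' "$name" "${actual:-<unset>}" "$expected"
  return 1
}

# audit_values FDE ASK DELAY TOKEN: audit four values as printed by `defaults read`
# (booleans print as 1/0). Return value = number of non-compliant settings.
audit_values() {
  fails=0
  check_setting DisableFDEAutoLogin "$1" 1 || fails=$((fails + 1))  # step 2
  check_setting askForPassword      "$2" 1 || fails=$((fails + 1))  # step 1, require password
  check_setting askForPasswordDelay "$3" 0 || fails=$((fails + 1))  # step 1, immediately
  check_setting tokenRemovalAction  "$4" 1 || fails=$((fails + 1))  # step 1, screen saver on removal
  return "$fails"
}

# read_default DOMAIN KEY: print the value, or nothing if the key is unset
# (`defaults read` exits non-zero for a missing key, which we treat as unset)
read_default() {
  defaults read "$1" "$2" 2>/dev/null || true
}

# audit_live: read the real values on macOS and audit them
audit_live() {
  audit_values \
    "$(read_default /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin)" \
    "$(read_default com.apple.screensaver askForPassword)" \
    "$(read_default com.apple.screensaver askForPasswordDelay)" \
    "$(read_default com.apple.screensaver tokenRemovalAction)"
}
```

Run audit_live on the Mac in question; a non-zero exit status means at least one of the settings above is still at its default.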


Final Words

That neatly locks your Mac to only allow authentication from the PIN on your Smart Card for login and screensaver. A lot of this stuff is provided for information, and at some point I’ll probably think of a script or two to automate most of this. However this should be enough to get you all going for now.