

Further OS hardening

There are a couple of other options we can set to further improve OS security with regard to Smart Card use; these can be found in System Preferences, in the Security & Privacy pane.


The first is to set Require password immediately so that you are always prompted to authenticate when returning from the screensaver or from sleep. The second setting is found by clicking the padlock, then the Advanced button; it’s the tick box marked Turn on screen saver when login token is removed. This is shown below.

It’s worth noting this option only appears after a smart card device has been paired to a macOS user. The combination of those two settings will cause your Mac to automatically lock and immediately require the password (and only from the Smart Card!) before letting you back in.

FileVault Configuration (Hard Drive Encryption)

By default, when a user enters their password to decrypt the FileVault disk at boot, this password will be passed through and a smart card will not be used for login. To change this so that the user will not automatically be logged in and will be shown the login screen, run the command below in Terminal.

$ sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES


In our research, only when the DisableFDEAutoLogin value was configured to YES were we able to activate the screensaver when a Smart Card was removed from the AirID.
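The author mentions scripting this at some point; as an added example (not part of the original page), here is a small POSIX shell audit that checks the three controls described above. DisableFDEAutoLogin is the key given on the page; the tokenRemovalAction and askForPasswordDelay keys are assumed names for the two Security & Privacy tick boxes and should be verified on the target macOS version.

```shell
#!/bin/sh
# Added audit script (not from the original page). Checks the FileVault
# auto-login setting and the two screensaver settings described above.
# Only DisableFDEAutoLogin comes from the page; the other two key names
# (tokenRemovalAction, askForPasswordDelay) are assumptions.

# read_key DOMAIN KEY: print the stored value, or "unset" when the key is absent.
read_key() {
    defaults read "$1" "$2" 2>/dev/null || echo unset
}

# assess FDE_AUTOLOGIN_DISABLED TOKEN_REMOVAL_ACTION ASK_DELAY
# Pure check over already-read values, so it can be exercised with constructed
# input. Prints one PASS/FAIL line per control and returns 1 if any control fails.
# `defaults read` prints a -bool YES as 1, so 1, YES and true are all accepted.
assess() {
    rc=0
    case "$1" in
        1|YES|true) echo "PASS DisableFDEAutoLogin=$1 (login window shown after FileVault unlock)" ;;
        *) echo "FAIL DisableFDEAutoLogin=$1 (FileVault password auto-logs the user in)"; rc=1 ;;
    esac
    case "$2" in
        1) echo "PASS tokenRemovalAction=$2 (screen saver starts when the card is removed)" ;;
        *) echo "FAIL tokenRemovalAction=$2 (removing the card leaves the session open)"; rc=1 ;;
    esac
    case "$3" in
        0|0.0) echo "PASS askForPasswordDelay=$3 (password required immediately)" ;;
        *) echo "FAIL askForPasswordDelay=$3 (grace period before re-authentication)"; rc=1 ;;
    esac
    return $rc
}

# audit_live: read the real values from this Mac and assess them.
audit_live() {
    assess \
        "$(read_key /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin)" \
        "$(read_key /Library/Preferences/com.apple.security.smartcard tokenRemovalAction)" \
        "$(read_key com.apple.screensaver askForPasswordDelay)"
}

# Run the live audit only when asked, so the file can also be sourced elsewhere.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it as `sh audit.sh --live` on the Mac being hardened; a non-zero exit means at least one of the three controls is not in the state the page describes.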


Final Words

That neatly locks your Mac to only allow authentication from the PIN on your Smart Card for login and screensaver. A lot of this stuff is provided for information, and at some point I’ll probably think of a script or two to automate most of this. However this should be enough to get you all going for now.


Oh, and don’t forget to back up your system before starting!

