Contents

SmartCard

The payload that configures a smart card.

Declaration

object SmartCard

Properties

NameTypeDescription
allowSmartCardboolean

If false, the system disables smart cards for logins, authorizations, and screen saver unlocking. It is still allowed for other functions, such as signing emails and accessing the web. A restart is required for a setting change to take effect.

checkCertificateTrustinteger

Configures the certificate trust check and has one of the following possible values:

  • 0: Turns off certificate trust check.

  • 1: Turns on certificate trust check. A standard validity check is performed but doesn’t include additional revocation checks.

  • 2: Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it’s considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed.

  • 3: Turns on certificate trust check. A hard revocation check is also performed. Unless CRL/OCSP explicitly says “This certificate is OK,” it’s considered invalid. This option is the most secure.

enforceSmartCardboolean

If true, a user can only log in or authenticate with a smart card. Available in macOS 10.13.2 and later.

oneCardPerUserboolean

If true, a user can pair with only one smart card, although existing pairings are allowed if already set up.

tokenRemovalActioninteger

If 1, the system enables the screen saver when the smart card is removed. Available in macOS 10.13.4 and later.

UserPairingboolean

If false, users don’t get the pairing dialog, although existing pairings still work.

Discussion

Specify com.apple.security.smartcard as the payload type.

Profile availability

Device channel

macOS

User channel

NA

Allow manual install

macOS

Requires supervision

NA

Requires user-approved MDM

NA

Allowed in user enrollment

NA

Allow multiple payloads

NA

Profile example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>UserPairing</key>
            <false/>
            <key>allowSmartCard</key>
            <false/>
            <key>checkCertificateTrust</key>
            <false/>
            <key>oneCardPerUser</key>
            <false/>
            <key>tokenRemovalAction</key>
            <integer>1</integer>
            <key>enforceSmartCard</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.example.mysmartcardpayload</string>
            <key>PayloadType</key>
            <string>com.apple.security.smartcard</string>
            <key>PayloadUUID</key>
            <string>88f7336c-d9f6-44d1-b486-11e4080e2223</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>SmartCard</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>85091214-a32f-4131-8b03-0045e5d81c42</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

See Also

Security