Skip to main content

Tips from NASA on how to manage Smart Cards with Jamf Pro

Imagine starting a job with no knowledge whatsoever about Smart Cards or what HSPD-12 means... a situation presenter Allen Golbig of NASA found himself in a little over a year ago!

Well, Golbig sure learns fast, and he’s eager to help others that may have found themselves in the same predicament. In today’s Jamf Nation User Conference (JNUC) session, Golbig dove into what he’s learned about Smart Card support built into macOS, and how to manage Smart Cards using Jamf Pro.

Golbig touched upon Personal Identification Verification (PIV) Mandatory and where the industry is at in terms of enforcement. Machine-based enforcement, where a user is required to use their PIV to authenticate to each device and is managed by mobile device management (MDM), is where NASA is now. However, they’re goal is to head towards user-based enforcement where a user’s network password is removed from their account and managed by MDM and Directory Services.

Local Pairing vs Attribute Mapping

Golbig then talked through the two ways one can associate a Smart Card with a Mac — local pairing (also known as Fixed Key Mapping) versus attribute mapping. Golbig explained how when NASA first started looking into using Apple’s built-in tools, they started with local pairing using sc_auth. There were some downfalls, such as it requires admin rights. Golbig’s team then decided to move to attribute mapping, which works by matching certificate field values with a user’s local record. Cards get lost, stolen, expire, and with attribute mapping, as long as the UPN is consistent across cards, a user does not need to reconfigure their system. This is much better than local pairing, as when a user got a new card, Golbig’s team would have to remove enforcement and re-pair with the new card. Attribute mapping worked better for NASA because of the following:

  • Flexibility
  • Alignment with other platforms
  • Works well with systems that are still AD bound

Using Jamf Pro

Next, Golbig shared the various configuration profiles he uses in Jamf Pro to ensure the log in process with Smart Cards is easy for users. Some of the configuration profiles he uses include:

  • UserPairing
  • allowSmartCard
  • checkCertificateTrust
  • enforceSmartCard
  • tokenRemovalAction

Golbig then showed how Jamf Pro can be used to map and enforce Smart Cards. NASA’s mapping process involves getting the user principal name off the card, appending the UPN to our local user’s directory record with DCSL, and generating /etc/SmartCardLogin.plist. System_profiler in 10.13 added Smart Card information. This includes: readers connected, drivers for readers, tokend and CTK, and most importantly, the certificates on the cards.

How Mojave updates fit in

Apple’s latest macOS update, Mojave, has several features that improve this process.

  • Certificate pinning
  • Performance enhancements
  • No more keychain prompts!

Golbig closed with his wish list of what Apple will include in upgrades in the future, including FileVault, derived credentials, Touch ID to unlock Smart Card after initial unlock and external disk/DMG/archive support. What’s on yours?

For more information on Smart Cards, check out this overview paper.