The macOS system must allow smart card authentication.

STIG ID: APPL-14-003030  |  SRG: SRG-OS-000068-GPOS-00036 | Severity: medium |  CCI: CCI-000187,CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-001941,CCI-001953

Vulnerability Discussion

Smart card authentication must be allowed.

The use of smart card credentials facilitates standardization and reduces the risk of unauthorized
access.

When enabled, the smart card can be used for logon, authorization, and screen saver unlocking.

Satisfies:
SRG-OS-000068-GPOS-00036,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000376-GPOS-00161

Check

Verify the macOS system is configured to allow smart card authentication with the
following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('allowSmartCard').js
EOS

If the result is not "true", this is a finding.

Fix

Configure the macOS system to enforce multifactor authentication by
installing the "com.apple.security.smartcard" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided
with the STIG before applying the configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.