![]() User-Based Enforcement (UBE): This implementation creates an exception to smart card-only authentication for specific users or groups of users (e.g., network admins, device admins, and individuals waived from smart card requirements).Machine-Based Enforcement (MBE): This implementation removes the option for password-based authentication in favor of smart card-only authentication for any account accessible by the macOS device (local or network).This method involves creating a plist configuration file and disabling local pairing on the macOS device.Īgencies may additionally choose a machine or user-based enforcement which disables all password-based authentication. Windows Domain User Account - For a windows domain-joined device, an agency can map smart card attributes to an Active Directory account.No domain or Kerberos architecture is needed. This method pairs a smart card to the local macOS user account and requires its use for desktop authentication. Local Account Pairing - For a non-domain joined macOS account, an agency may enable local account pairing.Choose an Authentication OptionĪgencies have two options to enforce smart card authentication in macOS. Enablement of mandatory smart card login for all Mac workstations and laptops within your environment will help align to the NIST SP 800-53 Identification and Authentication family of controls to support FISMA compliance.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |