Re: [SmartcardServices-Users] [Non-DoD Source] SmartcardServices-Users Digest, Vol 68, Issue 1
Hi Shawn,

I have a long standing bug in the OS where I can't unlock the Security & Privacy Pane if my CAC is inserted in the machine. It asks for the PIN and the graphic shows it unlocking like it's supposed to, but then it immediately locks up again. This makes it impossible to get to the Advanced tab.

I do use the command line to set tokenRemovalAction to 1, as you stated below, and it works flawlessly on my network accounts, but on Mobile accounts, despite the setting being correct, it will lock the screen when the token is removed, but when going to unlock it, it wants the password and not the PIN.

I even verified this by creating an account and logging in to a client machine without letting it create the home directory on the client machine. Everything worked as it should. CAC removal caused the screen to lock, and the CAC PIN could unlock the screen. Logged out and back in, letting it create the home directory on the client machine, and then the CAC could no longer unlock the screen saver.

What happened? Apple has gone from having the best out of the box smart card support in the industry to what is being called the worst on "howto" websites.

Thank you,
John

__________________________________________

Message: 2
Date: Tue, 22 Mar 2016 21:47:02 -0700
From: Shawn Geddis <geddis@icloud.com>
To: "Lance Terada, CTR" <lance.terada.ctr@mhpcc.hpc.mil>
Cc: SmartCard Services-Users <smartcardservices-users@lists.macosforge.org>
Subject: Re: [SmartcardServices-Users] Activate screensaver with token
Message-ID: <F20B3017-984D-4DD3-B8C4-024A840ECE5B@icloud.com>
Content-Type: text/plain; charset="utf-8"

On Mar 22, 2016, at 6:09 PM, Lance Terada, CTR <lance.terada.ctr@mhpcc.hpc.mil> wrote:

Hello,

Does anyone know how to configure activating the screensaver after pulling your token out of the CAC reader?

Lance,

If you already have enabled use of smartcards for login, you can simply click on the “Advanced…” tab at the lower right-hand corner.

    System Preferences -> Security & Privacy -> Advanced…

This could be scripted with the following commands (Replace <username> with the actual account name):

(This ends up being the easiest syntax for many)

    sudo /usr/libexec/PlistBuddy -c "Add :tokenRemovalAction integer 1" /Users/<username>/Library/Preferences/com.apple.screensaver.plist
    sudo /usr/libexec/PlistBuddy -c "Add :askForPassword integer 1" /Users/<username>/Library/Preferences/com.apple.screensaver.plist
    sudo /usr/libexec/PlistBuddy -c "Add :askForPasswordDelay integer 0" /Users/<username>/Library/Preferences/com.apple.screensaver.plist

You can also READ what the settings are using 'defaults':

    $ sudo defaults read /Users/<username>/Library/Preferences/com.apple.screensaver

Which would give you the following:

    {
        askForPassword = 1;
        askForPasswordDelay = 0;
        tokenRemovalAction = 1;
    }

- Shawn
_____________________________________________________________________
Shawn Geddis geddis@{Mac | Me | iCloud}.com
Security and Certifications Engineer, Apple geddis@apple.com

Smart Card Services Project/Dev Lead:
Project Wiki: [SmartCardServices.MacOSFforge.Org <http://smartcardservices.macosfforge.org/>]
Mailing Lists: [Lists.MacOSForge.Org/mailman/listinfo <http://lists.macosforge.org/mailman/listinfo>]
SCS Contact: [scs-cotact@macosforge.org <mailto:scs-cotact@macosforge.org>]
SCS Admin: [scs-admin@macosforge.org <mailto:scs-admin@macosforge.org>]
_____________________________________________________________________

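
An added example, not part of the original messages: a Python check that reads a com.apple.screensaver.plist (XML or binary) and reports whether the three keys set by the commands above hold the values those commands write. The function names and the sample plists are constructed for illustration, and treating a non-integer value as a finding is an assumption of this check.

```python
import plistlib
import sys
from xml.parsers.expat import ExpatError

# Values written by the PlistBuddy commands in the message above.
EXPECTED = {"tokenRemovalAction": 1, "askForPassword": 1, "askForPasswordDelay": 0}

def audit_screensaver_plist(data: bytes) -> dict:
    """Map each expected key to (status, actual_value).

    status is ok, missing, mismatch, wrong-type or unreadable.
    """
    try:
        prefs = plistlib.loads(data)  # handles XML and binary plists
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        prefs = None
    if not isinstance(prefs, dict):
        return {key: ("unreadable", None) for key in EXPECTED}
    findings = {}
    for key, want in EXPECTED.items():
        if key not in prefs:
            findings[key] = ("missing", None)
            continue
        actual = prefs[key]
        # Assumption of this check: only a plist <integer> counts, because
        # the commands above add the keys with type "integer". bool is a
        # subclass of int in Python, so it is excluded explicitly.
        if isinstance(actual, bool) or not isinstance(actual, int):
            findings[key] = ("wrong-type", actual)
        elif actual != want:
            findings[key] = ("mismatch", actual)
        else:
            findings[key] = ("ok", actual)
    return findings

def is_compliant(findings: dict) -> bool:
    return all(status == "ok" for status, _ in findings.values())

# Constructed sample inputs (not taken from a real machine).
SAMPLE_OK = plistlib.dumps(dict(EXPECTED), fmt=plistlib.FMT_BINARY)
SAMPLE_BAD = plistlib.dumps({"askForPassword": True, "askForPasswordDelay": 5})

if __name__ == "__main__":
    # Usage: python3 check.py /Users/<username>/Library/Preferences/com.apple.screensaver.plist
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BAD
    result = audit_screensaver_plist(raw)
    for key, (status, actual) in result.items():
        print(f"{key}: {status} (value: {actual!r})")
    sys.exit(0 if is_compliant(result) else 1)
```

The script exits non-zero when any key is missing or differs, so it can be run per user from a management tool.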
participants (1)
-
Daly, John L CIV NAVAIR, 4G0000D