[SmartcardServices-Users] [Non-DoD Source] SmartcardServices-Users Digest, Vol 68, Issue 1

Daly, John L CIV NAVAIR, 4G0000D john.l.daly at navy.mil
Wed Mar 23 07:56:56 PDT 2016


Hi Shawn,
I have a long-standing bug in the OS where I can't unlock the Security & Privacy Pane if my CAC is inserted in the machine.  It asks for the PIN and the graphic shows it unlocking like it's supposed to, but then it immediately locks up again.  This makes it impossible to get to the Advanced tab.

I do use the command line to set tokenRemovalAction to 1, as you stated below, and it works flawlessly on my network accounts, but on Mobile accounts, despite the setting being correct, it will lock the screen when the token is removed, but when going to unlock it, it wants the password and not the PIN.

I even verified this by creating an account and logging in to a client machine without letting it create the home directory on the client machine.  Everything worked as it should. CAC removal caused the screen to lock, and the CAC PIN could unlock the screen.  Logged out and back in, letting it create the home directory on the client machine, and then the CAC could no longer unlock the screen saver.

What happened?  Apple has gone from having the best out of the box smart card support in the industry to what is being called the worst on "howto" websites.

Thank you,
John
__________________________________________
Message: 2
Date: Tue, 22 Mar 2016 21:47:02 -0700
From: Shawn Geddis <geddis at icloud.com>
To: "Lance Terada, CTR" <lance.terada.ctr at mhpcc.hpc.mil>
Cc: SmartCard Services-Users
        <smartcardservices-users at lists.macosforge.org>
Subject: Re: [SmartcardServices-Users] Activate screensaver with token
Message-ID: <F20B3017-984D-4DD3-B8C4-024A840ECE5B at icloud.com>
Content-Type: text/plain; charset="utf-8"

> On Mar 22, 2016, at 6:09 PM, Lance Terada, CTR <lance.terada.ctr at mhpcc.hpc.mil> wrote:
> Hello,
> Does anyone know how to configure activating the screensaver after pulling your token out of the CAC reader?

Lance,

If you already have enabled use of smartcards for login, you can simply click on the "Advanced…" tab at the lower right-hand corner.

System Preferences -> Security & Privacy -> Advanced…


This could be scripted with the following commands (Replace <username> with the actual account name):
(This ends up being the easiest syntax for many)

sudo /usr/libexec/PlistBuddy -c "Add :tokenRemovalAction integer 1" /Users/<username>/Library/Preferences/com.apple.screensaver.plist
sudo /usr/libexec/PlistBuddy -c "Add :askForPassword integer 1" /Users/<username>/Library/Preferences/com.apple.screensaver.plist
sudo /usr/libexec/PlistBuddy -c "Add :askForPasswordDelay integer 0" /Users/<username>/Library/Preferences/com.apple.screensaver.plist


You can also READ what the settings are using 'defaults':

$ sudo defaults read  /Users/<username>/Library/Preferences/com.apple.screensaver

Which would give you the following:

{
    askForPassword = 1;
    askForPasswordDelay = 0;
    tokenRemovalAction = 1;
}


- Shawn
_____________________________________________________________________
Shawn Geddis                                                            geddis@{Mac | Me | iCloud}.com
Security and Certifications Engineer, Apple                geddis at apple.com

Smart Card Services  Project/Dev Lead:
                                Project Wiki:                     [SmartCardServices.MacOSFforge.Org <http://smartcardservices.macosfforge.org/>]
                                Mailing Lists:                   [Lists.MacOSForge.Org/mailman/listinfo <http://lists.macosforge.org/mailman/listinfo>]
                                SCS Contact:                                       [scs-cotact at macosforge.org <mailto:scs-cotact at macosforge.org>]
                                SCS Admin:                                         [scs-admin at macosforge.org <mailto:scs-admin at macosforge.org>]
_____________________________________________________________________
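
As an added example, not part of Shawn's message: a shell function that checks `defaults read` output against the three values given above and reports any key that is missing or has drifted. The function name and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the three screensaver keys named in the message.
# Reads text in the format printed by `defaults read` on stdin.
# Returns 0 when all three keys have the expected values, 1 otherwise.
audit_screensaver_prefs() {
    awk '
        BEGIN {
            # Expected values, as given in the message above.
            want["tokenRemovalAction"]  = "1"
            want["askForPassword"]      = "1"
            want["askForPasswordDelay"] = "0"
        }
        # Setting lines look like:    key = value;
        /=/ {
            line = $0
            sub(/;[ \t]*$/, "", line)
            split(line, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[ \t"]/, "", key)
            gsub(/[ \t"]/, "", val)
            if (key in want) have[key] = val
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in have)) {
                    printf "MISSING  %s (want %s)\n", k, want[k]; bad++
                } else if (have[k] != want[k]) {
                    printf "DRIFT    %s = %s (want %s)\n", k, have[k], want[k]; bad++
                }
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample (not captured from a real machine):
# the delay has drifted and tokenRemovalAction was never added.
SAMPLE='{
    askForPassword = 1;
    askForPasswordDelay = 5;
}'
printf '%s\n' "$SAMPLE" | audit_screensaver_prefs || echo "non-compliant"

# On a Mac, feed it the real output instead:
#   sudo defaults read /Users/<username>/Library/Preferences/com.apple.screensaver | audit_screensaver_prefs
```

A MISSING line means the corresponding key was never written to the plist; a DRIFT line means the key exists with a different value.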
