[SmartcardServices-Users] Activate screensaver with token

Yoann Gini yoann.gini at gmail.com
Fri Mar 25 00:29:56 PDT 2016


> On 24 March 2016 at 20:25, Daly, John L CIV NAVAIR, 4G0000D <john.l.daly at navy.mil> wrote:
> 
> would defaults write com.apple.screensaver tokenRemovalAction 1
> 
> get around the caching issue?  

Yes, as soon as you use defaults to manipulate the user defaults domain, you don’t have any issues with the caching service.

From what I understand, this service is linked with the sandbox. It manages access rights to preference domains (private and shared ones).

The thing is, plist files aren’t directly read by the Cocoa and Carbon APIs. Preferences are read from cfprefsd memory. So killing cfprefsd is needed when you deploy new preferences via file instead of the regular API.

> I note that my accounts do all show tokenRemovalAction 1, and pulling the CAC from the machine causes the screensaver to activate.  It's just when I go to unlock the screensaver, the CAC doesn't work if it's a mobile or local account, only works if it's a network account.

This might be linked to the authentication mechanism and AuthenticationAuthority settings.

If the screen saver activates when you remove the card, this setting is working. If, when you put the card back, the screensaver doesn’t ask for a PIN code, this is linked to authentication.

How do you manage the link between the local account and the smart card in your tests?

What’s the result of those two commands:

dscl /Local/Default read /Users/<mobile_account> AuthenticationAuthority
dscl /Local/Default read /Users/<mobile_account> OriginalAuthenticationAuthority

I’m wondering if authentication caches have the right settings to use smart cards.

I haven’t played with SmartCard on OS X for a long time. I will try to find time to make a new lab setup and write updated documentation for 10.11.

