

Local Account Pairing - This method pairs a smart card to the local macOS user account and requires its use for desktop authentication. No domain or Kerberos architecture is needed.

Windows Domain User Account - For a Windows domain-joined device, an agency can map smart card attributes to an Active Directory account.

Agencies may additionally choose a machine- or user-based enforcement which disables all password-based authentication. This method involves creating a plist configuration file and disabling local pairing on the macOS device.

Machine-Based Enforcement (MBE): This implementation removes the option for password-based authentication in favor of smart card-only authentication for any account accessible by the macOS device (local or network).

User-Based Enforcement (UBE): This implementation creates an exception to smart card-only authentication for specific users or groups of users (e.g., network admins, device admins, and individuals waived from smart card requirements).

This Apple Platform Deployment guide provides some additional detail on MBE vs. UBE. Additional details on Windows authentication enforcement models can be found here.

Local Account Pairing is a user-prompted process. Insert the PIV card into a card reader connected to the macOS device. A series of prompts direct the user to pair the PIV card to the local account. See this Apple Platform Deployment guide for more information on local account pairing.
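As an added illustration that is not part of this guide, the script below emits the Machine-Based Enforcement settings for Apple's com.apple.security.smartcard preference domain (the enforceSmartCard, allowSmartCard and UserPairing keys Apple documents) and audits an existing plist for settings that leave password fallback or local pairing in place. The audit rules and the sample plists are constructed here for illustration.

```python
"""Build the MBE smart-card settings and audit a plist for leftover password fallback."""
import plistlib

# Apple's preference domain for smart card policy; the on-disk file is
# /Library/Preferences/com.apple.security.smartcard.plist (path for reference only).
DOMAIN = "com.apple.security.smartcard"


def mbe_settings():
    """Machine-Based Enforcement: smart card only, local pairing prompt disabled."""
    return {
        "allowSmartCard": True,     # smart card logon stays permitted
        "enforceSmartCard": True,   # removes password-based logon for every account
        "UserPairing": False,       # suppresses the local account pairing prompt
    }


def to_plist(settings):
    """Serialise settings as XML plist bytes, the format the guide's plist step produces."""
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML)


def audit(plist_bytes):
    """Return findings where the plist falls short of smart card-only authentication."""
    cfg = plistlib.loads(plist_bytes)
    findings = []
    if not cfg.get("allowSmartCard", True):          # Apple default: true
        findings.append("allowSmartCard is false: smart card logon is disabled entirely")
    if not cfg.get("enforceSmartCard", False):       # Apple default: false
        findings.append("enforceSmartCard missing or false: password authentication still allowed")
    elif cfg.get("UserPairing", True):               # Apple default: true
        findings.append("UserPairing still true: local pairing not disabled as the MBE procedure requires")
    return findings


# Constructed sample: enforcement never turned on (password logon remains).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>allowSmartCard</key><true/>
<key>enforceSmartCard</key><false/>
</dict></plist>"""

# Constructed sample: enforcement on, but the pairing prompt was left enabled.
PARTIAL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>enforceSmartCard</key><true/>
<key>UserPairing</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(to_plist(mbe_settings()).decode())
    for name, sample in (("weak", WEAK_PLIST), ("partial", PARTIAL_PLIST)):
        print(name, audit(sample))
```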

