mirror of
https://github.com/apple/device-management.git
synced 2026-07-12 05:46:34 +02:00
86 lines
2.7 KiB
YAML
86 lines
2.7 KiB
YAML
title: SmartCard
|
|
description: The payload that configures a smart card.
|
|
payload:
|
|
payloadtype: com.apple.security.smartcard
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: 10.12.4
|
|
multiple: false
|
|
devicechannel: true
|
|
userchannel: false
|
|
requiresdep: false
|
|
userapprovedmdm: false
|
|
allowmanualinstall: true
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
content: Restrictions and settings for smart card pairing on macOS
|
|
payloadkeys:
|
|
- key: UserPairing
|
|
type: <boolean>
|
|
presence: optional
|
|
default: true
|
|
content: If `false`, users don't get the pairing dialog, although existing pairings
|
|
still work.
|
|
- key: allowSmartCard
|
|
type: <boolean>
|
|
presence: optional
|
|
default: true
|
|
content: If `false`, the system disables smart cards for logins, authorizations,
|
|
and screen saver unlocking. It's still allowed for other functions, such as signing
|
|
emails and accessing the web. The device requires a restart for a setting change
|
|
to take effect.
|
|
- key: checkCertificateTrust
|
|
type: <integer>
|
|
presence: optional
|
|
rangelist:
|
|
- 0
|
|
- 1
|
|
- 2
|
|
- 3
|
|
default: 0
|
|
content: |-
|
|
Configures the certificate trust check and has one of the following possible values:
|
|
|
|
- `0`: Turns off certificate trust check.
|
|
- `1`: Turns on certificate trust check. The device performs a standard validity check but doesn't include additional revocation checks.
|
|
- `2`: Turns on certificate trust check. The device also performs a soft revocation check. Until CRL/OCSP explicitly rejects the certificate, the device considers it valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed.
|
|
- `3`: Turns on certificate trust check. The device also performs a hard revocation check. Unless CRL/OCSP explicitly says "This certificate is OK," the device considers it invalid. This option is the most secure.
|
|
- key: oneCardPerUser
|
|
type: <boolean>
|
|
presence: optional
|
|
default: false
|
|
content: If `true`, a user can pair with only one smart card, although existing
|
|
pairings are allowed if already set up.
|
|
- key: tokenRemovalAction
|
|
supportedOS:
|
|
macOS:
|
|
introduced: 10.13.4
|
|
type: <integer>
|
|
presence: optional
|
|
rangelist:
|
|
- 0
|
|
- 1
|
|
default: 0
|
|
content: If `1`, the device enables the screen saver when the user removes the smart
|
|
card.
|
|
- key: enforceSmartCard
|
|
supportedOS:
|
|
macOS:
|
|
introduced: 10.13.2
|
|
type: <boolean>
|
|
presence: optional
|
|
default: false
|
|
content: If `true`, a user can only log in or authenticate with a smart card.
|
|
examples:
|
|
- title: Profile example
|
|
files:
|
|
- file: examples/mdm/profiles/com.apple.security.smartcard/example1.plist
|