Files
apple_device-management/mdm/profiles/com.apple.security.smartcard.yaml
Cyrus Daboo 97a11a861f Seed2
2026-06-22 15:55:19 -04:00

86 lines
2.7 KiB
YAML

title: SmartCard
description: The payload that configures a smart card.
payload:
payloadtype: com.apple.security.smartcard
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: 10.12.4
multiple: false
devicechannel: true
userchannel: false
requiresdep: false
userapprovedmdm: false
allowmanualinstall: true
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
content: Restrictions and settings for smart card pairing on macOS
payloadkeys:
- key: UserPairing
type: <boolean>
presence: optional
default: true
content: If `false`, users don't get the pairing dialog, although existing pairings
still work.
- key: allowSmartCard
type: <boolean>
presence: optional
default: true
content: If `false`, the system disables smart cards for logins, authorizations,
and screen saver unlocking. It's still allowed for other functions, such as signing
emails and accessing the web. The device requires a restart for a setting change
to take effect.
- key: checkCertificateTrust
type: <integer>
presence: optional
rangelist:
- 0
- 1
- 2
- 3
default: 0
content: |-
Configures the certificate trust check and has one of the following possible values:
- `0`: Turns off certificate trust check.
- `1`: Turns on certificate trust check. The device performs a standard validity check but doesn't include additional revocation checks.
- `2`: Turns on certificate trust check. The device also performs a soft revocation check. Until CRL/OCSP explicitly rejects the certificate, the device considers it valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed.
- `3`: Turns on certificate trust check. The device also performs a hard revocation check. Unless CRL/OCSP explicitly says "This certificate is OK," the device considers it invalid. This option is the most secure.
- key: oneCardPerUser
type: <boolean>
presence: optional
default: false
content: If `true`, a user can pair with only one smart card, although existing
pairings are allowed if already set up.
- key: tokenRemovalAction
supportedOS:
macOS:
introduced: 10.13.4
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If `1`, the device enables the screen saver when the user removes the smart
card.
- key: enforceSmartCard
supportedOS:
macOS:
introduced: 10.13.2
type: <boolean>
presence: optional
default: false
content: If `true`, a user can only log in or authenticate with a smart card.
examples:
- title: Profile example
files:
- file: examples/mdm/profiles/com.apple.security.smartcard/example1.plist