Smart card–only authentication using user-based enforcement?

Hi,

I've got a Yubikey 5C and a "smartcard–only authentication using machine-based enforcement". Works like clockwork with the right .mobileconfig profile.


I also have another user on my MacBook Air (M1, 2020) which now, logically, should have to use the smartcard as well. The problem that occurred is that only user1 is asked for the smartcard and user2 has no way to be selected in the Sonoma login screen. Somehow that sounds like a good thing: having a smartcard in place doesn't allow you to access another user's account. But ... if it's machine based, both users should be able to use the same smartcard to access their user environment. I suspect the problem to be that if I install the .mobileconfig profile within one user account, I cannot install it in the other. I tested: the file works in both accounts separately, so I can also make only user2 able to use the smartcard, but then user1 cannot access his account. Both users have the smartcard enabled.


I found this article from Apple on how to configure "smart card–only authentication using user-based enforcement". That would give me the possibility to exclude user2 from having to use the smartcard and can logon to their environment with a password.


Since I'm self-employed I don't have a development or ICT department at my disposal. I'm my own admin, web builder, accountant, assistant etc. Therefore my Mac has two user accounts: one private (with own Apple ID with family sync) and one work account (with own Apple ID) which has to be secured due to privacy-sensitive information. I'm not a web developer though so help on this would be appreciated.


So finally my question: I suspect the coding for the user-based enforcement should be in the .mobileconfig file but I don't know where. Or how do I get both user accounts accessible with the use of one smartcard in Sonoma?


Thanx, Marjolijn


Posted on Oct 7, 2023 12:46 AM

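Whether a profile installed from one account reaches the other depends on which accounts the profile is scoped to. As an added example (not the poster's profile and not Apple's code), a small Python inspector that reads a constructed .mobileconfig and reports its PayloadScope together with the com.apple.security.smartcard settings; the identifiers and UUIDs in the sample are placeholders.

```python
import plistlib

# Constructed sample .mobileconfig (not the poster's file); identifiers and
# UUIDs are placeholders. It carries one com.apple.security.smartcard payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>User</string>
  <key>PayloadIdentifier</key><string>example.smartcard.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.smartcard</string>
      <key>PayloadIdentifier</key><string>example.smartcard.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>enforceSmartCard</key><true/>
      <key>UserPairing</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

SMARTCARD_PAYLOAD = "com.apple.security.smartcard"

def inspect_profile(data: bytes) -> dict:
    """Report the scope and smart card settings of a .mobileconfig.
    PayloadScope decides who the profile applies to: User (the documented
    default when the key is absent) binds it to the installing account, System
    applies it to every account. Setting defaults follow Apple's payload docs."""
    profile = plistlib.loads(data)
    scope = profile.get("PayloadScope", "User")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SMARTCARD_PAYLOAD]
    if not payloads:
        return {"scope": scope, "smartcard_payload": False}
    p = payloads[0]  # one smart card payload per profile is the usual case
    return {
        "scope": scope,
        "smartcard_payload": True,
        "enforceSmartCard": bool(p.get("enforceSmartCard", False)),
        "allowSmartCard": bool(p.get("allowSmartCard", True)),
        "UserPairing": bool(p.get("UserPairing", True)),
        "machine_wide": scope == "System",
    }
```

Run it against the installed profile's file to see whether enforcement is scoped to the Mac or to one account; a User-scoped profile only governs the account that installed it.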


7 replies

Oct 7, 2023 8:55 AM in response to MPM23

Here, I’d probably use a separate macOS install in a second partition, or a second install on a second bootable device, or run one of the two environments as a guest in a virtual machine, or acquire a second Mac.


A little related history: in higher-security environments such as defense or military or classified environments, you’re trying to run what would be called “multi-level” or “compartmented” security on this Mac, and that gets gnarly to set up and manage and even to use. Various major vendors tried to build multi-level security systems in the 1990s too (MLS was a thing in US classified and defense environments back then), and they all basically gave up. Most customers—when faced with that requirement—decided to run multiple so-called system-high environments.


Running two environments is obviously more work to upgrade, but means you can choose when to upgrade each environment. Install only what is needed in the higher-security environment, which reduces what can be attacked.


Ensure your entire sensitive install is encrypted with FileVault (T2 or later works very well here), and ensure your backups are encrypted as well. If you have a T2 or later Mac, that works with the internal storage only, but does not assist with the performance of encrypting external storage. That’s done through software.


In short, a second Mac is probably going to be cheaper, in terms of your own time and effort, and easier to secure.

Oct 8, 2023 10:25 AM in response to MPM23

A guest or a partition or separate storage is easier to manage and maintain at the IT scale you’re operating at here.


I am familiar with and develop for and manage enterprise servers and networks, have developed operating system code and tooling for non-discretionary security environments (mandatory access controls), and would not follow your current path of trying to compartment the data.


Maintaining separation over the lifetime of the data is hard. It’s far easier to entirely dispose of the (isolated) data here for instance, if or when that erasure becomes necessary. Nuke the guests or partitions, and nuke the backups, and the data is (probably) gone.


If you do decide to continue upon your current path, Apple has added security key support for Apple ID, and security keys also work for macOS logins.


Oct 8, 2023 12:12 PM in response to MPM23

That Apple support article doesn't say anything about mobileconfig files. It says MDM or sudo defaults hack. It sounds like you are trying to fake out an MDM with a mobileconfig file. Sounds like it doesn't work.


I recommend using the standard procedure documented in that article.


Also, you sound like you've had extraordinarily good luck so far. Smartcard login is something that regularly breaks with each major, and often minor, software release.

Oct 9, 2023 12:05 AM in response to MrHoffman

Thank you. Partitioning would be something I can do. The basic issue is that I have just one database app (Ninox) which contains the sensitive data (besides my business administration). Since it's an app, it will automatically store the actual database in the Library folder. Ninox has no possibility to change that (that was the first attempt and would be the most simple solution, as my database could run from an encrypted external HD). A standalone setup wasn't possible because I need to have internet access for billing and doing my taxes. FileVault would be the second best but it has no 2FA. I need the 2FA due to EU privacy laws. The third solution would have been logging in on my Mac with my password/fingerprint and Apple then giving me an authentication code through a second device (iPhone). As I understood that doesn't exist for Mac, only for AppleID. A smartcard is therefore the last resort.


Now I got a Yubikey 5C which works like clockwork. I only had some struggles writing the mobileconfig (for the smartcard only-login). I fixed that and that all now works very well ... for just one user. The other user is no longer accessible unless I remove the mobileconfig from the profiles. That was the trigger to pose a question on this forum.


Although partitioning is a great solution, I decided to make it easier for myself and combine the two users on my Mac. It's not ideal and I would rather have it differently but it works with the 2FA. Apps were already accessible for both users alike so I only needed some data transferring. Only Apple Contacts is a bummer since it's not possible to "invite" other AppleID accounts to contacts like it does with calendar (although it does work on an iPhone, it doesn't work with a Mac).


If the user-combining gives issues, I'll go for the partitioning. Thank you so much for your generous explanations and answers.

Oct 8, 2023 12:30 AM in response to MrHoffman

Thank you for your answer. I understand what you're saying: full security for one user on a machine with two users is a lot of work. Is it also a possibility to secure the whole Mac with the two users as it is a machine based authentication? Since I'm the only one using this Mac, I don't mind using the security key for both accounts. And yes, I do backup to encrypted external storage.


Is it also that the article I linked (with the possibility to make the smartcard user based) has become obsolete after all the updates this year?

Oct 9, 2023 12:20 AM in response to etresoft

Thank you for your response. You are right: that's what I tried without knowing all the details but it was worth the try. As I answered MrHoffman, I'll make it easy for myself and combine (a bit reluctantly) the two user accounts on my Mac so I can use the smartcard and have both the setups.


It could be luck, I don't know. I've installed the smartcard first with Ventura before I updated to Sonoma and in both environments the smartcard works great for one user account. I also have a backup key for just-in-case.


If I can't get in anymore, I'll remove the profile in recovery mode.

Oct 9, 2023 9:09 AM in response to MPM23

MPM23 wrote:

The third solution would have been logging in on my Mac with my password/fingerprint and Apple then giving me an authentication code through a second device (iPhone). As I understood that doesn't exist for Mac, only for AppleID. A smartcard is therefore the last resort.


Here, a hardware token—Apple calls those security keys—can provide the second factor for the macOS login, as was discussed above.


You are correct that Apple doesn’t support SMS as the second factor for macOS logins, but—if your data is sufficiently sensitive—you probably don’t want SMS involved in the mix anyway.


Easily and reliably disposing of the data is an oft-neglected but central part of this whole discussion, too. Apps and app removals can leave sensitive data in temporary files or log files or configuration files or keychain or such; in what amounts to detritus. Deleting a partition or deleting a guest deletes all that.
