Announcement: Upgrade to macOS Mojave

With features like Dark Mode, Stacks, and four new built-in apps, macOS Mojave helps you get more out of every click. 
Find out how to upgrade to macOS Mojave >

Related Article

Configure macOS for smart card-only authentication

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.


Question: FileVault and Keychain

What happens when FileVault is enabled? Does the SmartCard decrypt the machine with the PIN or do users have to enter a password to unlock and then MFA to actually log in? Obviously FV can only work with local/mobile users since decryption is required before networking/AD services can start up so how does that affect the AD integration?

Also does the login keychain still require a password?

macOS High Sierra (10.13.3)

Posted on


Page content loaded

Mar 12, 2018 4:19 AM in response to zfJames In response to zfJames

Oh yeah not by default for sure. My comment was meant to accompany this article: Configure macOS for smart card-only authentication - Apple Support.

I actually figured it out. You can set the DisableFDEAutoLogin key to "true" in either through Configuration Profiles or the defaults command. That allows FV to be decrypted by a user's password but then stop at Login Window which can then connect to AD or view mobile accounts but can be configured to require SmartCard authentication.

Mar 12, 2018 4:19 AM

Reply Helpful
User profile for user: noahfromcambridge

Question: FileVault and Keychain