
FileVault and Keychain

What happens when FileVault is enabled? Does the SmartCard decrypt the machine with the PIN, or do users have to enter a password to unlock and then MFA to actually log in? Obviously FV can only work with local/mobile users, since decryption is required before networking/AD services can start up, so how does that affect the AD integration?

Also, does the login keychain still require a password?

macOS High Sierra (10.13.3)

Posted on Mar 9, 2018 7:00 AM

2 replies

Mar 12, 2018 4:19 AM in response to zfJames

Oh yeah, not by default for sure. My comment was meant to accompany this article: Configure macOS for smart card-only authentication - Apple Support.

I actually figured it out. You can set the DisableFDEAutoLogin key to "true" in com.apple.loginwindow, either through Configuration Profiles or the defaults command. That allows FV to be decrypted by a user's password but then stop at Login Window, which can then connect to AD or view mobile accounts but can be configured to require SmartCard authentication.
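
The Configuration Profile route mentioned in the reply above, as an added example that is not part of the original posts: it builds an unsigned profile carrying DisableFDEAutoLogin in a com.apple.loginwindow payload and checks that a given profile really sets it. The com.example.constructed identifiers, display names and function names are assumptions made for illustration.

```python
import plistlib
import uuid

LOGINWINDOW_DOMAIN = "com.apple.loginwindow"


def build_profile(org_id="com.example.constructed"):
    """Return unsigned .mobileconfig bytes that set DisableFDEAutoLogin to true."""
    payload = {
        "PayloadType": LOGINWINDOW_DOMAIN,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.loginwindow.fde",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Login Window: stop after FileVault unlock",
        "DisableFDEAutoLogin": True,  # the key named in the reply
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org_id}.fde-autologin",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Disable FileVault auto-login",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def fde_autologin_disabled(profile_bytes):
    """True only if a com.apple.loginwindow payload sets the key to a plist boolean true."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != LOGINWINDOW_DOMAIN:
            continue  # key in another payload type does not count
        # Strict check: this function accepts only <true/>, not a string value.
        if payload.get("DisableFDEAutoLogin") is True:
            return True
    return False


if __name__ == "__main__":
    data = build_profile()
    print(data.decode())
    print("DisableFDEAutoLogin set:", fde_autologin_disabled(data))
```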
