← Back to Apple macOS 26 (Tahoe) Security Technical Implementation Guide

V-277151

CAT II (Medium)

The macOS system must allow smart card authentication.

Rule ID

SV-277151r1148905_rule

STIG

Apple macOS 26 (Tahoe) Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000187 CCI-000765 CCI-000766 CCI-001941 CCI-001953

Discussion

Smart card authentication must be allowed. Using smart card credentials facilitates standardization and reduces the risk of unauthorized access. When enabled, the smart card can be used for login, authorization, and screen saver unlocking. Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000376-GPOS-00161

Check Content

Verify the macOS system is configured to allow smart card authentication with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('allowSmartCard').js
EOS

If the result is not "true", this is a finding.

Fix Text

Configure the macOS system to enforce multifactor authentication by installing the "com.apple.security.smartcard" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.