The release of macOS Sierra 10.12 marks a new beginning for smart card users, as Apple has taken a step towards support for PIV compatible smart cards without requiring any vendor software or drivers to be installed.
View video: https://vimeo.com/181838502
Use the YubiKey PIV Manager to pair your YubiKey with macOS Sierra logins.
YubiKey PIV Manager for Windows authentication (requires a domain login) to establish an active connection to the Windows Certification Authority, set and change PINs and Personal Unlocking Keys (PUKs), request certificates from a Certification Authority, manage certificates, and reset the PIV applet.
Use the Yubico PIV Tool, with the command line interface, to administer a PIV-enabled YubiKey. This tool is intended for system administrators or more advanced users.
- Download and install YubiKey PIV Manager 1.4.0 or later on your Mac, running macOS Sierra (10.12).
- Open the YubiKey PIV Manager application and insert a YubiKey 4, YubiKey 4 Nano, YubiKey NEO, or YubiKey NEO-n into a USB port. Note that YubiKeys work with most USB-C adapters.
- If your YubiKey has not been set up previously with YubiKey PIV Manager, you will be prompted to create a new PIN. If your YubiKey has been set up previously with YubiKey PIV Manager, navigate to Setup for macOS, click Yes, and follow the prompts.
- Use a 6-8 digit number for your new PIN and note it for future reference. Do not use letters or other characters in your PIN for use with macOS Sierra.
- We recommend you leave the other options at their default setting. For more information about the Management Key, see the YubiKey PIV Manager User’s Guide.
- When prompted, remove and re-insert the YubiKey to begin the pairing process.
- To begin the Smartcard Pairing, click Pair.
- To allow pairing, enter your Mac User Name and Password.
- Enter the PIN you created in step 3.
- When prompted, enter your login keychain password.
Removing the Smart Card Pairing from macOS
$ sc_auth list [username] (for example, if your account name is John, run “sc_auth list john”). ## Highlight and copy (Command+C) the hash listed for your user. $ sc_auth unpair -h [hash]
Remove all paired smart cards for a single user
$ sc_auth unpair -u [username] (for example, if your account name is John, run “sc_auth unpair john”). $ sc_auth unpair -u $(whoami)
Turn off the pairing user interface in macOS
$ sc_auth pairing_ui -s disable
- https://www.yubico.com/support/knowledge-base/categories/articles/piv-tools/ - Knowledge Base > Downloads > PIV Tools
- https://www.yubico.com/support/knowledge-base/categories/articles/how-to-use-your-yubikey-with-macos-sierra/ - Knowledge Base > How To > How To Use Your YubiKey with macOS Sierra
- https://www.yubico.com/2016/09/yubikey-smart-card-support-for-macos-sierra-2/ - YUBIKEY SMART CARD SUPPORT FOR MACOS SIERRA
- https://support.yubico.com/support/solutions/articles/15000006468 - Using Your YubiKey as a Smart Card in macOS