The release of macOS Sierra 10.12 marks a new beginning for smart card users, as Apple has taken a step towards supporting PIV-compatible smart cards without requiring any vendor software or drivers to be installed.

View video: https://vimeo.com/181838502

Use the YubiKey PIV Manager to pair your YubiKey with macOS Sierra logins.

Use the YubiKey PIV Manager for Windows authentication (requires a domain login) to establish an active connection to the Windows Certification Authority, set and change PINs and Personal Unlocking Keys (PUKs), request certificates from a Certification Authority, manage certificates, and reset the PIV applet.

Use the Yubico PIV Tool from the command line to administer a PIV-enabled YubiKey. This tool is intended for system administrators or more advanced users.

https://www.yubico.com/support/knowledge-base/categories/articles/piv-tools/

Pair

  1. Download and install YubiKey PIV Manager 1.4.0 or later on your Mac, running macOS Sierra (10.12).
  2. Open the YubiKey PIV Manager application and insert a YubiKey 4, YubiKey 4 Nano, YubiKey NEO, or YubiKey NEO-n into a USB port. Note that YubiKeys work with most USB-C adapters.
  3. If your YubiKey has not been set up previously with YubiKey PIV Manager, you will be prompted to create a new PIN. If your YubiKey has been set up previously with YubiKey PIV Manager, navigate to Setup for macOS, click Yes, and follow the prompts.
    • Use a 6-8 digit number for your new PIN and note it for future reference. Do not use letters or other characters in your PIN for use with macOS Sierra.
    • We recommend you leave the other options at their default setting. For more information about the Management Key, see the YubiKey PIV Manager User’s Guide.
  4. When prompted, remove and re-insert the YubiKey to begin the pairing process.
  5. To begin the Smartcard Pairing, click Pair.
  6. To allow pairing, enter your Mac User Name and Password.
  7. Enter the PIN you created in step 3.
  8. When prompted, enter your login keychain password.

Unpair

Removing the Smart Card Pairing from macOS

$ sc_auth list [username]
## For example, if your account name is John, run “sc_auth list john”.
## Highlight and copy (Command+C) the hash listed for your user.
$ sc_auth unpair -h [hash]

Remove all paired smart cards for a single user

$ sc_auth unpair -u [username]
## For example, if your account name is John, run “sc_auth unpair -u john”.

## Or, for the user you are currently logged in as:
$ sc_auth unpair -u $(whoami)

Turn off the pairing user interface in macOS

$ sc_auth pairing_ui -s disable