The payload that configures a smart card.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| `UserPairing`: If `false`, users don't get the pairing dialog, although existing pairings still work. | boolean | optional | true | Yes | macOS (10.12.4+) |
| `allowSmartCard`: If `false`, the system disables smart cards for logins, authorizations, and screen saver unlocking. It is still allowed for other functions, such as signing emails and accessing the web. A restart is required for a setting change to take effect. | boolean | optional | true | Yes | macOS (10.12.4+) |
| `checkCertificateTrust`: Configures the certificate trust check and has one of the following possible values:<br>`0`: Turns off certificate trust check.<br>`1`: Turns on certificate trust check. A standard validity check is performed but doesn't include additional revocation checks.<br>`2`: Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it's considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed.<br>`3`: Turns on certificate trust check. A hard revocation check is also performed. Unless CRL/OCSP explicitly says "This certificate is OK," it's considered invalid. This option is the most secure. | integer | optional | 0 | Yes | macOS (10.12.4+) |
| `oneCardPerUser`: If `true`, a user can pair with only one smart card, although existing pairings are allowed if already set up. | boolean | optional | false | Yes | macOS (10.12.4+) |
| `tokenRemovalAction`: If `1`, the system enables the screen saver when the smart card is removed. Available in macOS 10.13.4 and later. | integer | optional | 0 | Yes | macOS (10.13.4+) |
| `enforceSmartCard`: If `true`, a user can only log in or authenticate with a smart card. Available in macOS 10.13.2 and later. | boolean | optional | false | Yes | macOS (10.13.2+) |
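
Because every key is optional and `checkCertificateTrust` defaults to `0`, a payload that omits keys can end up weaker than it looks. The following added example (not part of the original page or of Apple's documentation) resolves a profile's effective smart card settings against the defaults in the table and reports the weaker ones. The payload type string `com.apple.security.smartcard`, the `PayloadContent` wrapper, and the names `audit_smartcard_payload` and `make_profile` are assumptions not shown on this page, and the sample profiles are constructed.

```python
import plistlib

# Defaults from the table above; a key absent from the payload takes its default.
DEFAULTS = {"UserPairing": True, "allowSmartCard": True, "checkCertificateTrust": 0,
            "oneCardPerUser": False, "tokenRemovalAction": 0, "enforceSmartCard": False}
# Assumption: payload type identifier and PayloadContent wrapper, neither shown on this page.
SMARTCARD_TYPE = "com.apple.security.smartcard"

def audit_smartcard_payload(profile_bytes):
    """Return (effective_settings, findings) for the first smart card payload."""
    profile = plistlib.loads(profile_bytes)
    payload = next((p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == SMARTCARD_TYPE), None)
    if payload is None:
        raise ValueError("profile contains no smart card payload")
    eff = {key: payload.get(key, default) for key, default in DEFAULTS.items()}
    findings = []
    trust = eff["checkCertificateTrust"]
    if isinstance(trust, bool) or trust not in (0, 1, 2, 3):
        findings.append(f"checkCertificateTrust={trust!r} is not a documented value")
    elif trust == 0:
        findings.append("checkCertificateTrust=0: certificate trust check is off")
    elif trust == 1:
        findings.append("checkCertificateTrust=1: validity only, no revocation check")
    elif trust == 2:
        findings.append("checkCertificateTrust=2: soft revocation, unreachable CRL/OCSP passes")
    if not eff["enforceSmartCard"]:
        findings.append("enforceSmartCard=false: login without a smart card is possible")
    if eff["tokenRemovalAction"] != 1:
        findings.append("tokenRemovalAction!=1: no screen saver on card removal")
    return eff, findings

def make_profile(**settings):
    """Build a constructed test profile holding one smart card payload."""
    payload = {"PayloadType": SMARTCARD_TYPE, **settings}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

# Constructed samples: one relying on defaults, one using the strictest values.
WEAK = make_profile(checkCertificateTrust=2, enforceSmartCard=True)
STRICT = make_profile(checkCertificateTrust=3, enforceSmartCard=True, tokenRemovalAction=1)

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("strict", STRICT)):
        eff, findings = audit_smartcard_payload(blob)
        print(name, eff["checkCertificateTrust"], findings or "no findings")
```
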