Managing Smart Card Token Modules

A smart card token module is middleware that provides programmatic access to smart cards and keys, as well as to the cryptographic assets they store. It does this by copying the items to the Keychain when the token is inserted, and deleting them from the Keychain when the token is removed.

Below, you will find basic commands for managing installed smart card token modules. For more details refer to Apple's support documentation.

Note: When you install ActivClient, the ActivClient CryptoTokenKit (CTK) smart card token module automatically disables the native macOS PIV smart card token module (CryptoTokenKit) to avoid conflicts.

List Installed Smart Card Token Modules

To check which smart card token modules are installed on macOS:

  1. Open Terminal.

  2. Run the following command:

Copy 
pluginkit -m -p com.apple.ctk-tokens

This command lists the currently installed and registered smart card token modules.

If ActivClient is installed, the output might look like this:

Copy 
com.hidglobal.ia.activclient.ctk.token(1.0)
com.apple.CryptoTokenKit.pivtoken(1.0)
com.apple.PlatformSSOToken(1.0)
com.appleCryptoTokenKit.ctkcard.ctkcardtoken(1).

  • com.hidglobal.ia.activclient.ctk.token – the ActivClient CTK token module

  • com.apple.CryptoTokenKit.pivtoken – Apple’s built-in PIV token module (for PIV-compliant smart cards)

Disable a Smart Card Token Module

To disable a specific smart card token module:

  1. Open Terminal.

  2. Run the following command, replacing <token> with the actual name of the module you wish to disable. See List Installed Smart Card Token Modules to review how to find the module's name.

Copy 
sudo security smartcards token -d <token>
Note: This command specifies a string representing the token module name that is going to be disabled. Therefore, make sure the name is entered correctly before running the command.

  • To disable the built-in Apple PIV card support and avoid conflicts with ActivClient, use the following command:

Copy 
sudo security smartcards token -d com.apple.CryptoTokenKit.pivtoken
Note: Disabling the built-in Apple PIV card support is performed automatically during ActivClient setup, so this action is not required in most situations.

  • To disable the ActivClient CTK module, use the following command:

Copy 
sudo security smartcards token -d com.hidglobal.ia.activclient.ctk.token

Enable a Smart Card Token Module

To enable a specific smart card token module to be used in macOS authentication:

  1. Open Terminal.

  2. Run the following command, replacing <token> with the actual name of the module you wish to enable. See List Disabled Smart Card Token Modules to review how to find the disabled module's name.

Copy 
sudo security smartcards token -e <token>

Replace <token> with the actual name of the disabled module you wish to enable.

To re-enable the built-in Apple PIV card support that has been disabled, use the following command:

Copy 
sudo security smartcards token -e com.apple.CryptoTokenKit.pivtoken

List Disabled Smart Card Token Modules

To check whether some smart card token modules are disabled:

  1. Open Terminal.

  2. Run the following command:

Copy 
sudo security smartcards token -l

This command displays a list of disabled modules.