Managing Smart Card Token Modules

A smart card token module is a middleware that provides programmatic access to smart cards and keys and the cryptographic assets they store. It does this by copying the items to the Keychain when the token is inserted, and deleting them from the Keychain when the token is removed.

Below, you will find basic commands for managing installed smart card token modules. For more details refer to Apple's support documentation.

Important: When you install the HID Crescendo CryptoTokenKit module, it is advisable to disable the native macOS PIV smart card token module (CryptoTokenKit) to avoid conflicts.

List Installed Smart Card Token Modules

To check what smart card token modules are installed on macOS:

  1. Open Terminal.

  2. Run the following command:

Copy 
pluginkit -m -p com.apple.ctk-tokens

This command lists the currently installed and registered smart card token modules.

If HID Crescendo CryptoTokenKit is installed, the output might look like this:

Copy 
com.hidglobal.ia.crescendo.ctk.token(1.0)
com.apple.CryptoTokenKit.pivtoken(1.0)
com.apple.PlatformSSOToken(1.0)
com.appleCryptoTokenKit.ctkcard.ctkcardtoken(1).

  • com.hidglobal.ia.crescendo.ctk.tokenHID Crescendo CryptoTokenKit module.

  • com.apple.CryptoTokenKit.pivtoken – Apple’s built-in PIV token module (for PIV-compliant smart cards).

Disable a Smart Card Token Module

To disable a specific smart card token module:

  1. Open Terminal.

  2. Run the following command, replacing <token> with the actual name of the module you wish to disable. See List Installed Smart Card Token Modules to review how to find the module's name.

Copy 
sudo security smartcards token -d <token>
Note: This command specifies a string representing the token module name that is going to be disabled. Therefore, make sure the name is entered correctly before running the command.

  • To disable the built-in Apple PIV card support and avoid conflicts with Crescendo CTK, use the following command:

Copy 
sudo security smartcards token -d com.apple.CryptoTokenKit.pivtoken
Important: Disable the built-in Apple PIV card support only if you are using Crescendo Cards and Keys, as doing so will prevent macOS from recognizing other PIV-compatible tokens.

  • To disable the Crescendo CTK, use the following command:

Copy 
sudo security smartcards token -d com.hidglobal.ia.crescendo.ctk.token

Enable a Smart Card Token Module

To enable a specific smart card token module to be used in macOS authentication:

  1. Open Terminal.

  2. Run the following command, replacing <token> with the actual name of the module you wish to enable. See List Disabled Smart Card Token Modules to review how to find the disabled module's name.

Copy 
sudo security smartcards token -e <token>

Replace <token> with the actual name of the disabled module you wish to enable.

To re-enable the built-in Apple PIV card support that has been disabled, use the following command:

Copy 
sudo security smartcards token -e com.apple.CryptoTokenKit.pivtoken

List Disabled Smart Card Token Modules

To check whether some smart card token modules are disabled:

  1. Open Terminal.

  2. Run the following command:

Copy 
sudo security smartcards token -l

This command displays a list of disabled modules.