Using Your Crescendo Smart Card for Logging Into macOS

To use a Crescendo smart card or key for login and authentication, a certificate stored on the token must be paired with the macOS user account. This local account pairing can be achieved in two ways:

Pairing a Smart Card to a macOS User Account in the UI

  1. When an unpaired smart card is inserted, a notification dialog appears.

  2. Hover over the notification and click Pair to associate the smart card with the user account.

For more details, refer to the relevant Apple Support documentation.

Tip! To prevent the local account pairing dialog from appearing when an unpaired smart card is inserted, see Disable the UI for Smart Card Pairing.

Pairing a Smart Card to a macOS User Account in Terminal

To manually pair a smart card with a macOS user account, enabling the user to log in with their smart card:

  1. Open Terminal.

  2. Run the following command, replacing <USER> with the actual macOS username and <HASH> with the hash value of the certificate:

    sudo sc_auth pair -h <HASH> -u <USER>

Finding the Certificate Hash

To retrieve the hash value of the certificate stored on the smart card:

  1. Open Terminal.

  2. Run the following command:

    sc_auth identities

This command lists both paired and unpaired identities on the smart card, allowing you to copy the hash value of the desired certificate for pairing.

Verifying the Pairing

To confirm that the smart card is paired with the user:

  1. Open Terminal.

  2. Run the following command:

    sc_auth list

This will display paired smart card identities.
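
The three Terminal procedures above (find the hash, pair, verify) combined into one script, as an added example that is not vendor or Apple code. The function names, the script name `pair_card.sh`, the sample output and the assumed layout of `sc_auth identities` output (section headers ending in a colon, then lines starting with a 40-hex-digit hash) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. ASSUMPTIONS: `sc_auth identities` prints
# section headers ending in ":" followed by "<hash> <certificate name>" lines,
# and the hash is 40 hex digits.

# Constructed sample output (not captured from a real token).
SAMPLE_IDENTITIES='SmartCard: com.apple.pivtoken:00000000
Unpaired identities:
0123456789ABCDEF0123456789ABCDEF01234567  Certificate For PIV Authentication (Test User)
Paired identities which are used for authentication:
89ABCDEF0123456789ABCDEF0123456789ABCDEF  Certificate For PIV Authentication (Test User)'

# Read `sc_auth identities` output on stdin; print only the unpaired hashes.
unpaired_hashes() {
    awk '
        /^Unpaired identities:/ { in_unpaired = 1; next }
        /:[ ]*$/                { in_unpaired = 0; next }  # any other header
        in_unpaired && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ { print toupper($1) }
    '
}

# Succeed only for a 40-hex-digit value, so nothing else reaches sudo.
is_cert_hash() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Pair the token's single unpaired identity with the given user, then list.
pair_single_identity() {
    user=$1
    hashes=$(sc_auth identities | unpaired_hashes)
    count=$(printf '%s\n' "$hashes" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one unpaired identity, found $count" >&2
        return 1
    fi
    is_cert_hash "$hashes" || return 1
    sudo sc_auth pair -h "$hashes" -u "$user" && sc_auth list
}

# Run as: sh pair_card.sh --pair <USER>
if [ "${1:-}" = "--pair" ]; then
    pair_single_identity "${2:?username required}"
fi
```

The script refuses to pair when the token exposes zero or several unpaired identities, so the certificate to pair is never chosen implicitly.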

Unpairing a Smart Card From a User Account

Important:

macOS supports smart card-only authentication, which disables all password-based authentication, enforcing mandatory smart card use. Unpairing a smart card from a user account does not remove the smart card authentication requirement if it has been enabled. Removing smart card pairing may thus result in locking the user out. For more details, refer to this Apple support article on smart card-only authentication.

To unpair a specific certificate from macOS login:

  1. Open Terminal.

  2. Run the following command, replacing <HASH> with the hash value of the certificate:

    sudo sc_auth unpair -h <HASH>

To remove all pairing for a single user:

  1. Open Terminal.

  2. Run the following command, replacing <USER> with the username:

    sudo sc_auth unpair -u <USER>

Disable the UI for Smart Card Pairing

To prevent macOS from automatically prompting users for smart card pairing when an unpaired card is inserted:

  1. Open Terminal.
  2. Run the following command:

    sc_auth pairing_ui -s disable

Enable the UI for Smart Card Pairing

To re-enable the automatic smart card pairing prompt in macOS when an unpaired card is inserted:

  1. Open Terminal.
  2. Run the following command:

    sc_auth pairing_ui -s enable

This restores the automatic pairing notification, allowing users to pair a smart card with their macOS account through the UI.