
Don't Forget Your Badge!

Jamf
October 25, 2018


Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
Don't Forget Your Badge!

Presented by:
Allen Golbig, NASA
Matt Woodruff, Jamf

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.


Transcript

  1. © JAMF Software, LLC
     Allen Golbig, Mac Systems Engineer, Peerless Technologies @ NASA
     Matt Woodruff, Sr. Systems Engineer, Jamf
  2. Don’t Forget Your Badge!
     Presentation agenda:
     • Background check
     • macOS smartcard configuration
     • Using Jamf Pro to manage smartcards
     • Where do we go next?
  3. PIV Mandatory
     • HSPD-12
     • OMB M-11-11
     • FISMA CIO Metrics Requirements
  4. PIV Mandatory

     Enforcement model           Definition                                                           Managed by
     Machine Based Enforcement   A user is required to use their PIV to authenticate to each device   MDM
     User Based Enforcement      A user’s network password is removed from their account              MDM, Directory Services
  5. Smartcard Configuration: Pairing (Fixed Key Mapping)
     • GUI-based
     • Can be scripted
     • Requires admin rights
  6. Smartcard Configuration: Attribute Mapping
     • Scriptable
     • Works with AD accounts
     • Always takes precedence
  7. /etc/SmartcardLogin.plist: attribute mapping
     (the inner dictionary has to be keyed AttributeMapping, as in the full
     example later in the deck; a bare <dict> inside <dict> is not a valid plist)

     # quoted delimiter keeps "$1" literal in the formatString
     /bin/cat > "/etc/SmartcardLogin.plist" << 'Attr_Mapping'
     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     <plist version="1.0">
     <dict>
         <key>AttributeMapping</key>
         <dict>
             <key>fields</key>
             <array>
                 <string>NT Principal Name</string>
             </array>
             <key>formatString</key>
             <string>Kerberos:$1</string>
             <key>dsAttributeString</key>
             <string>dsAttrTypeStandard:AltSecurityIdentities</string>
         </dict>
     </dict>
     </plist>
     Attr_Mapping
  11. Why did we go with mapping?
      • Flexibility
      • Aligned us with other platforms
      • Works well with AD bound systems
  12. TokenD: why do we still use it?
      • Third-party apps that lack CryptoTokenKit support
      • View your certificates in Keychain Access and change PIN
      • Race conditions with CTK
      • man SmartCardServices-legacy
  13. Unbinding: why do you need Active Directory?
      • Use Jamf Pro to apply management settings
      • Mitigate AD risks
      • Get your Kerberos ticket from Enterprise Connect PKI or Jamf Connect
  14. Enterprise Connect PKI
      • Apple Professional Services
      • Adds smartcard support to Enterprise Connect
      • Apple supported
      • Does not work with LDAP
  15. Jamf Connect
      • Multiple identities
      • CLI for getting a Kerberos ticket
      • Works with LDAP
      • So much more
  16. com.apple.security.smartcard: UserPairing
      • If false, users will not get the pairing dialog
      • Default: True
  17. com.apple.security.smartcard: allowSmartCard
      • If false, the smartcard is disabled for logins, authorizations and screensaver
      • Still allowed for other functions
      • Default: True
  18. com.apple.security.smartcard: checkCertificateTrust
      • 0 - certificate trust off
      • 1 - certificate trust on, no revocation checks
      • 2 - certificate trust on, soft revocation
      • 3 - certificate trust on, hard revocation
  19. com.apple.security.smartcard: oneCardPerUser
      • If true, a user can only pair with one smartcard
      • Default: False
  20. com.apple.security.smartcard: enforceSmartCard
      • If true, a user can only login or authenticate with a smartcard
      • Default: False
  21. com.apple.security.smartcard: tokenRemovalAction
      • If 1, screensaver will be enabled upon removal of smartcard
      • Default: 0
  22. com.apple.loginwindow: DisableFDEAutoLogin
      • If on, disables automatic login if FileVault is enabled, so that both an EFI login and a loginwindow password are required
      • Default: Off
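The keys above are deployed as a com.apple.security.smartcard payload. What follows is an added example, not code from the deck or from NASA/Jamf: a shell function that renders the two profiles a staged rollout uses, a "baseline" profile (certificate trust with soft revocation, pairing dialog suppressed because attribute mapping is used instead, screen lock on card removal, enforceSmartCard off) and an "enforce" profile that differs only in enforceSmartCard being true. The identifier prefix com.example.smartcard and the display names are placeholders; the UUIDs are generated at render time.

```shell
#!/bin/bash
# Added example (not from the JNUC deck): render the baseline and enforce
# com.apple.security.smartcard profiles. Key names and defaults follow the deck.
# com.example.smartcard and the display names are placeholders for the example.
set -u

ORG_PREFIX="com.example.smartcard"   # placeholder identifier prefix

new_uuid() {
  uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

# render_smartcard_profile baseline|enforce -> mobileconfig XML on stdout.
# The two outputs are identical apart from enforceSmartCard, so the baseline
# can go to every Mac while enforce is scoped only to Macs that already have
# a mapped identity (an enforced Mac with no mapping locks the user out).
render_smartcard_profile() {
  local mode="$1" enforce name
  case "$mode" in
    baseline) enforce="false"; name="Smartcard Authentication" ;;
    enforce)  enforce="true";  name="Smartcard Enforce" ;;
    *) echo "usage: render_smartcard_profile baseline|enforce" >&2; return 2 ;;
  esac
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.security.smartcard</string>
            <key>PayloadIdentifier</key>
            <string>${ORG_PREFIX}.${mode}.payload</string>
            <key>PayloadUUID</key>
            <string>$(new_uuid)</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadDisplayName</key>
            <string>${name}</string>
            <key>UserPairing</key>
            <false/>
            <key>allowSmartCard</key>
            <true/>
            <key>checkCertificateTrust</key>
            <integer>2</integer>
            <key>oneCardPerUser</key>
            <true/>
            <key>enforceSmartCard</key>
            <${enforce}/>
            <key>tokenRemovalAction</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadIdentifier</key>
    <string>${ORG_PREFIX}.${mode}</string>
    <key>PayloadUUID</key>
    <string>$(new_uuid)</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>${name}</string>
</dict>
</plist>
EOF
}

# profile_value XML KEY -> the value element on the line after <key>KEY</key>
# (e.g. "<true/>" or "<integer>2</integer>"); a minimal reader so the rendered
# profile can be checked on any host, with or without plutil.
profile_value() {
  printf '%s\n' "$1" | awk -v key="<key>$2</key>" '
    found { gsub(/^[ \t]+/, ""); print; exit }
    index($0, key) { found = 1 }'
}

# Demo: show the one key that differs between the two profiles.
echo "baseline enforceSmartCard: $(profile_value "$(render_smartcard_profile baseline)" enforceSmartCard)"
echo "enforce  enforceSmartCard: $(profile_value "$(render_smartcard_profile enforce)" enforceSmartCard)"
```

Run `render_smartcard_profile enforce > Smartcard-Enforce.mobileconfig` and upload the result to Jamf Pro. checkCertificateTrust is left at 2 (soft revocation) rather than 3 on purpose: with hard revocation a Mac that cannot reach the CA's revocation service will refuse the card, which is exactly the off-network situation the deck's PIV exemption slide has to cater for.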
  23. What’s new in Mojave
      • Certificate pinning
      • Performance enhancements
      • NO MORE KEYCHAIN PROMPTS!
  24. Jamf Pro: Overview
      • Mapping process
      • Enforcement
      • Additional requirements
  25. Jamf Pro Mapping Process
      • Get User Principal Name off card
      • Append UPN to user’s directory record
      • Add /etc/SmartcardLogin.plist
  26. Getting PIV Auth Hash

      # take the PIV identity's hash, lowercase it, insert a space after every
      # 8 hex digits and drop the trailing space
      /usr/sbin/sc_auth identities | awk '/PIV/ {print $1}' \
        | tr '[:upper:]' '[:lower:]' | sed 's/.\{8\}/& /g' | sed 's/.$//g'
  27. Generating PIV Auth Cert

      # $hash is the value produced on the previous slide
      /usr/sbin/system_profiler SPSmartCardsDataType | grep -A5 "$hash" \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {print; count++; if (count==3) exit}' \
        | fold -w67 > /tmp/temp.pem
  28. /tmp/temp.pem (example certificate from the deck)

      -----BEGIN CERTIFICATE-----
      MIIDAzCCAeugAwIBAgIJAJooOLDCGNUAMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNV
      BAMMDXd3dy5qbnVjLjIwMTgwHhcNMTgwOTI1MTcwMzMzWhcNMjgwOTIyMTcwMzMz
      WjAYMRYwFAYDVQQDDA13d3cuam51Yy4yMDE4MIIBIjANBgkqhkiG9w0BAQEFAAOC
      AQ8AMIIBCgKCAQEA7qX6lWABaR2uMxBEz/rl9Deukl047ilxeWJyTETKWO54AloU
      2YCEJh9KqWZIVHzR038d6MV8RedQjqRJAdLBDwUnJ+rQzbNAjfCUt1nT46OfrzkZ
      5R1AIUNcSn9y4n6+cC4BEwCtO+q++X+SB68CVbxkzh5T7ZgNWti1r+GzUbS7x2nl
      Ownx+ATwcKzsi7/jGcM6nJkcgOY2DL7b6V7tLP1X785zlHpx8oTCmp29yj4NQHIv
      H4Vlt1+a2cZo8tcSDxCskZnT1LJY7Vvs1wpdXjKHvAx8O938TGnQaW9SeqUzJayK
      WKSYLAcah+884DehCQbirhSTDzWNIHvO64s6tQIDAQABo1AwTjAdBgNVHQ4EFgQU
      38efDlnwJhZ9Zckna0QKhC0xfQwwHwYDVR0jBBgwFoAU38efDlnwJhZ9Zckna0QK
      hC0xfQwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAtY54XMdQJcri
      4ONM6JMgjqp+d8N9fekO4qtInQiGnU4OcG4hiAePgA6kk1E0KCypcU4SnzRGO7WS
      Cjqc/x9y0Wp5ivKNq/RMkjFfUiuxqI3dbf1ZjbPlBijA8ch0WOk7KcOi65S1WAY6
      WThtXc67hbwRQoWBpvcHQtx2J9zE/UPTE5VgkfeqkxIZBXYgdG6reIaFIldv29lO
      S8rVxrIcDsCrmZPohLCfNX1SC1WNDiFJGoszjYUZKnX0d81IzszG+WbIXn+pQVzC
      b0w3Tbtk6D60fC11eUPPqLfcAVZCq9x4+9lYb06ehZPASIiLsLXNTbQfi2z/rPBU
      QcS3HU1ARg==
      -----END CERTIFICATE-----
  29. Getting UPN from Certificate

      # inner asn1parse: offset of the Subject Alternative Name OCTET STRING
      # outer asn1parse: re-parse that payload and pull the UTF8STRING (the UPN otherName)
      UPN="$(/usr/bin/openssl asn1parse -i -dump -in /tmp/temp.pem -strparse \
          $(/usr/bin/openssl asn1parse -i -dump -in /tmp/temp.pem \
              | awk -F ':' '/X509v3 Subject Alternative Name/ {getline; print $1}') \
          | awk -F ':' '/UTF8STRING/{print $4}')"
  30. /etc/SmartcardLogin.plist: trusted authorities plus attribute mapping

      # TrustedAuthorities holds the SHA-256 hash of each issuing CA certificate
      /bin/cat > "/etc/SmartcardLogin.plist" << 'Attr_Mapping'
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
          <key>TrustedAuthorities</key>
          <array>
              <string>SHA-256_HASH_GOES_HERE</string>
          </array>
          <key>AttributeMapping</key>
          <dict>
              <key>fields</key>
              <array>
                  <string>NT Principal Name</string>
              </array>
              <key>formatString</key>
              <string>Kerberos:$1</string>
              <key>dsAttributeString</key>
              <string>dsAttrTypeStandard:AltSecurityIdentities</string>
          </dict>
      </dict>
      </plist>
      Attr_Mapping
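The three mapping slides can be exercised end to end without a card reader. The following is an added example, not code from the deck or from NASA/Jamf: it generates a throwaway self-signed certificate whose SAN carries a Microsoft UPN otherName (standing in for the PIV Authentication certificate that system_profiler dumps from the card), recovers the UPN with the same two-pass openssl asn1parse technique the deck uses, builds the AltSecurityIdentities value that the "Kerberos:$1" formatString resolves to, and computes the SHA-256 that replaces the TrustedAuthorities placeholder. The UPN agolbig@example.com and the file names are constructed for the example; openssl is the only dependency.

```shell
#!/bin/bash
# Added example (not from the JNUC deck): mapping process on a constructed
# certificate. The self-signed cert is its own issuer, so its hash doubles as
# the TrustedAuthorities value here; in production hash the PIV CA certificate.
set -u

UPN_OID="1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME, the "NT Principal Name" field

# make_test_cert DIR UPN -> path of a self-signed cert whose SAN holds UPN as an otherName.
make_test_cert() {
  local dir="$1" upn="$2"
  cat > "$dir/upn.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_piv
prompt             = no
[ dn ]
CN = PIV Authentication Test
[ v3_piv ]
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName   = otherName:${UPN_OID};UTF8:${upn}
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/upn.cnf" >/dev/null 2>&1 \
    || return 1
  echo "$dir/cert.pem"
}

# extract_upn CERT -> UPN. Pass 1 finds the offset of the SAN extension's OCTET
# STRING; pass 2 re-parses that payload. A SAN may carry several names, so the
# UTF8STRING is only accepted when it follows the UPN otherName OID.
extract_upn() {
  local cert="$1" san_offset
  san_offset=$(openssl asn1parse -i -in "$cert" \
    | awk -F ':' '/X509v3 Subject Alternative Name/ {getline; print $1; exit}' | tr -d ' ')
  [ -n "$san_offset" ] || return 1
  openssl asn1parse -i -in "$cert" -strparse "$san_offset" \
    | awk -F ':' -v oid="$UPN_OID" '
        /OBJECT/ && (/msUPN|Microsoft User Principal Name/ || index($0, oid)) { want = 1; next }
        /OBJECT/ { want = 0 }
        want && /UTF8STRING/ { sub(/^[ \t]+/, "", $4); print $4; exit }'
}

# altsec_value CERT -> the string to append to the user's AltSecurityIdentities.
# SmartcardLogin.plist maps fields ["NT Principal Name"] through formatString
# "Kerberos:$1" to exactly this value, so the two must agree byte for byte.
altsec_value() {
  local upn
  upn=$(extract_upn "$1") || return 1
  [ -n "$upn" ] || return 1
  printf 'Kerberos:%s\n' "$upn"
}

# trusted_authority_hash CACERT -> hex SHA-256 of the CA certificate's DER encoding,
# the value that replaces SHA-256_HASH_GOES_HERE under TrustedAuthorities.
trusted_authority_hash() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Demo on a constructed certificate.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cert=$(make_test_cert "$workdir" "agolbig@example.com")
echo "UPN:                   $(extract_upn "$cert")"
echo "AltSecurityIdentities: $(altsec_value "$cert")"
echo "TrustedAuthorities:    $(trusted_authority_hash "$cert")"
```

On a Mac the same functions run against /tmp/temp.pem from the previous slides; the altsec_value output is what `dscl . append /Users/<user> AltSecurityIdentities <value>` stores, and the hash of the real issuing CA goes into the plist.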
  32. Jamf Pro Enforcement
      • EAs & Smart Groups for scoping
      • Apply enforceSmartCard key
      • PAM modules, SSH
      • PIV exemption
  33. Jamf Pro Extension Attribute
      • Check status of AltSecurityIdentities
      • As well as /etc/SmartcardLogin.plist
  34. Extension Attribute

      #!/bin/bash
      # True when /etc/SmartcardLogin.plist exists and at least one local account
      # (UID > 500) has an AltSecurityIdentities value for the organisation's
      # domain (@jamf.com here; substitute your own)
      if [ -f /etc/SmartcardLogin.plist ]; then
          if [ $(for user in $(dscl . list /Users UniqueID | awk '$2 > 500 {print $1}'); do
                     dscl . read /Users/$user AltSecurityIdentities 2>/dev/null | grep @jamf.com
                 done | wc -l) -gt 0 ]; then
              echo "<result>True</result>"
          else
              echo "<result>False</result>"
          fi
      else
          echo "<result>False</result>"
      fi
  35. Jamf Pro Enforcement - Smart Group

      AND/OR   CRITERIA            OPERATOR   VALUE
               Smartcard-Mapping   Is         TRUE
      And      Smartcard_Exempt    Is Not     1
  36. Jamf Pro Enforcement - Scoping

      Configuration Profile      Target                Exclusion
      Smartcard Authentication   All Managed Clients   Smartcard-enforce
      Smartcard Enforce          Smartcard-enforce     None
  37. Jamf Pro: But wait, there’s more!
      • enforceSmartCard limited to login, authorization, and screensaver unlock
      • PAM modules
      • SSH
  38. Jamf Pro PAM Modules
      • /etc/pam.d/sudo
      • /etc/pam.d/login
      • /etc/pam.d/su
      • https://support.apple.com/en-us/HT208372
  39. Extension Attribute

      #!/bin/bash
      # count the two auth lines HT208372 expects in each PAM service
      pamSudo=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo)
      pamLogin=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login)
      pamSu=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su)
      if [[ "$pamSudo" = "2" ]] && [[ "$pamLogin" = "2" ]] && [[ "$pamSu" = "2" ]]; then
          echo "<result>Compliant</result>"
      else
          echo "<result>Not Compliant</result>"
      fi
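The Extension Attribute above counts lines, so it reports Compliant as soon as the expected entries exist anywhere in the file. PAM walks an auth stack top-down: pam_smartcard.so only short-circuits the password prompt when it sits above pam_opendirectory.so and pam_deny.so, and a copy appended at the bottom counts but never fires. The following is an added example, not code from the deck or from NASA/Jamf: an order-aware check, plus an idempotent helper that inserts the smartcard line above the first existing auth entry. The sample file is constructed for the example and modelled on the stock /etc/pam.d/sudo.

```shell
#!/bin/bash
# Added example (not from the JNUC deck): order-aware PAM smartcard check.
# Sample file contents are constructed for the example.
set -u

SMARTCARD_LINE='auth       sufficient     pam_smartcard.so'

# pam_smartcard_enforced FILE -> 0 if the first auth entry in FILE is
# "auth sufficient pam_smartcard.so", 1 otherwise. Comments, blank lines and
# the other management groups (account, password, session) are skipped.
pam_smartcard_enforced() {
  awk '
    /^[ \t]*(#|$)/ { next }
    $1 == "auth" { seen = 1; ok = ($2 == "sufficient" && $3 == "pam_smartcard.so"); exit }
    END { if (seen && ok) exit 0; exit 1 }' "$1"
}

# enable_pam_smartcard FILE -> rewrite FILE so pam_smartcard.so is the first auth
# entry (any misplaced copy is removed first). Safe to run repeatedly; returns 1
# without writing if FILE has no auth stack at all.
enable_pam_smartcard() {
  local file="$1" tmp
  pam_smartcard_enforced "$file" && return 0
  grep -Eq '^[ \t]*auth[ \t]' "$file" || return 1
  tmp=$(mktemp)
  awk -v line="$SMARTCARD_LINE" '
    $1 == "auth" && $3 == "pam_smartcard.so" { next }
    !done && $1 == "auth" { print line; done = 1 }
    { print }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the target file owner and mode
  rm -f "$tmp"
  pam_smartcard_enforced "$file"
}

# Constructed sample modelled on the stock macOS /etc/pam.d/sudo (no smartcard line).
default_sudo_pam() {
  cat <<'EOF'
# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Demo: stock file fails, a line appended at the bottom still fails, the fixed file passes.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
default_sudo_pam > "$workdir/sudo"
pam_smartcard_enforced "$workdir/sudo" && echo "stock:    enforced" || echo "stock:    not enforced"
{ default_sudo_pam; printf '%s\n' "$SMARTCARD_LINE"; } > "$workdir/sudo.appended"
pam_smartcard_enforced "$workdir/sudo.appended" && echo "appended: enforced" || echo "appended: not enforced"
enable_pam_smartcard "$workdir/sudo" && echo "fixed:    enforced"
cat "$workdir/sudo"
```

Pointed at /etc/pam.d/sudo, /etc/pam.d/login and /etc/pam.d/su, pam_smartcard_enforced gives the EA an ordering check that the line count alone does not; the pam_deny.so and pam_rootok.so lines that HT208372 also expects are still counted as on the slide.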
  40. Jamf Pro SSH
      • /etc/ssh/sshd_config
      • /etc/ssh/ssh_config
      • https://support.apple.com/en-us/HT208372
  41. Extension Attribute

      #!/bin/bash
      # Enabled when ssh_config references the smartcard PKCS#11 provider
      # (numeric comparison; the original string comparison only worked by accident for single digits)
      ssh_check=$(/usr/bin/grep -c ssh-keychain.dylib /etc/ssh/ssh_config)
      if [[ "$ssh_check" -gt 0 ]]; then
          echo "<result>Enabled</result>"
      else
          echo "<result>Disabled</result>"
      fi
  42. Jamf Pro PIV Exemption
      • Lost, damaged, stolen or forgotten
      • Need for quick remediation
      • Possibility user is off network
      • Modification to Extension Attribute
  43. Smartcard Auth - Jamf Pro Services
      Single Sign-On
      • Jamf Pro Server
      • Self Service
      • User Initiated Enrollments
  44. Third-Party Apps: CTK support???
      • Microsoft Outlook
      • Adobe Acrobat Reader/Pro
      • Firefox
      • Pulse Secure
      • The list goes on and on…
  45. Future: Please Apple?
      • FileVault
      • Derived credentials
      • TouchID to unlock smartcard, after initial unlock
      • External disk/DMG/archive support