Don't Forget Your Badge!

October 25, 2018

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
Don't Forget Your Badge!

Presented by:
Allen Golbig, NASA
Matt Woodruff, Jamf

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.


Transcript

  1. (no text)
  2. © JAMF Software, LLC
     Allen Golbig, Mac Systems Engineer, Peerless Technologies @ NASA
     Matt Woodruff, Sr. Systems Engineer, Jamf
  3. Don’t Forget Your Badge! Presentation agenda:
     • Background check
     • macOS smartcard configuration
     • Using Jamf Pro to manage smartcards
     • Where do we go next?
  4. (no text)
  5. ARC AFRC JSC SSC MSFC KSC GRC HQ LaRC GSFC (NASA centers)
  6. (repeat of slide 5)
  7. (repeat of slide 5)
  8. (repeat of slide 5)
  9. ARC GSFC
  10. GRC
  11. (no text)
  12. PIV Mandatory
     • HSPD-12
     • OMB M-11-11
     • FISMA CIO Metrics Requirements
  13. PIV Mandatory
     | PIV Mandatory             | Definition                                                         | Managed By              |
     | Machine Based Enforcement | A user is required to use their PIV to authenticate to each device | MDM                     |
     | User Based Enforcement    | A user’s network password is removed from their account            | MDM, Directory Services |
  14. Smartcard Configuration
  15. Smartcard Configuration: Pairing (Fixed Key Mapping)
     • GUI-based
     • Can be scripted
     • Requires admin rights
  16. (no text)
  17. Smartcard Configuration: Attribute Mapping
     • Scriptable
     • Works with AD accounts
     • Always takes precedence
  18. Writing the attribute mapping file:
/bin/cat > "/etc/SmartcardLogin.plist" << 'Attr_Mapping'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- The mapping dictionary must sit under the AttributeMapping key;
         a dict with no key is not a valid plist. -->
    <key>AttributeMapping</key>
    <dict>
        <key>fields</key>
        <array>
            <string>NT Principal Name</string>
        </array>
        <key>formatString</key>
        <string>Kerberos:$1</string>
        <key>dsAttributeString</key>
        <string>dsAttrTypeStandard:AltSecurityIdentities</string>
    </dict>
</dict>
</plist>
Attr_Mapping
  19. (repeat of slide 18)
  20. (repeat of slide 18)
  21. (repeat of slide 18)
  22. Smartcard Configuration: Why did we go with mapping?
     • Flexibility
     • Aligned us with other platforms
     • Works well with AD bound systems
  23. TokenD: DEPRECATED
  24. TokenD: Why do we still use it?
     • Third-party apps that lack CryptoTokenKit support
     • View your certificates in Keychain Access and change PIN
     • Race conditions with CTK
     • man SmartCardServices-legacy
  25. (no text)
  26. Unbinding: Why do you need Active Directory?
     • Use Jamf Pro to apply management settings
     • Mitigate AD risks
     • Get your Kerberos ticket from Enterprise Connect PKI or Jamf Connect
  27. Enterprise Connect PKI
     • Apple Professional Services
     • Adds smartcard support to Enterprise Connect
     • Apple supported
     • Does not work with LDAP
  28. Jamf Connect
     • Multiple identities
     • CLI for getting Kerberos ticket
     • Works with LDAP
     • So much more
  29. Configuration Profile
  30. com.apple.security.smartcard: UserPairing
     • If false, users will not get the pairing dialog
     • Default: True
  31. com.apple.security.smartcard: allowSmartCard
     • If false, the smartcard is disabled for logins, authorizations and screensaver
     • Still allowed for other functions
     • Default: True
  32. com.apple.security.smartcard: checkCertificateTrust
     • 0 - certificate trust off
     • 1 - certificate trust on, no revocation checks
     • 2 - certificate trust on, soft revocation
     • 3 - certificate trust on, hard revocation
  33. com.apple.security.smartcard: oneCardPerUser
     • If true, a user can only pair with one smartcard
     • Default: False
  34. com.apple.security.smartcard: enforceSmartCard
     • If true, a user can only login or authenticate with a smartcard
     • Default: False
  35. com.apple.security.smartcard: tokenRemovalAction
     • If 1, screensaver will be enabled upon removal of smartcard
     • Default: 0
  36. com.apple.loginwindow: DisableFDEAutoLogin
     • If on, disables automatic login if FileVault is enabled, so that both an EFI login and loginwindow password are required
     • Default: Off
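As an added example (not code from the deck or from Jamf), the POSIX shell function below writes the com.apple.security.smartcard keys from slides 30 to 35 into a configuration profile in the two variants the scoping slide implies: a baseline authentication profile for all managed clients and an enforcement profile for the Smartcard-enforce group. The com.example identifier prefix, the display names, the baseline choice of checkCertificateTrust 2 and UserPairing false (pairing is suppressed because attribute mapping is the mapping method), and the profile_value helper are this example's assumptions, not settings stated in the talk.

```shell
#!/bin/sh
# Added example, not code from the deck or from Jamf: emits a configuration
# profile carrying the com.apple.security.smartcard keys from slides 30-35 in
# two variants. Identifier prefix (com.example.*), display names and the
# per-variant values are assumptions made for this example.

new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    else
        # Placeholder when uuidgen is unavailable; replace before deploying.
        echo "00000000-0000-0000-0000-000000000000"
    fi
}

# smartcard_profile auth|enforce  -> profile XML on stdout
#   auth:    baseline for all managed clients; cards work, trust is checked,
#            nothing is enforced, and the pairing dialog is suppressed because
#            attribute mapping (not pairing) is the chosen mapping method.
#   enforce: for the Smartcard-enforce smart group; card required for login,
#            authorization and screensaver, and removal locks the screen.
smartcard_profile() {
    mode=$1
    case "$mode" in
        auth)    enforce=false; removal=0 ;;
        enforce) enforce=true;  removal=1 ;;
        *) echo "usage: smartcard_profile auth|enforce" >&2; return 2 ;;
    esac
    ident="com.example.smartcard.$mode"     # assumed identifier prefix
    payload_uuid=$(new_uuid)
    profile_uuid=$(new_uuid)
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.smartcard</string>
      <key>PayloadIdentifier</key><string>${ident}.payload</string>
      <key>PayloadUUID</key><string>${payload_uuid}</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>Smart Card (${mode})</string>
      <key>allowSmartCard</key><true/>
      <key>UserPairing</key><false/>
      <key>oneCardPerUser</key><false/>
      <key>checkCertificateTrust</key><integer>2</integer>
      <key>enforceSmartCard</key><${enforce}/>
      <key>tokenRemovalAction</key><integer>${removal}</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Smartcard ${mode}</string>
  <key>PayloadIdentifier</key><string>${ident}</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>${profile_uuid}</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
</dict>
</plist>
EOF
}

# profile_value KEY  (profile XML on stdin) -> the value written for KEY,
# with <true/> and <false/> reported as true/false. Used to check the output.
profile_value() {
    grep "<key>$1</key>" \
        | sed 's#^.*</key>##; s#<true/>#true#; s#<false/>#false#; s#<[^>]*>##g'
}

# Write both variants side by side for inspection.
out=$(mktemp -d)
smartcard_profile auth    > "$out/smartcard-auth.mobileconfig"
smartcard_profile enforce > "$out/smartcard-enforce.mobileconfig"
printf 'profiles written to %s\nenforceSmartCard: auth=%s enforce=%s\n' "$out" \
    "$(profile_value enforceSmartCard < "$out/smartcard-auth.mobileconfig")" \
    "$(profile_value enforceSmartCard < "$out/smartcard-enforce.mobileconfig")"
```

The enforce variant is the one to scope to the Smartcard-enforce smart group; the auth variant keeps enforceSmartCard false so that a profile delivered to a Mac whose AltSecurityIdentities mapping is not yet in place cannot lock the user out.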
  37. What’s new in Mojave
     • Certificate Pinning
     • Performance Enhancements
     • NO MORE KEYCHAIN PROMPTS!
  38. (no text)
  39. Jamf Pro: Overview
     • Mapping Process
     • Enforcement
     • Additional Requirements
  40. Jamf Pro Mapping Process
     • Get User Principal Name off card
     • Append UPN to user’s directory record
     • Add /etc/SmartcardLogin.plist
  41. system_profiler SPSmartCardsDataType
     • Readers
     • Drivers (Reader, Tokend, CTK)
     • CERTIFICATES!!!
  42. Getting PIV Auth Hash:
/usr/sbin/sc_auth identities | awk '/PIV/ {print $1}' \
    | tr '[:upper:]' '[:lower:]' | sed 's/.\{8\}/& /g' | sed 's/.$//g'
  43. af15f4c1 78e8d684 bac9eb6b 6b4c240d 5a6bb5e0
  44. Generating PIV Auth Cert:
hash="af15f4c1 78e8d684 bac9eb6b 6b4c240d 5a6bb5e0"   # value from slide 43
/usr/sbin/system_profiler SPSmartCardsDataType | grep -A5 "$hash" \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {print; count++; if (count==3) exit}' \
    | fold -w67 > /tmp/temp.pem
  45. -----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIJAJooOLDCGNUAMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNV
BAMMDXd3dy5qbnVjLjIwMTgwHhcNMTgwOTI1MTcwMzMzWhcNMjgwOTIyMTcwMzMz
WjAYMRYwFAYDVQQDDA13d3cuam51Yy4yMDE4MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA7qX6lWABaR2uMxBEz/rl9Deukl047ilxeWJyTETKWO54AloU
2YCEJh9KqWZIVHzR038d6MV8RedQjqRJAdLBDwUnJ+rQzbNAjfCUt1nT46OfrzkZ
5R1AIUNcSn9y4n6+cC4BEwCtO+q++X+SB68CVbxkzh5T7ZgNWti1r+GzUbS7x2nl
Ownx+ATwcKzsi7/jGcM6nJkcgOY2DL7b6V7tLP1X785zlHpx8oTCmp29yj4NQHIv
H4Vlt1+a2cZo8tcSDxCskZnT1LJY7Vvs1wpdXjKHvAx8O938TGnQaW9SeqUzJayK
WKSYLAcah+884DehCQbirhSTDzWNIHvO64s6tQIDAQABo1AwTjAdBgNVHQ4EFgQU
38efDlnwJhZ9Zckna0QKhC0xfQwwHwYDVR0jBBgwFoAU38efDlnwJhZ9Zckna0QK
hC0xfQwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAtY54XMdQJcri
4ONM6JMgjqp+d8N9fekO4qtInQiGnU4OcG4hiAePgA6kk1E0KCypcU4SnzRGO7WS
Cjqc/x9y0Wp5ivKNq/RMkjFfUiuxqI3dbf1ZjbPlBijA8ch0WOk7KcOi65S1WAY6
WThtXc67hbwRQoWBpvcHQtx2J9zE/UPTE5VgkfeqkxIZBXYgdG6reIaFIldv29lO
S8rVxrIcDsCrmZPohLCfNX1SC1WNDiFJGoszjYUZKnX0d81IzszG+WbIXn+pQVzC
b0w3Tbtk6D60fC11eUPPqLfcAVZCq9x4+9lYb06ehZPASIiLsLXNTbQfi2z/rPBU
QcS3HU1ARg==
-----END CERTIFICATE-----
  46. Getting UPN from Certificate (the inner asn1parse finds the offset of the Subject Alternative Name extension, the outer one parses that extension and prints its UTF8STRING):
UPN="$(/usr/bin/openssl asn1parse -i -dump -in /tmp/temp.pem -strparse \
    $(/usr/bin/openssl asn1parse -i -dump -in /tmp/temp.pem \
        | awk -F ':' '/X509v3 Subject Alternative Name/ {getline; print $1}') \
    | awk -F ':' '/UTF8STRING/{print $4}')"
  47. matt@jamf.com

  48. Mapping file with a trusted issuing CA added:
/bin/cat > "/etc/SmartcardLogin.plist" << 'Attr_Mapping'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>TrustedAuthorities</key>
    <array>
        <string>SHA-256_HASH_GOES_HERE</string>
    </array>
    <key>AttributeMapping</key>
    <dict>
        <key>fields</key>
        <array>
            <string>NT Principal Name</string>
        </array>
        <key>formatString</key>
        <string>Kerberos:$1</string>
        <key>dsAttributeString</key>
        <string>dsAttrTypeStandard:AltSecurityIdentities</string>
    </dict>
</dict>
</plist>
Attr_Mapping
  49. (repeat of slide 48)
  50. (no text)
  51. Checking the directory record:
/usr/bin/dscl . read /Users/matt AltSecurityIdentities
AltSecurityIdentities: Kerberos:matt@jamf.com
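The text-processing steps of slides 42 to 47, as an added example that is not the deck's code: two POSIX shell functions that operate on captured output of `sc_auth identities` and of `openssl asn1parse -i -dump ... -strparse`, fed here with constructed samples so the logic runs without a card reader. The sample sc_auth and asn1parse lines, the function names format_piv_hash and upn_from_san_dump, and the check that the UTF8STRING follows the Microsoft UPN otherName OID (rather than taking the first UTF8STRING, as the slide 46 pipeline does) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the deck: the text-processing half of the
# mapping steps on slides 42-47, written as functions over captured command
# output. On a Mac the inputs would come from `sc_auth identities` and from
# `openssl asn1parse -i -dump -in cert.pem -strparse <offset>` run on the
# Subject Alternative Name extension, as on slides 42 and 46.

# format_piv_hash  (sc_auth identities output on stdin)
# Takes the first identity labelled PIV, lower-cases it and groups it in
# blocks of eight, which is the form system_profiler prints (slide 43) and
# therefore the string slide 44 greps for. Fails if no hex identity is found.
format_piv_hash() {
    hash=$(awk '/PIV/ {print $1; exit}' | tr '[:upper:]' '[:lower:]')
    case "$hash" in
        ""|*[!0-9a-f]*) return 1 ;;       # nothing found, or not a hex hash
    esac
    [ "${#hash}" -eq 40 ] || return 1     # sc_auth prints a SHA-1 (40 hex chars)
    printf '%s\n' "$hash" | sed 's/.\{8\}/& /g; s/ $//'
}

# upn_from_san_dump  (asn1parse dump of the SAN extension on stdin)
# Accepts only the UTF8STRING that follows the Microsoft UPN otherName OID
# (1.3.6.1.4.1.311.20.2.3), so another UTF8STRING in the extension cannot be
# mistaken for the principal name. Fails if no UPN is present.
upn_from_san_dump() {
    upn=$(awk '
        /OBJECT/ && /Microsoft Universal Principal Name|1\.3\.6\.1\.4\.1\.311\.20\.2\.3/ { want = 1; next }
        want && /OBJECT/ { want = 0 }
        want && /UTF8STRING/ { sub(/^.*UTF8STRING *:/, ""); print; exit }
    ')
    [ -n "$upn" ] || return 1
    printf '%s\n' "$upn"
}

# Constructed sample of `sc_auth identities` output (the hash is the one on slide 43).
sample_sc_auth() {
    cat <<'EOF'
SmartCard: com.apple.pivtoken:AF15F4C178E8D684BAC9EB6B6B4C240D5A6BB5E0
Unpaired identities:
AF15F4C178E8D684BAC9EB6B6B4C240D5A6BB5E0  Certificate For PIV Authentication (Example User)
0123456789ABCDEF0123456789ABCDEF01234567  Certificate For Digital Signature (Example User)
EOF
}

# Constructed asn1parse dump of a SAN holding an rfc822Name and a UPN otherName
# (offsets and lengths are illustrative).
sample_san_dump() {
    cat <<'EOF'
    0:d=0  hl=2 l=  46 cons: SEQUENCE
    2:d=1  hl=2 l=  13 prim:  cont [ 1 ]        [HEX DUMP]:6D617474406A616D662E636F6D
   17:d=1  hl=2 l=  29 cons:  cont [ 0 ]
   19:d=2  hl=2 l=  10 prim:   OBJECT            :Microsoft Universal Principal Name
   31:d=2  hl=2 l=  15 cons:   cont [ 0 ]
   33:d=3  hl=2 l=  13 prim:    UTF8STRING        :matt@jamf.com
EOF
}

printf 'PIV auth hash: %s\n' "$(sample_sc_auth | format_piv_hash)"
printf 'UPN:           %s\n' "$(sample_san_dump | upn_from_san_dump)"
```

On a real Mac the two sample functions are replaced by the live commands from slides 42 and 46; the hash output is what slide 44's grep expects, and the UPN is the value appended to the user's AltSecurityIdentities (slide 51).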
  52. (no text)
  53. (no text)
  54. Jamf Pro Enforcement
     • EAs & Smart Groups for Scoping
     • Apply enforceSmartCard key
     • PAM Modules, SSH
     • PIV Exemption
  55. Jamf Pro Extension Attribute
     • Check status of AltSecurityIdentities
     • As well as /etc/SmartcardLogin.plist
  56. Extension Attribute (True when the mapping file exists and at least one local account carries a mapped identity):
#!/bin/bash
# UPN suffix the mapping is expected to carry; adjust for your domain.
upnDomain="@jamf.com"
if [ -f /etc/SmartcardLogin.plist ]; then
    # Count local accounts (UID > 500) whose AltSecurityIdentities mention the domain.
    mapped=$(for user in $(dscl . list /Users UniqueID | awk '$2 > 500 {print $1}'); do
        dscl . read "/Users/$user" AltSecurityIdentities 2>/dev/null | grep "$upnDomain"
    done | wc -l)
    if [ "$mapped" -gt 0 ]; then
        echo "<result>True</result>"
    else
        echo "<result>False</result>"
    fi
else
    echo "<result>False</result>"
fi
  57. Jamf Pro Enforcement - Smart Group
     | AND/OR | CRITERIA          | OPERATOR | VALUE |
     |        | Smartcard-Mapping | Is       | TRUE  |
     | And    | Smartcard_Exempt  | Is Not   | 1     |
  58. Jamf Pro Enforcement - Scoping
     | Configuration Profile                          | Target              | Exclusion         |
     | Smartcard Authentication Configuration Profile | All Managed Clients | Smartcard-enforce |
     | Smartcard Enforce Configuration Profile        | Smartcard-enforce   | None              |
  59. (no text)
  60. (no text)
  61. Jamf Pro: But wait, there’s more!
     • enforceSmartCard limited to login, authorization, and screensaver unlock
     • PAM Modules
     • SSH
  62. Jamf Pro PAM Modules
     • /etc/pam.d/sudo
     • /etc/pam.d/login
     • /etc/pam.d/su
     • https://support.apple.com/en-us/HT208372
  63. Extension Attribute (PAM modules):
#!/bin/bash
pamSudo=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo)
pamLogin=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login)
pamSu=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su)
if [[ "$pamSudo" = "2" ]] && [[ "$pamLogin" = "2" ]] && [[ "$pamSu" = "2" ]]; then
    echo "<result>Compliant</result>"
else
    echo "<result>Not Compliant</result>"
fi
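The logic of the slide 63 extension attribute as an added example (not the deck's script), with one extra check a compliance auditor would want: that the pam_smartcard.so rule comes before the closing auth rule, since a count of two says nothing about order. Constructed pam.d-style sample files stand in for /etc/pam.d; the function names pam_auth_compliant, pam_report and make_samples and the sample file contents are this example's assumptions and are not copied from Apple's support article.

```shell
#!/bin/sh
# Added example, not code from the deck: the check behind the slide 63
# extension attribute as a function, run here against constructed pam.d-style
# files instead of the live /etc/pam.d. Besides the two-line count the slide
# uses, it verifies ordering: "auth sufficient pam_smartcard.so" must precede
# the closing "auth required" rule (pam_deny.so for sudo and login,
# pam_rootok.so for su), because a deny rule listed first is reached before
# the card is ever consulted.

# pam_auth_compliant FILE FINAL_MODULE -> exit 0 when compliant
pam_auth_compliant() {
    file=$1
    final=$2
    [ -r "$file" ] || return 1
    final_re=$(printf '%s' "$final" | sed 's/\./\\./g')
    # Same expectation as slide 63: exactly the two auth lines are present.
    count=$(grep -Ec "^auth[[:space:]]+(sufficient[[:space:]]+pam_smartcard\.so|required[[:space:]]+${final_re})" "$file" || true)
    # Ordering check: the smartcard rule's line number must be smaller than
    # the final rule's line number.
    order=$(awk -v final="$final" '
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_smartcard.so" && !sc  { sc = NR }
        $1 == "auth" && $2 == "required"   && $3 == final              && !fin { fin = NR }
        END { if (sc && fin && sc < fin) print "ok"; else print "bad" }
    ' "$file")
    [ "$count" -eq 2 ] && [ "$order" = "ok" ]
}

# pam_report DIR -> the same <result> strings the extension attribute emits,
# evaluated over DIR/sudo, DIR/login and DIR/su.
pam_report() {
    dir=$1
    if pam_auth_compliant "$dir/sudo" pam_deny.so \
        && pam_auth_compliant "$dir/login" pam_deny.so \
        && pam_auth_compliant "$dir/su" pam_rootok.so; then
        echo "<result>Compliant</result>"
    else
        echo "<result>Not Compliant</result>"
    fi
}

# make_samples DIR: writes DIR/good/{sudo,login,su} (compliant) and
# DIR/bad/{sudo,login,su} (stock sudo, login with the rules reversed, su with
# no smartcard rule). All contents are constructed for this example.
make_samples() {
    mkdir -p "$1/good" "$1/bad"
    cat > "$1/good/sudo" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
    cat > "$1/good/login" <<'EOF'
# login: auth account password session
auth       sufficient     pam_smartcard.so
auth       optional       pam_krb5.so use_kcminit
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_deny.so
account    required       pam_nologin.so
EOF
    cat > "$1/good/su" <<'EOF'
# su: auth account session
auth       sufficient     pam_smartcard.so
auth       required       pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
EOF
    cat > "$1/bad/sudo" <<'EOF'
# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
    cat > "$1/bad/login" <<'EOF'
# login: auth account password session
auth       required       pam_deny.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so try_first_pass
EOF
    cat > "$1/bad/su" <<'EOF'
# su: auth account session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
EOF
}

work=$(mktemp -d)
make_samples "$work"
printf 'good: %s\nbad:  %s\n' "$(pam_report "$work/good")" "$(pam_report "$work/bad")"
rm -rf "$work"
```

The bad/login sample is the case the count-only check on slide 63 reports as compliant: both lines are present, but pam_deny.so is evaluated first, so the card can never satisfy the stack.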
  64. Jamf Pro SSH
     • /etc/ssh/sshd_config
     • /etc/ssh/ssh_config
     • https://support.apple.com/en-us/HT208372
  65. Extension Attribute (SSH):
#!/bin/bash
# Count references to the keychain PKCS#11 provider in the client config.
ssh_check=$(/usr/bin/grep -c ssh-keychain.dylib /etc/ssh/ssh_config)
if [[ "$ssh_check" -gt 0 ]]; then
    echo "<result>Enabled</result>"
else
    echo "<result>Disabled</result>"
fi
  66. Jamf Pro PIV Exemption
     • Lost, damaged, stolen or forgotten
     • Need for quick remediation
     • Possibility user is off network
     • Modification to Extension Attribute
  67. Smartcard Auth - Jamf Pro Services: Single Sign-On
     • Jamf Pro Server
     • Self Service
     • User Initiated Enrollments
  68. (no text)
  69. (no text)
  70. (no text)
  71. FIPS Compliant!
  72. Third-Party Apps: CTK Support???
     • Microsoft Outlook
     • Adobe Acrobat Reader/Pro
     • Firefox
     • Pulse Secure
     • The list goes on and on…
  73. Future: Please Apple?
     • FileVault
     • Derived credentials
     • Touch ID to unlock smartcard, after initial unlock
     • External disk/DMG/archive support
  74. File your radars!
  75. THANK YOU!