Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

© JAMF Software, LLC
Allen Golbig, Mac Systems Engineer, Peerless Technologies @ NASA
Matt Woodruff, Sr. Systems Engineer, Jamf

Slide 3

Slide 3 text

Don’t Forget Your Badge!

Presentation agenda:
• Background check
• macOS smartcard configuration
• Using Jamf Pro to manage smartcards
• Where do we go next?

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

NASA centers: ARC, AFRC, JSC, SSC, MSFC, KSC, GRC, HQ, LaRC, GSFC

Slide 6

Slide 6 text


Slide 7

Slide 7 text


Slide 8

Slide 8 text


Slide 9

Slide 9 text

ARC, GSFC

Slide 10

Slide 10 text

GRC

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

PIV Mandatory
• HSPD-12
• OMB M-11-11
• FISMA CIO Metrics Requirements

Slide 13

Slide 13 text

PIV Mandatory

Enforcement                  Definition                                                           Managed By
Machine Based Enforcement    A user is required to use their PIV to authenticate to each device   MDM
User Based Enforcement       A user’s network password is removed from their account              MDM, Directory Services

Slide 14

Slide 14 text

Smartcard Configuration

Slide 15

Slide 15 text

Smartcard Configuration: Pairing (Fixed Key Mapping)
• GUI-based
• Can be scripted
• Requires admin rights

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

Smartcard Configuration: Attribute Mapping
• Scriptable
• Works with AD accounts
• Always takes precedence

Slide 18

Slide 18 text

# Quoted heredoc delimiter: the shell leaves "$1" in formatString untouched.
/bin/cat > "/etc/SmartcardLogin.plist" << 'Attr_Mapping'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AttributeMapping</key>
    <dict>
        <key>fields</key>
        <array>
            <string>NT Principal Name</string>
        </array>
        <key>formatString</key>
        <string>Kerberos:$1</string>
        <key>dsAttributeString</key>
        <string>dsAttrTypeStandard:AltSecurityIdentities</string>
    </dict>
</dict>
</plist>
Attr_Mapping

Slide 19

Slide 19 text


Slide 20

Slide 20 text


Slide 21

Slide 21 text


Slide 22

Slide 22 text

Smartcard Configuration: Why did we go with mapping?
• Flexibility
• Aligned us with other platforms
• Works well with AD bound systems

Slide 23

Slide 23 text

TokenD: DEPRECATED

Slide 24

Slide 24 text

TokenD: Why do we still use it?
• Third-party apps that lack CryptoTokenKit support
• View your certificates in Keychain Access and change PIN
• Race conditions with CTK
• man SmartCardServices-legacy

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

Unbinding: Why do you need Active Directory?
• Use Jamf Pro to apply management settings
• Mitigate AD risks
• Get your Kerberos ticket from Enterprise Connect PKI or Jamf Connect

Slide 27

Slide 27 text

Enterprise Connect PKI
• Apple Professional Services
• Adds smartcard support to Enterprise Connect
• Apple supported
• Does not work with LDAP

Slide 28

Slide 28 text

Jamf Connect
• Multiple identities
• CLI for getting Kerberos ticket
• Works with LDAP
• So much more

Slide 29

Slide 29 text

Configuration Profile

Slide 30

Slide 30 text

com.apple.security.smartcard: UserPairing
• If false, users will not get the pairing dialog
• Default: True

Slide 31

Slide 31 text

com.apple.security.smartcard: allowSmartCard
• If false, the smartcard is disabled for logins, authorizations and screensaver
• Still allowed for other functions
• Default: True

Slide 32

Slide 32 text

com.apple.security.smartcard: checkCertificateTrust
• 0 - certificate trust off
• 1 - certificate trust on, no revocation checks
• 2 - certificate trust on, soft revocation
• 3 - certificate trust on, hard revocation

Slide 33

Slide 33 text

com.apple.security.smartcard: oneCardPerUser
• If true, a user can only pair with one smartcard
• Default: False

Slide 34

Slide 34 text

com.apple.security.smartcard: enforceSmartCard
• If true, a user can only login or authenticate with a smartcard
• Default: False

Slide 35

Slide 35 text

com.apple.security.smartcard: tokenRemovalAction
• If 1, screensaver will be enabled upon removal of smartcard
• Default: 0

Slide 36

Slide 36 text

com.apple.loginwindow: DisableFDEAutoLogin
• If on, disables automatic login if FileVault is enabled, so that both an EFI login and loginwindow password are required
• Default: Off

Slide 37

Slide 37 text

What’s new in Mojave
• Certificate pinning
• Performance enhancements
• NO MORE KEYCHAIN PROMPTS!

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

Jamf Pro Overview
• Mapping Process
• Enforcement
• Additional Requirements

Slide 40

Slide 40 text

Jamf Pro Mapping Process
• Get User Principal Name off card
• Append UPN to user’s directory record
• Add /etc/SmartcardLogin.plist

Slide 41

Slide 41 text

system_profiler SPSmartCardsDataType
• Readers
• Drivers (Reader, TokenD, CTK)
• CERTIFICATES!!!

Slide 42

Slide 42 text

Getting PIV Auth Hash

# sc_auth prints each identity's public-key hash in upper-case hex. Lower-case it
# and split it into 8-character groups (dropping the trailing space the sed adds)
# so it matches the form system_profiler uses for the same hash.
/usr/sbin/sc_auth identities | awk '/PIV/ {print $1}' \
  | tr '[:upper:]' '[:lower:]' | sed 's/.\{8\}/& /g' | sed 's/.$//g'

Slide 43

Slide 43 text

af15f4c1 78e8d684 bac9eb6b 6b4c240d 5a6bb5e0

Slide 44

Slide 44 text

Generating PIV Auth Cert

# $hash is the value from the previous step. Keep the PEM block that follows it
# in the system_profiler output, stop after the third matching line, and re-wrap
# the long base64 line so openssl will read it.
/usr/sbin/system_profiler SPSmartCardsDataType | grep -A5 "$hash" \
  | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {print; count++; if (count==3) exit}' \
  | fold -w67 > /tmp/temp.pem

Slide 45

Slide 45 text

-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIJAJooOLDCGNUAMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNV
BAMMDXd3dy5qbnVjLjIwMTgwHhcNMTgwOTI1MTcwMzMzWhcNMjgwOTIyMTcwMzMz
WjAYMRYwFAYDVQQDDA13d3cuam51Yy4yMDE4MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA7qX6lWABaR2uMxBEz/rl9Deukl047ilxeWJyTETKWO54AloU
2YCEJh9KqWZIVHzR038d6MV8RedQjqRJAdLBDwUnJ+rQzbNAjfCUt1nT46OfrzkZ
5R1AIUNcSn9y4n6+cC4BEwCtO+q++X+SB68CVbxkzh5T7ZgNWti1r+GzUbS7x2nl
Ownx+ATwcKzsi7/jGcM6nJkcgOY2DL7b6V7tLP1X785zlHpx8oTCmp29yj4NQHIv
H4Vlt1+a2cZo8tcSDxCskZnT1LJY7Vvs1wpdXjKHvAx8O938TGnQaW9SeqUzJayK
WKSYLAcah+884DehCQbirhSTDzWNIHvO64s6tQIDAQABo1AwTjAdBgNVHQ4EFgQU
38efDlnwJhZ9Zckna0QKhC0xfQwwHwYDVR0jBBgwFoAU38efDlnwJhZ9Zckna0QK
hC0xfQwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAtY54XMdQJcri
4ONM6JMgjqp+d8N9fekO4qtInQiGnU4OcG4hiAePgA6kk1E0KCypcU4SnzRGO7WS
Cjqc/x9y0Wp5ivKNq/RMkjFfUiuxqI3dbf1ZjbPlBijA8ch0WOk7KcOi65S1WAY6
WThtXc67hbwRQoWBpvcHQtx2J9zE/UPTE5VgkfeqkxIZBXYgdG6reIaFIldv29lO
S8rVxrIcDsCrmZPohLCfNX1SC1WNDiFJGoszjYUZKnX0d81IzszG+WbIXn+pQVzC
b0w3Tbtk6D60fC11eUPPqLfcAVZCq9x4+9lYb06ehZPASIiLsLXNTbQfi2z/rPBU
QcS3HU1ARg==
-----END CERTIFICATE-----

Slide 46

Slide 46 text

Getting UPN from Certificate

# Outer asn1parse: locate the Subject Alternative Name extension and take the
# offset printed on the following line (its OCTET STRING value). Inner asn1parse
# -strparse decodes that OCTET STRING; the UTF8STRING inside the otherName is
# the UPN.
UPN="$(/usr/bin/openssl asn1parse -i -dump -in /tmp/temp.pem -strparse \
    $(/usr/bin/openssl asn1parse -i -dump -in /tmp/temp.pem \
        | awk -F ':' '/X509v3 Subject Alternative Name/ {getline; print $1}') \
    | awk -F ':' '/UTF8STRING/{print $4}')"

Slide 47

Slide 47 text

[email protected]

Slide 48

Slide 48 text

# Same mapping as before, now with TrustedAuthorities: the SHA-256 hashes of the
# issuing CA certificates (placeholder left as on the slide). Quoted delimiter
# keeps "$1" literal.
/bin/cat > "/etc/SmartcardLogin.plist" << 'Attr_Mapping'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>TrustedAuthorities</key>
    <array>
        <string>SHA-256_HASH_GOES_HERE</string>
    </array>
    <key>AttributeMapping</key>
    <dict>
        <key>fields</key>
        <array>
            <string>NT Principal Name</string>
        </array>
        <key>formatString</key>
        <string>Kerberos:$1</string>
        <key>dsAttributeString</key>
        <string>dsAttrTypeStandard:AltSecurityIdentities</string>
    </dict>
</dict>
</plist>
Attr_Mapping

Slide 49

Slide 49 text


Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

/usr/bin/dscl . read /Users/matt AltSecurityIdentities
AltSecurityIdentities: Kerberos:[email protected]
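Slides 40 through 51 give the mapping procedure one command at a time. The script below is an added example, not the presenters' or Jamf's own code, that puts those steps into functions and exercises them against a self-signed test certificate so it runs on any machine with openssl: on a real Mac the PIV Authentication certificate comes off the card with sc_auth and system_profiler as on slides 42-44, and make_test_cert stands in for that step here. The UPN extraction is the slide 46 asn1parse technique, generalised in two ways: it skips to the OCTET STRING even when the extension carries a critical flag, and it only accepts the UTF8STRING that follows the UPN OID, so an rfc822Name or FASC-N otherName in the same SAN cannot be picked up instead. Function names, the APPLY switch, the sample UPN [email protected] and the assumption that a TrustedAuthorities entry is the colon-stripped SHA-256 certificate fingerprint are all the example's own.

```shell
#!/bin/bash
# Added example, not from the JNUC deck: the slide 40-51 mapping steps as
# functions, run against a constructed self-signed certificate. All names and
# the sample UPN are assumptions.
set -euo pipefail

# Self-signed cert whose subjectAltName carries a Microsoft UPN otherName
# (OID 1.3.6.1.4.1.311.20.2.3), as a PIV Authentication certificate does.
make_test_cert() {   # $1=cert.pem  $2=key.pem  $3=UPN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=PIV Test" \
    -keyout "$2" -out "$1" \
    -addext "subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$3" 2>/dev/null
}

# Slide 46 technique: find the SAN extension, take the offset of its OCTET
# STRING, and -strparse that value. The UTF8STRING is accepted only when it
# directly follows the UPN OID.
get_upn_from_cert() {   # $1=cert.pem
  local offset
  offset=$(openssl asn1parse -i -in "$1" \
    | awk -F: '/X509v3 Subject Alternative Name/ {want=1; next}
               want && /OCTET STRING/ && !done {print $1; done=1}' \
    | tr -d ' ')
  [ -n "$offset" ] || { echo "no subjectAltName in $1" >&2; return 1; }
  openssl asn1parse -i -strparse "$offset" -in "$1" \
    | awk -F: '
        /Microsoft (User|Universal) Principal Name|1\.3\.6\.1\.4\.1\.311\.20\.2\.3/ {upn=1; next}
        upn && /UTF8STRING/ && !done {print $4; done=1}
        /OBJECT/ {upn=0}'
}

# Slide 40 step 2 (verified on slide 51): record "Kerberos:<UPN>" in the local
# account's AltSecurityIdentities. Skips the append if the value is already
# there, and only touches the directory when APPLY=1.
map_upn_to_user() {   # $1=local short name  $2=UPN
  local value="Kerberos:$2"
  if [ "${APPLY:-0}" != "1" ]; then
    echo "dry run: dscl . -append /Users/$1 AltSecurityIdentities $value"
    return 0
  fi
  if /usr/bin/dscl . -read "/Users/$1" AltSecurityIdentities 2>/dev/null | grep -qF -- "$value"; then
    return 0
  fi
  /usr/bin/dscl . -append "/Users/$1" AltSecurityIdentities "$value"
}

# Slide 48 TrustedAuthorities entry: SHA-256 fingerprint of the issuing CA
# certificate without colons (assumed format; confirm against Apple's article
# before deploying).
ca_sha256() {   # $1=ca.pem
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2 | tr -d ':'
}

# Demo on the constructed certificate: no card reader, no directory changes.
demo() {
  local dir upn
  dir=$(mktemp -d)
  make_test_cert "$dir/piv.pem" "$dir/piv.key" "[email protected]"
  upn=$(get_upn_from_cert "$dir/piv.pem")
  echo "UPN from certificate: $upn"
  map_upn_to_user matt "$upn"
  echo "TrustedAuthorities entry (self-signed, so the cert is its own CA): $(ca_sha256 "$dir/piv.pem")"
  rm -rf "$dir"
}
demo
```

Run with APPLY=1 as root on the target Mac to perform the dscl append; without it the script only prints the command. The UPN written must match, character for character, what the card presents at login, since the formatString "Kerberos:$1" is compared against AltSecurityIdentities verbatim.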

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

Jamf Pro Enforcement
• EAs & Smart Groups for scoping
• Apply enforceSmartCard key
• PAM modules, SSH
• PIV exemption

Slide 55

Slide 55 text

Jamf Pro Extension Attribute
• Check status of AltSecurityIdentities
• As well as /etc/SmartcardLogin.plist

Slide 56

Slide 56 text

#!/bin/bash
# Smartcard-Mapping extension attribute: "True" when /etc/SmartcardLogin.plist
# exists and at least one local account (UID > 500) carries a Kerberos
# AltSecurityIdentities value for the @jamf.com domain; otherwise "False".
# The <result> tags are what Jamf Pro reads back from an extension attribute.
if [ -f /etc/SmartcardLogin.plist ]; then
    mapped=$(for user in $(dscl . list /Users UniqueID | awk '$2 > 500 {print $1}'); do
                 dscl . read /Users/$user AltSecurityIdentities 2>/dev/null | grep @jamf.com
             done | wc -l)
    if [ "$mapped" -gt 0 ]; then
        echo "<result>True</result>"
    else
        echo "<result>False</result>"
    fi
else
    echo "<result>False</result>"
fi

Slide 57

Slide 57 text

Jamf Pro Enforcement - Smart Group

AND/OR    CRITERIA            OPERATOR    VALUE
          Smartcard-Mapping   Is          TRUE
And       Smartcard_Exempt    Is Not      1

Slide 58

Slide 58 text

Jamf Pro Enforcement - Scoping

              Smartcard Authentication Configuration Profile    Smartcard Enforce Configuration Profile
Target        All Managed Clients                               Smartcard-enforce
Exclusion     Smartcard-enforce                                 None

Slide 59

Slide 59 text

No content

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

Jamf Pro: But wait, there’s more!
• enforceSmartCard limited to login, authorization, and screensaver unlock
• PAM modules
• SSH

Slide 62

Slide 62 text

Jamf Pro PAM Modules
• /etc/pam.d/sudo
• /etc/pam.d/login
• /etc/pam.d/su
• https://support.apple.com/en-us/HT208372

Slide 63

Slide 63 text

Extension Attribute

#!/bin/bash
# Counts the two auth lines the Apple article on slide 62 adds to each PAM
# service: "auth sufficient pam_smartcard.so" plus the required module that
# follows it (pam_deny.so for sudo and login, pam_rootok.so for su). A count
# of 2 in all three files reports Compliant. Note this checks presence, not
# order: an "auth sufficient" line for another module would still pass.
pamSudo=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo)
pamLogin=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login)
pamSu=$(grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su)
if [[ "$pamSudo" = "2" ]] && [[ "$pamLogin" = "2" ]] && [[ "$pamSu" = "2" ]]; then
    echo "<result>Compliant</result>"
else
    echo "<result>Not Compliant</result>"
fi

Slide 64

Slide 64 text

Jamf Pro SSH
• /etc/ssh/sshd_config
• /etc/ssh/ssh_config
• https://support.apple.com/en-us/HT208372

Slide 65

Slide 65 text

Extension Attribute

#!/bin/bash
# "Enabled" when ssh_config references the macOS smartcard PKCS#11 module.
# grep -c counts commented-out lines too, so a "#PKCS11Provider" line that
# was never activated still reports Enabled.
ssh_check=$(/usr/bin/grep -c ssh-keychain.dylib /etc/ssh/ssh_config)
if [[ "$ssh_check" -gt 0 ]]; then
    echo "<result>Enabled</result>"
else
    echo "<result>Disabled</result>"
fi
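The slide 63 and slide 65 extension attributes decide compliance by counting lines, and a count is satisfied by more stacks than the intended one. The script below is an added example, not code from the presenters or from Jamf, that applies a stricter rule to the same three PAM services and the SSH files, run here against constructed sample configs so it executes anywhere: pam_smartcard.so must be the first auth entry, the required follow-up module (pam_deny.so, or pam_rootok.so for su) must be present, and no other module may be "auth sufficient", because "auth sufficient pam_opendirectory.so" anywhere in the auth stack lets a password alone succeed. For SSH it only counts an uncommented PKCS11Provider line, and the sshd settings it looks for (PasswordAuthentication and ChallengeResponseAuthentication off) are the ones assumed from the Apple article on slide 64. Sample file contents, names and paths are the example's own.

```shell
#!/bin/bash
# Added example, not from the JNUC deck: stricter PAM/SSH checks than the
# slide 63 and 65 extension attributes, exercised on constructed sample files.
set -u

# 0 when $1 enforces smartcard auth: the first auth line is "sufficient
# pam_smartcard.so", $2 appears as "auth required", and no other module is
# "auth sufficient".
pam_smartcard_enforced() {   # $1=pam.d file  $2=required module after it
  awk -v req="$2" '
    /^[[:space:]]*#/ || $1 != "auth" { next }
    { n++ }
    n == 1 && !($2 == "sufficient" && $3 == "pam_smartcard.so") { bad = 1 }
    n > 1  && $2 == "sufficient" { bad = 1 }   # another sufficient = password bypass
    $2 == "required" && $3 == req { have_req = 1 }
    END { exit (n >= 2 && !bad && have_req) ? 0 : 1 }' "$1"
}

# The slide 63 line-count regex with \s spelled as [[:space:]], kept to show
# where it and the stricter check disagree.
line_count_ea() {   # $1=pam.d file  $2=required module
  grep -Ec "^(auth[[:space:]]+sufficient[[:space:]]+pam_smartcard\.so|auth[[:space:]]+required[[:space:]]+$2)" "$1"
}

# 0 when the OpenSSH client config loads the macOS smartcard PKCS#11 module on
# an uncommented line.
ssh_pkcs11_enabled() {   # $1=ssh_config
  grep -Eq '^[[:space:]]*PKCS11Provider[[:space:]=]+/usr/lib/ssh-keychain\.dylib' "$1"
}

# 0 when sshd refuses password and keyboard-interactive auth (assumed settings).
sshd_passwords_off() {   # $1=sshd_config
  grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" &&
  grep -Eiq '^[[:space:]]*(ChallengeResponseAuthentication|KbdInteractiveAuthentication)[[:space:]]+no' "$1"
}

# Constructed samples (not copied from a real Mac): a default-style sudo stack,
# an enforcing stack, and a mis-ordered stack that satisfies the line count
# while a password alone still works.
write_samples() {   # $1=directory
  printf '%s\n' 'auth sufficient pam_opendirectory.so' 'auth required pam_deny.so' > "$1/sudo.default"
  printf '%s\n' 'auth sufficient pam_smartcard.so' 'auth required pam_opendirectory.so' 'auth required pam_deny.so' > "$1/sudo.enforced"
  printf '%s\n' 'auth sufficient pam_opendirectory.so' 'auth sufficient pam_smartcard.so' 'auth required pam_deny.so' > "$1/sudo.bypass"
  printf '%s\n' 'auth sufficient pam_smartcard.so' 'auth required pam_rootok.so' > "$1/su.enforced"
  printf '%s\n' 'Host *' '    PKCS11Provider=/usr/lib/ssh-keychain.dylib' > "$1/ssh_config"
  printf '%s\n' 'Host *' '    #PKCS11Provider=/usr/lib/ssh-keychain.dylib' > "$1/ssh_config.commented"
  printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' > "$1/sshd_config"
}

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }

dir=$(mktemp -d)
write_samples "$dir"
for f in sudo.default sudo.enforced sudo.bypass; do
  echo "$f: slide-63 line count = $(line_count_ea "$dir/$f" pam_deny.so)"
  report pam_smartcard_enforced "$dir/$f" pam_deny.so
done
report pam_smartcard_enforced "$dir/su.enforced" pam_rootok.so
report ssh_pkcs11_enabled "$dir/ssh_config"
report ssh_pkcs11_enabled "$dir/ssh_config.commented"
report sshd_passwords_off "$dir/sshd_config"
```

The sudo.bypass sample is the case worth remembering: the line count comes back 2, the same as the enforcing stack, yet the first sufficient module accepts a password before pam_smartcard.so is ever consulted. Point the functions at /etc/pam.d/sudo, /etc/pam.d/login, /etc/pam.d/su and /etc/ssh/ssh_config to use them as a replacement extension attribute.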

Slide 66

Slide 66 text

Jamf Pro PIV Exemption
• Lost, damaged, stolen or forgotten
• Need for quick remediation
• Possibility user is off network
• Modification to extension attribute

Slide 67

Slide 67 text

Smartcard Auth - Jamf Pro Services: Single Sign-On
• Jamf Pro Server
• Self Service
• User Initiated Enrollments

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

No content

Slide 70

Slide 70 text

No content

Slide 71

Slide 71 text

FIPS Compliant!

Slide 72

Slide 72 text

Third-Party Apps: CTK Support???
• Microsoft Outlook
• Adobe Acrobat Reader/Pro
• Firefox
• Pulse Secure
• The list goes on and on…

Slide 73

Slide 73 text

Future: Please Apple?
• FileVault
• Derived credentials
• TouchID to unlock smartcard, after initial unlock
• External disk/DMG/archive support

Slide 74

Slide 74 text

File your radars!

Slide 75

Slide 75 text

THANK YOU!