Paul,
This has been a point of contention on this list, so I can understand your confusion and the unfortunate statements made by your fellow DOIM folks. This message is probably longer than you would like or need, but I feel it is important to clarify the critical points to help you and hopefully this will help others on this list that may have a similar situation.
- Mac OS X is the only OS that offers Out-of-Box support for CAC/PIV across multiple OS Services
  - This is extensive, but currently lacks PKINIT (Single Sign-On to a Directory Service)
    - This is the missing piece that your DOIM folks were referencing
- Thursby's "ADmitMac for CAC" was chosen by the Army for the Army Golden Master (AGM)
  - On the Army Network, you would need to use the AGM
  - This product provides PKINIT (SSO to AD with CAC) among other things
  - This replaces several of the components provided by Apple (CCID Driver / CAC Tokend)
- All Non-AD Bound Macs (i.e. home systems) have everything built-in for full use of the Smart Card
  - There are TWO built-in methods for Authenticating from Smart Cards to any DS accessible to Mac OS X:
    - PubKeyHash
    - Attribute Matching
  - Services supported with a CAC:
    - FileVault, Screen Unlock, System Prefs
    - Mail, Safari
    - VPN (IPSec, L2TP, PPTP), 802.1X
    - Code Signing
    - Keychain Access
    - Access by PKCS#11-based Apps (i.e. Firefox, Thunderbird, etc...)
      - Snow Leopard (10.6.x) now also provides access to supported Smart Cards without the need for any additional software.
      - This PKCS#11 Shim won't support writing data to the card.
      - Located at: /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so
- MS does not currently provide Out-of-Box support for CAC/PIV for Login either
  - Windows-based PCs ALL require 3rd-party middleware to provide SSO to AD with CAC/PIV
  - MS provides PKINIT, but lacks the native support for the CAC/PIV
It is correct to say that both operating systems currently require additional third-party pieces for full SSO to AD with CAC.
To clarify an incorrect statement made on this thread...
This is not true: "Only CAC middleware is built-in, and only smartcard logon to local accounts"
This is true: Mac OS X provides native support for much more than just CAC and is not limited to local accounts!
For those who care about the technical background on this: Mac OS X provides integrated Smart Card Services (CCID Reader / Applet integration) and supports Smart Card specifications through the appropriate "module" (Tokend). Any supported Smart Card (including of course commercially available cards) can be used for authentication (using one of the two methods noted above) to any Directory Service supported by Mac OS X. Note that cryptographic "Authentication" is supported, but that is not the same as "Single Sign-on" which leverages the X.509-based Authentication process to transparently acquire a Kerberos TGT.
Apple provides native support with a Tokend for each of the following card types, installed at /System/Library/Security/tokend/:
  BELPIC.tokend
  CAC.tokend
  JPKI.tokend
  PIV.tokend
DoD uses CAC for now (will be a dual-applet CAC-II/PIVTrans in the future). The rest of the Federal Government uses (or is migrating towards using) the PIV specification.
-Shawn
On Sep 23, 2009, at 11:21 AM, Villano, Paul Mr CIV USA TRADOC wrote:

I was given a verbal denial by one of our IMO folks for the MacBook Pro I requested because "DOIM doesn't support it." I asked for that in writing so I could pursue an exception to policy and was told that there was no point in pursuing an exception to policy because DOIM just said no. I asked why they said no and she said "because MacBook Pros don't support CAC login."
That seemed wrong on several levels. First, because I specifically asked that question of the Apple representative at LandWarNet (if anyone has her contact info I'd appreciate it...short female) in the presence of this IMO rep and it was my understanding that not only was CAC supported but that the software is native to the Mac OSX operating system.
Second because I think I've seen a lot of traffic on this list about how to log on with CAC.
Third because MBPs are used throughout DoD including the Pentagon and I don't think they'd use them if they couldn't use a CAC card with them.
Fourth because I explained in my justification that I don't need it on the network anyway, just as a replacement for a laptop that's not on the network.
What am I not understanding? If someone can give me some info to pursue an exception to policy for this I'd appreciate it. I'm going to continue to pursue getting something in writing from DOIM though between us I don't believe it ever made it that far and think my justification was used for someone else to get a MBP for "testing" purposes. But I'm just sayin...
If you have anything I can use for an exception to policy for this or any other concerns or especially if you are in a position of authority to get this through (through channels of course) and can advise me how to proceed I'd appreciate hearing from you.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
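An added check, not part of Shawn's message or of Apple's or Thursby's tooling, that inventories the built-in pieces the message names: the Tokend modules under /System/Library/Security/tokend/, the read-only PKCS#11 shim, and which users have a PubKeyHash binding recorded. The functions take their paths and input as arguments so they can be run against a test tree; the ";pubkeyhash;<hex>" token format in AuthenticationAuthority is an assumption about how the PubKeyHash method is stored.

```shell
#!/bin/sh
# Added example: inventory the smart card stack described in the message.
# Default paths are the ones the message names.
TOKEND_DIR=/System/Library/Security/tokend
PKCS11_SHIM=/usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

# Print the card types supported by the tokends in a directory, one per line
# (a stock 10.6 system carries BELPIC, CAC, JPKI and PIV). $1 is the directory,
# so the check can also be pointed at a mounted image or a test tree.
list_tokends() {
    dir=$1
    [ -d "$dir" ] || return 1
    for t in "$dir"/*.tokend; do
        [ -e "$t" ] || continue
        b=${t##*/}
        printf '%s\n' "${b%.tokend}"
    done
}

# Return 0 if the read-only PKCS#11 shim used by Firefox/Thunderbird exists at $1.
has_pkcs11_shim() {
    [ -f "$1" ]
}

# Extract pubkeyhash values from an AuthenticationAuthority attribute line as
# printed by "dscl . -read /Users/<name> AuthenticationAuthority". Assumed
# format: space-separated tokens, a PubKeyHash binding being ";pubkeyhash;<hex>".
pubkey_hashes() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^;pubkeyhash;\([0-9A-Fa-f]*\).*/\1/p'
}

# Human-readable summary for a tokend directory ($1) and shim path ($2).
report() {
    echo "Tokends in $1:"
    list_tokends "$1" | sed 's/^/  /'
    if has_pkcs11_shim "$2"; then
        echo "PKCS#11 shim present (read-only card access): $2"
    else
        echo "PKCS#11 shim missing: $2 (expected on 10.6.x; ADmitMac replaces it)"
    fi
}

# Only run the live report on a system that actually has the tokend directory.
if [ -d "$TOKEND_DIR" ]; then
    report "$TOKEND_DIR" "$PKCS11_SHIM"
fi
```

To check a specific account, pipe the dscl output into pubkey_hashes; an empty result means that user has no PubKeyHash binding and would fall back to Attribute Matching or password login.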