Search MilitaryCAC:

Site Map

MilitaryCAC.com logo

.com | .us | .ml  | .mobi | .net | .org


The Definitive Source for Everything CAC

Common Access Card help for your

Personal Mac Computer

Also available at:

https://MilitaryCAC.com

Please ShareThis website with your friends and colleagues

Make a Donation button image

 

 

APPLE DEPRECATES SMART CARD SERVICES IN OS X LION (10.7.x)

 
 

Update, Apple is trying built in Smart Card Services again in Mac OS Sierra

 

 

Date: July 20, 2011 12:18:40 PM CDT

To: Fed Talk

Subject: [Fed-Talk] [Announcement] OS X Lion - Smart Card Services

The following was an announcement Shawn Geddes sent out on 20 July 2011 to customers using Smart Cards on Mac OS X.  I share it here for completeness and clarity to MacOSForge's continuing open source development and user community.

 

MacOSForge's SmartCardServices project is continuing, but Apple has had to make changes with respect to what is ships in OS X

 
Smart Card Services and the ability to develop support for a multitude of Smart Card devices and profiles based on CDSA/Tokend has been available in OS X since version 10.4.  Approximately two years ago, Apple officially moved the already open sourced components to an organized open source project at MacOSForge.org which has been lead by Shawn Geddes, Enterprise Security Consulting Engineer with involvement from key leads within the open source community.  This project has driven the ongoing development and support for additional readers and smart card profiles which were then incorporated into OS X 10.5 through 10.6.  *See "Previous Updates.." below.

As Apple continues to drive innovation in the mobility space, it is necessary to continually reevaluate how OS services can be enhanced to better serve Apple's customer base.  Apple has had to make some tough decisions relating to the current Smart Card Services architecture.  

 OS X Lion Support ?

With the release of OS X Lion, Smart Card Services are deprecated and will not ship as a customer functioning service.  That does not mean that customers will be unable to continue to use their Smart Cards with OS X Lion.  It does mean that all of the necessary components will not come pre-shipped in OS X Lion along with related support. Customers needing to continue to use their Smart Cards with OS X Lion will need to pursue one of the options mentioned here later according to their needs and requirements.

 Why the change ?

The foundational components for Smart Card Services in OS X have been based on an architecture (CDSA) that has been deprecated in the released version of OS X Lion.  This indicates CDSA's use and support has stopped and will be removed completely in a future release of OS X.  Any solution for OS X still leveraging the deprecated CDSA can continue to function for now, but the CDSA infrastructure would no longer receive enhancements or bug fixes.  CDSA will no longer ship in future releases of OS X. 

 Apple clarified the migration from CDSA for developers during the WWDC 2011 Conference in San Francisco (June 6-10) during the "Next Generation Cryptographic Services" Session 212.  [Those with developer access can view the Conference Videos via ADC on iTunes.]

 What was changed ?

The Smart Card Services deprecation was limited to the following components no longer shipping in OS X. 

  • No Tokend modules ship with OS X Lion (10.7)
    • Directory:                  /System/Library/Security/tokend/
  • Authorization Mechanism reference missing
    • /etc/authorization       is the authorization database 
    • Right:                         system.login.console
    • mechanism:                builtin:smartcard-sniffer,privileged

 Options Going Forward

Apple's need to deprecate what was there and focus on innovative approaches to solving the digital identity challenges on both OS X and iOS moving forward does not preclude customers from using Smart Cards on OS X 10.6 and even on 10.7.  Any developer / user is expected to be able to continue to use their Smart Cards on OS X 10.6 & 10.7 as long as they have a supported Tokend for the Smart Card profile installed.  This would require a non-Apple provided Installer.

 Commercial Options (PKard by Thursby Software), (Charismathics Smart Security Interface (CSSI-PIV)), and (Centrify Express)

If the Tokend was independently developed, installation on 10.7 is expected to continue working given any additional configuration that may need to be done such as authorization database update, but again with no guarantee or support from Apple.  There have been a handful of commercially available products with more complete implementations and purchasable support contracts which many Federal/Commercial customers prefer.  Each of the commercial products available has a particular target market and list of supported Smart Cards and Tokens.

 

Open Source Options (SmartCard Services Update v2.0b1), (Copying 2 files), or (CACkey)

The MacOSForge.Org - SmartCardServices Project has provided the actual supported versions for 10.5 & 10.6 and now provides that capability for Lion (10.7.x) and Mountain Lion (10.8.x).  The Project participants plan to post additional installers for customers to have the continued capabilities as were there in OS X 10.6.x for as long as is technically feasible - with no guarantee of compatibility with future releases of OS X.  If the Tokend was previously shipped as part of OS X, then updates would need to be obtained here from the SmartCardServices Project (BELPIC, CAC, CACNG, PIV).

 What option is for me ?

Apple encourages all customers to pursue the option above that best suites their technical and support needs.  Both options have their own pros and cons, so you will need to weigh them against your organizational and personal needs.

ALL Smart Card related questions, comments, bug submissions should be targeted at one of the above options.  

Smart Card Services on OS X based on CDSA is no longer supported by Apple starting with OS X Lion 10.7.

 -Shawn
__________________________________________________
 
MacOSForge Project Lead: Smart Card Services 

Previous Updates provided from the SmartCardServices Project on MacOSForge.Org:

http://smartcardservices.macosforge.org/

 

Work continues under the MacOSForge Open Source Project

Any discussion, requests, bug reports, etc. should all be directed to the appropriate Mailing Lists on MacOSForge.Org if that is your chosen option mentioned earlier.  The disclaimer here is that, from this point forward, all work provided by the Project in whatever form will not ship in a future release of OS X, but will be provided as an available open source resource.

             Web:    http://smartcardservices.macosforge.org/
            Lists:   http://lists.macosforge.org/mailman/listinfo

 

 If you have questions or suggestions for this site, contact Michael J. Danberry
Are you interested in subscribing to the CACNews email list?

Disclaimer

 

ACRONYM Reference Page

 

GoDaddy Site Certified seal

 

Last Update or Review:  Saturday, 11 March 2017 12:02 hrs

 

The following domain names all resolve to the same website:  ChiefsCACSite.com, CommonAccessCard.us, CommonAccessCard.info, & ChiefGeek.us