Gemalto Smart Card Reader Driver For Mac

Client devices that use a smart card for user authentication must meet certain requirements.

Client Hardware and Software Requirements

Each client machine that uses a smart card for user authentication must have the following hardware and software.

  • Horizon Client
  • A compatible smart card reader
  • Product-specific application drivers

Users must have a smart card, and each smart card must contain a user certificate. The following smart cards are supported.

  • U.S. Department of Defense Common Access Card (CAC)
  • U.S. Federal Government Personal Identity Verification (PIV) card (also called FIPS-201 smart cards)
  • Gemalto .NET card
  • Gemalto IDPrime MD card

For CAC and PIV cards, Horizon Client uses the CryptoTokenKit smart card driver by default and you do not need to install any middleware.

For Gemalto .NET cards, install the correct SafeNet Authentication Client version for your macOS version. Gemalto SafeNet Authentication Client supports both CryptoTokenKit and TokenD smart card drivers for Gemalto .NET smart cards.

You can also use the following third-party smart card drivers with CAC and PIV cards.

  • PKard for Mac v1.7 and v1.7.1
  • Charismathics (CCSI_5.0.3_PIV)
  • Centrify Express

To use a third-party smart card driver, you must disable the CryptoTokenKit smart card driver. For more information, see Disabling the CryptoTokenKit Smart Card Driver.

Agent Software Requirements

A Horizon administrator must install product-specific application drivers on the agent machine.

With PIV cards, the operating system installs the related driver when you insert a smart card reader and PIV card for a Windows 7 virtual desktop. The following agent drivers are supported for PIV cards for Windows 7 virtual desktops.

  • Charismathics (CSTC PIV 5.2.2)
  • Microsoft minidriver
  • ActivClient 6.x

The following agent drivers are supported for PIV cards for Windows 10 virtual desktops.

  • Charismathics (CSTC PIV 5.2.2)
  • ActivClient 7.x

For Gemalto .NET cards, the Gemalto Minidriver for .NET Smart Card driver is supported.

Enabling the Username Hint Field in Horizon Client

In some environments, smart card users can use a single smart card certificate to authenticate to multiple user accounts. Users enter their user name in the Username hint text box when they use a smart card to authenticate.

To make the Username hint text box appear on the Horizon Client login dialog box, you must enable the smart card user name hints feature for the Connection Server instance in Horizon Console. The smart card user name hints feature is supported only with Horizon 7 version 7.0.2 and later servers and agents. For information about enabling the smart card user name hints feature, see the VMware Horizon Console Administration document.

If your environment uses a Unified Access Gateway appliance rather than a security server for secure external access, you must configure the Unified Access Gateway appliance to support the smart card user name hints feature. The smart card user name hints feature is supported only with Unified Access Gateway 2.7.2 and later. For information about enabling the smart card user name hints feature in Unified Access Gateway, see the Deploying and Configuring Unified Access Gateway document.

Note: Horizon Client supports single-account smart card certificates, even when the smart card user name hints feature is enabled.

Additional Smart Card Authentication Requirements

In addition to meeting the smart card requirements for Horizon Client systems, other Horizon components must meet certain configuration requirements to support smart cards.

Connection Server and security server hosts
A Horizon administrator must add all applicable Certificate Authority (CA) certificates for all trusted user certificates to a server truststore file on the Connection Server host or security server host. These certificates include root certificates and must include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

When you generate a certificate for a blank PIV card, enter the path to the server truststore file on the Connection Server or security server host on the Crypto Provider tab in the PIV Data Generator tool.

For information about configuring Connection Server to support smart card use, see the VMware Horizon Console Administration document.

Active Directory
For information about tasks that an administrator might need to perform in Active Directory to implement smart card authentication, see the VMware Horizon Console Administration document.

This article is intended for system administrators who set security policy in enterprise environments that require smart card authentication.

Enable smart card-only login

Make sure that you carefully follow these steps to ensure that users will be able to log in to the computer.

  1. Pair a smart card to an admin user account or configure Attribute Matching.
  2. If you’ve enabled strict certificate checks, install any root certificates or intermediates that are required.
  3. Confirm that you can log in to an administrator account using a smart card.
  4. Install a smart-card configuration profile that includes '<key>enforceSmartCard</key><true/>', as shown in the smart card-only configuration profile below.
  5. Confirm that you can still log in using a smart card.

For more information about smart card payload settings, see the Apple Configuration Profile Reference.

For more information about using smart card services, see the macOS Deployment Guide or open Terminal and enter man SmartCardServices.

Disable smart card-only authentication

If you manually manage the profiles that are installed on the computer, you can remove the smart card-only profile in two ways. You can use the Profiles pane of System Preferences, or you can use the /usr/bin/profiles command-line tool. For more information, open Terminal and enter man profiles.

If your client computers are enrolled in Mobile Device Management (MDM), you can restore password-based authentication. To do this, remove the smart card configuration profile that enables the smart card-only restriction from the client computers.

To prevent users from being locked out of their account, remove the enforceSmartCard profile before you unpair a smart card or disable attribute matching. If a user is locked out of their account, remove the configuration profile to fix the issue.

If you apply the smart card-only policy before you enable smart card-only authentication, a user can get locked out of their computer. To fix this issue, remove the smart card-only policy:

  1. Turn on your Mac, then immediately press and hold Command-R to start up from macOS Recovery. Release the keys when you see the Apple logo, a spinning globe, or a prompt for a firmware password.
  2. Select Disk Utility from the Utilities window, then click Continue.
  3. From the Disk Utility sidebar, select the volume that you're using, then choose File > Mount from the menu bar. (If the volume is already mounted, this option is dimmed.) Then enter your administrator password when prompted.
  4. Quit Disk Utility.
  5. Choose Terminal from the Utilities menu in the menu bar.
  6. Delete the Configuration Profile Repository. To do this, open Terminal and enter the following commands.
    In these commands, replace <volumename> with the name of the macOS volume where the profile settings were installed.
    rm /Volumes/<volumename>/var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist
    rm /Volumes/<volumename>/var/db/ConfigurationProfiles/.profilesAreInstalled
    rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
    rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
    rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Setup/.profileSetupDone
  7. When done, choose Apple menu > Restart.
  8. Reinstall all the configuration profiles that existed before you enabled smart card-only authentication.

Configure Secure Shell Daemon (SSHD) to support smart card-only authentication

Users can use their smart card to authenticate over SSH to the local computer or to remote computers that are correctly configured. Follow these steps to configure SSHD on a computer so that it supports smart card authentication.

Update the /etc/ssh/sshd_config file:

  1. Use the following command to back up the sshd_config file:
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup_`date '+%Y-%m-%d_%H:%M'`
  2. In the sshd_config file, change '#ChallengeResponseAuthentication yes' to 'ChallengeResponseAuthentication no' and change '#PasswordAuthentication yes' to 'PasswordAuthentication no'. Both lines must be uncommented (no leading '#') to take effect.

Then, use the following commands to restart SSHD:

sudo launchctl stop com.openssh.sshd

sudo launchctl start com.openssh.sshd
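
A check for the sshd_config edit above, as an added example that is not part of the original page: it reads the file the way sshd does for the global section, so a directive left behind a '#' is reported as still at its default. The function names and the sample file are constructed for illustration; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example (not Apple's or VMware's code). Prints the value sshd would use
# for a keyword in the global section of an sshd_config-style file.
# A line starting with '#' is a comment and has no effect; for each keyword the
# first uncommented value wins. Include files are not followed.
sshd_effective() {  # usage: sshd_effective <file> <keyword> <built-in default>
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        /^[ \t]*#/ { next }                  # commented-out directive: inert
        /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            rest = substr(line, n); sub(/^[ \t]*=?[ \t]*/, "", rest)
            if (key == "match") exit         # global section ends at first Match
            if (key == want) { val = tolower(rest); exit }
        }
        END { print val }' "$1"
}

# Succeeds only when both password-based methods from the step above are off.
smartcard_only_sshd() {  # usage: smartcard_only_sshd <file>
    rc=0
    for kw in ChallengeResponseAuthentication PasswordAuthentication; do
        v=$(sshd_effective "$1" "$kw" yes)   # both keywords default to "yes"
        if [ "$v" != "no" ]; then
            echo "FAIL: $kw is effectively '$v'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the second directive is still commented out.
sample=$(mktemp)
printf '%s\n' 'ChallengeResponseAuthentication no' '#PasswordAuthentication no' > "$sample"
if smartcard_only_sshd "$sample"; then echo "password logins disabled"
else echo "password logins still possible"; fi
rm -f "$sample"
```

On a live system, sudo sshd -T prints the configuration the daemon actually resolves, which also covers Include files.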

If a user wants to authenticate SSH sessions using a smart card, have them follow these steps:

  1. Use the following command to export the public key from their smart card:
    ssh-keygen -D /usr/lib/ssh-keychain.dylib
  2. Add the public key from the previous step to the ~/.ssh/authorized_keys file on the target computer.
  3. Use the following command to back up the ssh_config file:
    sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config_backup_`date '+%Y-%m-%d_%H:%M'`
  4. In the /etc/ssh/ssh_config file, add the line 'PKCS11Provider=/usr/lib/ssh-keychain.dylib'.

If the user wants to, they can also use the following command to add the private key to their ssh-agent:

ssh-add -s /usr/lib/ssh-keychain.dylib

Enable smart card-only for the SUDO command

Use the following command to back up the /etc/pam.d/sudo file:

sudo cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date '+%Y-%m-%d_%H:%M'`

Then, replace all of the contents of the /etc/pam.d/sudo file with the following text:

Enable smart card-only for the LOGIN command

Use the following command to back up the /etc/pam.d/login file:

sudo cp /etc/pam.d/login /etc/pam.d/login_backup_`date '+%Y-%m-%d_%H:%M'`

Then, replace all of the contents of the /etc/pam.d/login file with the following text:

Enable smart card-only for the SU command

Use the following command to back up the /etc/pam.d/su file:

sudo cp /etc/pam.d/su /etc/pam.d/su_backup_`date '+%Y-%m-%d_%H:%M'`

Then, replace all of the contents of the /etc/pam.d/su file with the following text:

Sample smart card-only configuration profile

Here’s a sample smart card-only configuration profile. You can use it to see the kinds of keys and strings that this type of profile includes.