PIV/PKI Integration on MacOS Catalina or higher

Article ID: 226855

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When logging in to a PAM Server with PKI/PIV enabled, the PAM Client does not load the PKI/PIV certificates to choose from, so no one can use this integration.

Cause

Starting with macOS Catalina, you no longer have to use a third-party software enabler such as PKcard, CSSI, OpenSC or CACKey.

macOS now uses com.apple.CryptoTokenKit.pivtoken, which enables PKI/PIV cards out of the box.

Therefore, if you use one of these enablers, you must uninstall it as described at:

https://militarycac.com/macuninstall.htm

Environment

Release : 3.4.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

In PAM 3.4.5, we updated our PAM Client (jxplorer) to include support for integration with Apple's com.apple.CryptoTokenKit.pivtoken PKI/PIV card reader.
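
To confirm on a client that the built-in driver named in the Cause section is active after the third-party enabler has been removed, the following added example (not part of the original article or of PAM) classifies its state. It assumes the standard macOS `pluginkit` and `defaults` tools and the `DisabledTokens` smart card preference, none of which the article mentions; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: report whether the built-in macOS PIV token driver is usable.
PIV_ID="com.apple.CryptoTokenKit.pivtoken"

# stdin: output of `pluginkit -m -p com.apple.ctk-tokens`.
# pluginkit prefixes an entry with "-" when it has been set to be ignored.
pivtoken_state() {
    line=$(grep -F "$PIV_ID" | head -n 1 | sed 's/^[[:space:]]*//')
    case "$line" in
        "")  echo "missing" ;;
        -*)  echo "ignored" ;;
        *)   echo "registered" ;;
    esac
}

# stdin: output of
#   defaults read /Library/Preferences/com.apple.security.smartcard DisabledTokens
# Returns 0 when the built-in driver is on the disabled list, which some
# third-party enabler setups require and uninstalling may not undo.
pivtoken_disabled() {
    grep -qF "$PIV_ID"
}

# $1 = pluginkit listing, $2 = DisabledTokens value (may be empty)
piv_verdict() {
    state=$(printf '%s\n' "$1" | pivtoken_state)
    if printf '%s\n' "$2" | pivtoken_disabled; then
        echo "blocked: $PIV_ID is listed in DisabledTokens"
    elif [ "$state" != "registered" ]; then
        echo "blocked: driver is $state"
    else
        echo "ok: built-in PIV driver is active"
    fi
}

if [ "$(uname -s)" = "Darwin" ]; then
    plugins=$(pluginkit -m -p com.apple.ctk-tokens 2>/dev/null || true)
    disabled=$(defaults read /Library/Preferences/com.apple.security.smartcard \
        DisabledTokens 2>/dev/null || true)
    piv_verdict "$plugins" "$disabled"
else
    # Constructed sample listing, used when the script is not run on macOS.
    piv_verdict "     $PIV_ID(1.0)" ""
fi
```

A "blocked" result means the PAM Client will still see no certificates even after the enabler itself has been uninstalled.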