
PIV/PKI Integration on macOS Catalina or higher


Article ID: 226855


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When logging in to a PAM server with PKI/PIV enabled, the PAM Client does not load the PKI/PIV certificates to choose from, so no one can use this integration.

Environment

Release : 3.4.x

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

Starting with macOS Catalina, you no longer need a third-party software enabler such as PKard, CSSI, OpenSC or CACKey.

macOS now uses com.apple.CryptoTokenKit.pivtoken, which enables PKI/PIV cards out of the box.

Therefore, if you use one of these enablers, you must uninstall it per:

https://militarycac.com/macuninstall.htm

Resolution

In PAM 3.4.5, we updated our PAM Client (jxplorer), which includes support for integration with Apple's com.apple.CryptoTokenKit.pivtoken PKI/PIV card reader.