Catalina - Configure User Session Lock When a Smart Token is Removed

Information

The screen lock _MUST_ be configured to initiate automatically when the smart token is removed from the system.

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absences. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token.

[IMPORTANT]
====
Information System Security Officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed, so as to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization.
====

Solution

This is implemented by a Configuration Profile.

mobileconfig profile info:

com.apple.security.smartcard:
tokenRemovalAction:
1

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-11, 800-53|AC-11a., CCE|CCE-84848-1, CCI|CCI-000058, STIG-ID|AOSX-15-000005

Plugin: Unix

Control ID: 2d81740df60f2a5912c164a807d5ff7688fbde17589c6b03f2b77b1a1a2954d4