You can disable certificate bootstrapping and CRL downloading and distribute these items to Authentication Services clients by other means, such as Group Policy.
To disable bootstrap and manage certificates and CRLs manually
    [pkinit]
    auto-crl-download = false
    auto-crl-removal = false
    bootstrap-trusted-certs = false
The ability to lock the screen saver when a token is removed is a feature of the macOS screen saver itself, not of Authentication Services.
To enforce this setting using Mac OS X Group Policy
On the Windows administrative machine that has the Authentication Services components installed, navigate to User Configuration | Mac OS X Settings | Preference Manifests | Screen Saver Security.
Set the following settings to ensure that the screen saver becomes locked and stays locked once the smart card is removed:
After you install and configure Authentication Services for Smart Cards to work with your vendor's PKCS#11 library drivers, you will want to validate your installation.
This procedure tests the Authentication Services for Smart Cards installation. It ensures that the library is installed correctly, the card has been initialized, there is a valid user certificate installed, and the card can be used to log into Active Directory.
To test the Authentication Services for Smart Cards installation
vastool smartcard test all
If the card is configured correctly, the command displays output similar to the following:
    Config:
    -------
    Checking that a PKCS#11 library is specified ... ok
    (Specifying PKCS#11 slot is optional)

    Library:
    --------
    Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
    Checking PKCS#11 library may be dynamically loaded ... ok
    Checking PKCS#11 library contains necessary symbols ... ok
    Checking PKCS#11 function list can be obtained ... ok
    Checking PKCS#11 library version is compatible ... ok
    Checking PKCS#11 library can be initialized ... ok
    Checking PKCS#11 library can be finalized ... ok

    Card:
    -----
    Getting mechanisms ... ok
    Checking for required mechanisms ... ok
    Testing that card contains a user ... ok

    User:
    -----
    Testing user firstname.lastname@example.org
    Testing if PIN is required ... ok
    Enter PIN for email@example.com: ****
    Performing login to card ... ok
    Generating signature ... ok
    Verifying signature ... ok

    Login:
    -----
    Testing user firstname.lastname@example.org
    Testing if PIN is required ... ok
    Enter PIN for email@example.com:
    Performing login to card ... ok
    Creating ID for client with UPN 'firstname.lastname@example.org' ... ok
    Establish initial credentials using PKCS#11 ... ok
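As an added example (not part of the product documentation), the following Python checker parses the output of vastool smartcard test all in the format shown above and reports every check that did not end in ok, grouped by section, which is useful when the test is run unattended on many clients. The sample output embedded below is constructed, and the "failed" result on one line is a constructed value, not a wording taken from vastool.

```python
"""Check the output of `vastool smartcard test all` for non-ok results."""
import re
from typing import List, Sequence, Tuple

# Constructed sample output; the 'failed' line is made up to show a failure.
SAMPLE_OUTPUT = """\
Config:
-------
Checking that a PKCS#11 library is specified ... ok
(Specifying PKCS#11 slot is optional)

Library:
--------
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... failed

Card:
-----
Getting mechanisms ... ok
Checking for required mechanisms ... ok
"""

SECTION_RE = re.compile(r"^(\w+):$")                       # e.g. "Library:"
CHECK_RE = re.compile(r"^(?P<name>.+?) \.\.\. (?P<result>\S+)$")  # "<check> ... ok"

Check = Tuple[str, str, str]  # (section, check name, result)


def parse_checks(text: str) -> List[Check]:
    """Return (section, name, result) for every '<check> ... <result>' line.
    Headings, dashed underlines, notes and PIN prompts carry no result and are skipped."""
    section = "unknown"
    checks: List[Check] = []
    for raw in text.splitlines():
        line = raw.strip()
        heading = SECTION_RE.match(line)
        if heading:
            section = heading.group(1)
            continue
        check = CHECK_RE.match(line)
        if check:
            checks.append((section, check.group("name"), check.group("result")))
    return checks


def failed_checks(text: str) -> List[Check]:
    """Every parsed check whose result is anything other than 'ok'."""
    return [c for c in parse_checks(text) if c[2].lower() != "ok"]


def installation_ok(text: str, required: Sequence[str] = ("Config", "Library", "Card", "User", "Login")) -> bool:
    """True only if no check failed and every required section produced at least one check."""
    seen = {section for section, _, _ in parse_checks(text)}
    return not failed_checks(text) and all(s in seen for s in required)
```

Run it against captured output to turn the interactive test into a pass/fail signal a deployment script can act on.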