Certificate-based Authentication

App Configuration

Certificate-Based Authentication is disabled by default on macOS. To enable this feature, modify the HYPR Workforce Client application configuration as follows:

  1. Open the HyprOneService.plist file
  2. Set CertificateAuthEnabled to true
  3. Save changes
  4. Restart the computer to apply changes

ADCS Configuration

If you're using ADCS to manage computers in the domain, you'll also need to create the Authentication Certificate Template. For more information, see Custom Certificate Templates.

FileVault Configuration

HYPR Mobile App login uses an emulated smart card. By default, when a user enters their password to decrypt the FileVault disk at boot, that password is passed through to log the user in, so the smart card is not used for login even if you have configured it to be required.

To disable this automatic login so that the user is shown the login screen instead, run the command below in Terminal:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

With this setting enabled, users must authenticate with HYPR after unlocking FileVault with their password.
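
To confirm that both settings on this page are in effect on a Mac, the following audit script can be used. It is an added example, not part of HYPR's tooling. This page does not give the location of HyprOneService.plist, so the script takes that path as its first argument or from a `HYPR_PLIST` variable, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the two settings described on this page.
# Assumption: the path to HyprOneService.plist is supplied by the caller
# (first argument or HYPR_PLIST); this page does not state where it lives.

LOGINWINDOW_DOMAIN="/Library/Preferences/com.apple.loginwindow"

# `defaults read` prints booleans as 1/0; a value stored as a string may
# appear as true/YES. Anything else (including empty) is not enabled.
is_enabled() {
  case "$1" in
    1|true|TRUE|True|yes|YES|Yes) return 0 ;;
    *) return 1 ;;
  esac
}

# check_key LABEL DOMAIN KEY: prints a PASS/FAIL line, returns 0 on PASS only.
# A missing key makes `defaults read` fail, which counts as not enabled.
check_key() {
  value=$(defaults read "$2" "$3" 2>/dev/null) || value=""
  if is_enabled "$value"; then
    echo "PASS $1: $3 is enabled"
  else
    echo "FAIL $1: $3 is '${value:-unset}', expected true"
    return 1
  fi
}

# audit HYPR_PLIST_PATH: returns the number of failed checks (0 = compliant).
audit() {
  failures=0
  if [ -z "$1" ]; then
    echo "FAIL HYPR client: path to HyprOneService.plist not supplied"
    failures=$((failures + 1))
  else
    # Pass the plist path to `defaults` without its .plist suffix.
    check_key "HYPR client" "${1%.plist}" CertificateAuthEnabled || failures=$((failures + 1))
  fi
  check_key "loginwindow" "$LOGINWINDOW_DOMAIN" DisableFDEAutoLogin || failures=$((failures + 1))
  return "$failures"
}

# Run only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
  audit "${1:-$HYPR_PLIST}"
fi
```

A non-zero exit status is the number of settings that are missing or disabled, which makes the script usable as a compliance check in a device-management tool.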