This article is intended for system administrators who set security policy in enterprise environments that require smart card authentication.
Android File Transfer. Browse and transfer files between your Mac computer and your Android device. For Mac OS X only. No extra software is needed for Windows. Download HP Smart for macOS 10.12 or later and enjoy it on your Mac. Print, scan, and share with your HP Printer anytime, anywhere! HP Smart makes printing and scanning easier than ever and puts the tools you need at your fingertips: Set up and manage your HP printer directly from the app View printer status and send prints on-the-go.
Make sure that you carefully follow these steps to ensure that users will be able to log in to the computer.
For more information about smart card payload settings, see the Apple Configuration Profile Reference.
For more information about using smart card services, see the macOS Deployment Guide or open Terminal and enter man SmartCardServices
.
If you manually manage the profiles that are installed on the computer, you can remove the smart card-only profile in two ways. You can use the Profiles pane of System Preferences, or you can use the /usr/bin/profiles command-line tool. For more information, open Terminal and enter man profiles
.
If your client computers are enrolled in Mobile Device Management (MDM), you can restore password-based authentication. To do this, remove the smart card configuration profile that enables the smart card-only restriction from the client computers.
To prevent users from being locked out of their account, remove the enforceSmartCard profile before you unpair a smart card or disable attribute matching. If a user is locked out of their account, remove the configuration profile to fix the issue.
If you apply the smart card-only policy before you enable smart card-only authentication, a user can get locked out of their computer. To fix this issue, remove the smart card-only policy:
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/.profilesAreInstalled
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary
rm /Volumes/<volumename>/var/db/ConfigurationProfiles/Setup/.profileSetupDone
Users can use their smart card to authenticate over SSH to the local computer or to remote computers that are correctly configured. Follow these steps to configure SSHD on a computer so that it supports smart card authentication.
Update the /etc/ssh/sshd_config file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup_`date '+%Y-%m-%d_%H:%M'`
Then, use the following commands to restart SSHD:
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
If a user wants to authenticate SSH sessions using a smart card, have them follow these steps:
ssh-keygen -D /usr/lib/ssh-keychain.dylib
sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config_backup_`date '+%Y-%m-%d_%H:%M'`
If the user wants to, they can also use the following command to add the private key to their ssh-agent:
ssh-add -s /usr/lib/ssh-keychain.dylib
Use the following command to back up the /etc/pam.d/sudo file:
sudo cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the /etc/pam.d/sudo file with the following text:
Use the following command to back up the /etc/pam.d/login file:
sudo cp /etc/pam.d/login /etc/pam.d/login_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the/etc/pam.d/login file with the following text:
Use the following command to back up the /etc/pam.d/su file:
sudo cp /etc/pam.d/su /etc/pam.d/su_backup_`date '+%Y-%m-%d_%H:%M'`
Then, replace all of the contents of the/etc/pam.d/su file with the following text:
Here’s a sample smart card-only configuration profile. You can use it to see the kinds of keys and strings that this type of profile includes.
It sounds like the download may not have failed but the installation did so the only thing left that your MBP can boot from is the Recovery partition (see this discussion). Since you don't want to loose all your documents and you don't have a backup to restore from, I can think of a few things to try.
Reboot and hold down the option key to see what the MBP sees as bootable. If it's just the Recovery partition, that's where you are.
If there's a second choice (e.g., Macintosh HD), and it doesn't boot from that, try to reboot and hold down the shift key to start in Safe Mode.
Getting more extreme would be to get an external drive and Reinstall OS X on it so that you can boot from it and copy over your documents from the internal drive using Setup Assistant.
FInally, you could reinstall OS X on the internal. That should get Mountain Lion working again without damaging the rest of your files.