Net iD Service


Page updated: 2024-01-12

macOS - Useful commands and file locations

Check installed CTK plugins
pluginkit -m -p
pluginkit -v -m -p
pluginkit -vv -m -p


Smart card commands
security list-smartcards
security export-smartcard
system_profiler SPSmartCardsDataType

Note: Import all root and intermediate certificates into the System keychain so that
"system_profiler SPSmartCardsDataType" reports:
SSL trust: YES, X509 trust: YES
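
The trust check from the note above, as an added example (not part of the original page or of Net iD's own tooling): a shell function that reads "system_profiler SPSmartCardsDataType" output and lists every certificate line that does not show both trust values as YES. The function names, the sample lines and their layout are constructed assumptions; only the two trust fields and the token name come from this page.

```shell
#!/bin/sh
# Added example. Reads system_profiler SPSmartCardsDataType output on stdin.
# Exit status: 0 = all certificate lines trusted, 1 = at least one is not,
#              2 = no trust fields found (no card inserted / token not loaded).
check_sc_trust() {
  awk '
    /SSL trust:/ || /X509 trust:/ {
      seen++
      ssl = "missing"; x509 = "missing"
      if (match($0, /SSL trust: *[A-Za-z]+/)) {
        ssl = substr($0, RSTART, RLENGTH); sub(/^SSL trust: */, "", ssl)
      }
      if (match($0, /X509 trust: *[A-Za-z]+/)) {
        x509 = substr($0, RSTART, RLENGTH); sub(/^X509 trust: */, "", x509)
      }
      if (ssl != "YES" || x509 != "YES") {
        bad++
        line = $0; sub(/^[ \t]+/, "", line)
        printf "UNTRUSTED (SSL=%s, X509=%s): %s\n", ssl, x509, line
      }
    }
    END {
      if (seen == 0) { print "no trust fields found in input"; exit 2 }
      printf "%d certificate line(s) checked, %d not fully trusted\n", seen, bad
      exit (bad > 0 ? 1 : 0)
    }'
}

# Constructed sample input (line layout is an assumption, values are made up).
constructed_sample() {
  cat <<'EOF'
Available SmartCards (token):
    com.secmaker.netid.ctk.sctoken:CONSTRUCTED0001:
      #01: Kind: private RSA 2048-bit, Label: Auth, SSL trust: YES, X509 trust: YES
      #02: Kind: private RSA 2048-bit, Label: Sign, SSL trust: NO, X509 trust: NO
EOF
}

# Demo on the constructed sample. On a Mac, run instead:
#   system_profiler SPSmartCardsDataType | check_sc_trust
constructed_sample | check_sc_trust ||
  echo "=> import the missing roots/intermediates into the System keychain"
```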


Pairing commands
sc_auth list
(Check pairing)
sc_auth unpair
(Unpairing a user)
sc_auth pairing_ui -s status
(Pairing dialog status)
sc_auth pairing_ui -s enable
(Enable pairing)
sudo defaults write /Library/Preferences/ UserPairing -bool false
sc_auth identities
(List available smart cards and paired/unpaired identities)


Disable/Read/Delete CTK-modules
sudo defaults write /Library/Preferences/ DisabledTokens 
(Disables the built-in PIV-support from Apple to avoid conflict with Net iD PIV-support)
sudo defaults write /Library/Preferences/ DisabledTokens -array com.secmaker.netid.ctk.sctoken
(Disables Net iD Client CTK-module)
sudo defaults read /Library/Preferences/ DisabledTokens
(Read DisabledTokens)
sudo defaults delete /Library/Preferences/ DisabledTokens
(Delete DisabledTokens => All present modules active)
sudo defaults write /Library/Preferences/ DisabledTokens -array org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken
(Disables the PIV-support from OpenSC)


Antivirus makes everything slow

In some cases your antivirus software can make reading/using certificates very slow, for example with Microsoft Defender for macOS.
Try to exclude this from scanning:



sudo defaults write /Library/Preferences/ Legacy -bool true
(Enable tokend. Not possible on macOS 11 (Big Sur))
sudo defaults write /Library/Preferences/ Legacy -bool false
(Disable tokend)
sudo defaults read /Library/Preferences/
(Check status of


FileVault 2

FileVault does not support smart cards for authentication, meaning you will still need to use your password to unlock your FileVault-encrypted disk. By default, when a user enters their password to decrypt the FileVault disk at boot, this password is passed through to the login and a smart card will not be used for login, even if you configure it to be required. To change this so that the user is not automatically logged in and is shown the login screen instead, run the command below in Terminal.

sudo defaults write /Library/Preferences/ DisableFDEAutoLogin -bool YES


File locations
(Net iD Client)
(netid -command)
(netid -dialog test)
(Net iD Client global configuration)
(Not relevant for CTK-module but for Net iD Client itself and its WebExtensions)
(Net iD Client "user configuration")
(Net iD Client global configuration for CTK-module)
(PC/SC, not used by CTK-module)
Chrome - Extensions:
/Users/[user]/Library/Application Support/Google/Chrome/Default/Extensions/

Edge - Extensions: (edge://version/)
/Users/[user]/Library/Application Support/Microsoft Edge/Default/Extensions/
Firefox - Extensions:
/Users/[user]/Library/Application Support/Firefox/Profiles/[user-profile-name]/extensions/
Trace - Non CryptoTokenKit related events

Trace can be enabled by editing /etc/netid.conf. The trace file will be found here:

Trace - CryptoTokenKit related events

Example path will depend on macOS version

macOS 14 Sonoma


macOS 13 Ventura, macOS 12 Monterey and macOS 11 Big Sur


Run "set" in Terminal to see the value of "TMPDIR", which is where the "CTK-trace" is located.


Find CTK sandbox for "all users", i.e. fetch things happening pre-login
sudo find /var/folders -name "netid.txt" 2>/dev/null


Signature check
codesign --verify --verbose Net\
Net valid on disk
Net satisfies its Designated Requirement
codesign --verify --verbose CryptoTokenKit.appex
CryptoTokenKit.appex: valid on disk
CryptoTokenKit.appex: satisfies its Designated Requirement