Net iD Service


Page updated: 2022-05-06

Tokend support broke in macOS 10.15.1, but from 10.15.3 onwards it works again.
Make sure you upgrade to 10.15.7, the latest Catalina release.
If you are using Catalina then read this.

macOS - Useful commands and file locations

Check installed CTK plugins
pluginkit -m -p
pluginkit -v -m -p
pluginkit -vv -m -p


Smart card commands
security list-smartcards
security export-smartcard
system_profiler SPSmartCardsDataType

Note: Import all root and intermediate CA certificates into the System keychain (Keychain Access - System), so that "system_profiler SPSmartCardsDataType" reports for the card certificates:
SSL trust: YES, X509 trust: YES


Pairing commands
sc_auth list
(Check pairing)
sc_auth unpair
(Unpairing a user)
sc_auth pairing_ui -s status
(Pairing dialog status)
sc_auth pairing_ui -s enable
(Enable pairing)
sudo defaults write /Library/Preferences/ UserPairing -bool false
(Disable the smart card pairing dialog for all users)
sc_auth identities
(List available smart cards and paired/unpaired identities)


Disable/Read/Delete CTK modules
sudo defaults write /Library/Preferences/ DisabledTokens -array
(Disables Apple's built-in PIV support, to avoid conflicts with the Net iD PIV support)
sudo defaults write /Library/Preferences/ DisabledTokens -array com.secmaker.netid.ctk.sctoken
(Disables the Net iD Client CTK module)
sudo defaults read /Library/Preferences/ DisabledTokens
(Read DisabledTokens)
sudo defaults delete /Library/Preferences/ DisabledTokens
(Delete DisabledTokens => all installed modules active)
sudo defaults write /Library/Preferences/ DisabledTokens -array org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken
(Disables the PIV support from OpenSC)
Note: "-array" replaces the whole DisabledTokens list, so to disable several modules at once give all their identifiers in one command; always read the key back afterwards to confirm what is actually disabled.
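The script below is an added example, not SecMaker's code or part of Net iD: it parses the output of "defaults read ... DisabledTokens" offline, reports which of the three PIV-capable CTK modules (Apple, Net iD, OpenSC) are active, warns when more than one is active (the conflict the setting above exists to avoid), and composes the matching "defaults write" command for review instead of running it. Two things it assumes that this page does not state: that the preference domain behind /Library/Preferences/ is com.apple.security.smartcard, and that Apple's own PIV token identifier is com.apple.CryptoTokenKit.pivtoken. The function names and the sample "defaults read" output are constructed for the example.

```shell
#!/bin/sh
# Added example, not SecMaker's code: inspect and compose the DisabledTokens
# setting without touching the live system.
#
# Assumptions (not stated on the page): the preference domain is
# com.apple.security.smartcard (/Library/Preferences/com.apple.security.smartcard.plist)
# and Apple's own PIV token is com.apple.CryptoTokenKit.pivtoken.

SMARTCARD_DOMAIN="com.apple.security.smartcard"      # assumed domain
APPLE_PIV_TOKEN="com.apple.CryptoTokenKit.pivtoken"  # assumed identifier
NETID_TOKEN="com.secmaker.netid.ctk.sctoken"
OPENSC_TOKEN="org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken"

# Constructed sample of what `defaults read $SMARTCARD_DOMAIN DisabledTokens`
# prints when Net iD and OpenSC are disabled and Apple's PIV token is active.
SAMPLE_READ='(
    "com.secmaker.netid.ctk.sctoken",
    "org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken"
)'

# stdin: `defaults read ... DisabledTokens` output (old-style plist array).
# stdout: one token identifier per line, quoted or unquoted entries alike.
parse_disabled_tokens() {
    sed -e '/^[[:space:]]*[()][[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*,\{0,1\}[[:space:]]*$//' \
        -e 's/^"//' -e 's/"$//'
}

# $1 = token identifier, stdin = defaults read output. Exit 0 if disabled.
is_disabled() {
    parse_disabled_tokens | grep -Fqx -- "$1"
}

# Print "<token> disabled|active" for every token given as argument.
disabled_status() {
    list=$(parse_disabled_tokens)
    for t in "$@"; do
        if printf '%s\n' "$list" | grep -Fqx -- "$t"; then
            printf '%s disabled\n' "$t"
        else
            printf '%s active\n' "$t"
        fi
    done
}

# Exit 0 only when at most one of the three PIV-capable tokens is active;
# two active PIV tokens is exactly the conflict DisabledTokens is meant to avoid.
check_conflict() {
    list=$(parse_disabled_tokens)
    active=0
    for t in "$APPLE_PIV_TOKEN" "$NETID_TOKEN" "$OPENSC_TOKEN"; do
        printf '%s\n' "$list" | grep -Fqx -- "$t" || active=$((active + 1))
    done
    [ "$active" -le 1 ]
}

# Compose the write command for review; it is printed, not executed.
# All identifiers go in one -array, because -array replaces the whole list.
build_disable_cmd() {
    cmd="sudo defaults write $SMARTCARD_DOMAIN DisabledTokens -array"
    for t in "$@"; do
        cmd="$cmd '$t'"
    done
    printf '%s\n' "$cmd"
}

# Demo on the constructed sample. On a real Mac, feed the functions with:
#   sudo defaults read "$SMARTCARD_DOMAIN" DisabledTokens | disabled_status ...
printf '%s\n' "$SAMPLE_READ" | disabled_status "$APPLE_PIV_TOKEN" "$NETID_TOKEN" "$OPENSC_TOKEN"
if printf '%s\n' "$SAMPLE_READ" | check_conflict; then
    echo "OK: at most one PIV token active"
else
    echo "WARNING: more than one PIV token active, expect conflicts"
fi
build_disable_cmd "$APPLE_PIV_TOKEN" "$OPENSC_TOKEN"
```

Run the pipeline against the real "defaults read" output before and after every "defaults write"; the check_conflict exit status is what you would gate a deployment script on.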


sudo defaults write /Library/Preferences/ Legacy -bool true
(Enable tokend. Not possible on macOS 11 (Big Sur) or later, where tokend has been removed)
sudo defaults write /Library/Preferences/ Legacy -bool false
(Disable tokend)
sudo defaults read /Library/Preferences/
(Check status of


FileVault 2

FileVault does not support smart cards for authentication, so you still need your password to unlock a FileVault-encrypted disk. By default the password entered at the pre-boot FileVault screen is passed through to login, so the user is logged in without a smart card even if smart card login is configured as required. To turn off this pass-through, so that the user is shown the login window and must authenticate there, run the command below in Terminal.

sudo defaults write /Library/Preferences/ DisableFDEAutoLogin -bool YES


File locations
(Net iD Client)
(netid -command)
(netid -dialog test)
(Net iD Client global configuration; not relevant for the CTK module, but for Net iD Client itself and its WebExtensions)
(Net iD Client "user configuration")
(Net iD Client global configuration for CTK-module)
(PC/SC, not used by CTK-module)
Chrome - Extensions:
/Users/[user]/Library/Application Support/Google/Chrome/Default/Extensions/

Edge - Extensions: (edge://version/)
/Users/[user]/Library/Application Support/Microsoft Edge/Default/Extensions/
Firefox - Extensions:
/Users/[user]/Library/Application Support/Firefox/Profiles/[user-profile-name]/extensions/
Trace - Non CryptoTokenKit related events

Enable trace via Net iD Admin GUI, the trace file will be found here:

Trace - CryptoTokenKit related events

Use "set" to see the location of "TMPDIR" for the current user; example path:


Find the CTK sandbox for all users, i.e. to see what happened before login:
sudo find /var/folders -name "netid.txt" 2>/dev/null


Signature check
codesign --verify --verbose Net\
Net valid on disk
Net satisfies its Designated Requirement
codesign --verify --verbose CryptoTokenKit.appex
CryptoTokenKit.appex: valid on disk
CryptoTokenKit.appex: satisfies its Designated Requirement