Force Smart Card per user - exclude certain hosts

In AD Users and Computers we enabled the option 'Smart card is required for interactive logon'. This forces Smart Card login via that AD user account... That way, no matter what computer that user logs in on, they are forced to use a Smart Card; however, this causes a problem. We have a few mobile apps that use AD authentication. When we try to log into these apps from our iOS / iPhone we are unable to do so... This is because it's wanting a Smart Card... What is the workaround? The only GPO that forces Smart Card is computer-based... We don't want to force all users on all computers to use Smart Cards... So... I don't see a workaround unless the mobile apps support some type of cert-based SSO? Even then I don't think it will work, for AD is looking for a Smart Card.
gopher_49 asked:
btan (Exec Consultant) commented:
Frankly, you may have answered your query already.
Your setting is a user-specific Smartcard login, so unless you have two accounts, the alternative is, as you mentioned, for the apps to support certificate login. I would not think the latter needs the smartcard as long as the certificate can be enrolled and issued to the mobile device and the backend AD has the UPN mapping done for that mobile user (see this).
https://blogs.technet.microsoft.com/askds/2009/08/10/mapping-one-smartcard-certificate-to-multiple-accounts/

Another way is the two accounts: one account with "smart card required" for all other computers, and a second that logs on without such SC restriction. The latter will likely need "Deny log on locally" on the computers (not the mobile device). Can get complicated though.

Just to share, there is actually a past blog discussing the depth of SCL and a PS script for surfacing all users under SCL enforcement.
https://blogs.technet.microsoft.com/nextnextfinish/2017/09/15/smart-card-logon-enforcement-long-edition/
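The answer above points to a script for surfacing every account with "Smart card is required for interactive logon" set. The block below is an added example for this thread, not the script from the linked blog nor anything posted by btan; it assumes the ActiveDirectory RSAT module is installed and that you have read (or, for the second function, write) rights on the accounts. The account names in the usage comments are placeholders.

```powershell
# Added example (not from the original thread): enumerate users under smart card
# logon enforcement, and set or clear the flag on a single account.
# Assumes the ActiveDirectory module (RSAT) and suitable rights on the accounts.
Import-Module ActiveDirectory

# userAccountControl bit SMARTCARD_REQUIRED = 0x40000 (decimal 262144).
$ScrilBit = 0x40000

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) makes the DC do the bitwise
# test server-side, so we do not pull every user object and filter locally.
function Get-SmartCardRequiredUser {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$ScrilBit)" `
               -SearchBase $SearchBase `
               -Properties userAccountControl, SmartcardLogonRequired, PasswordLastSet |
        Select-Object SamAccountName, UserPrincipalName, SmartcardLogonRequired, PasswordLastSet
}

# Set or clear the flag on one account (for example the non-SC "mobile" account
# from the two-account approach). Setting the flag makes the DC replace the
# account's password with a random value, so clearing it later does NOT bring the
# old password back: reset the password after clearing the flag.
function Set-SmartCardRequired {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][bool]$Required
    )
    Set-ADUser -Identity $Identity -SmartcardLogonRequired $Required
    Get-ADUser -Identity $Identity -Properties SmartcardLogonRequired |
        Select-Object SamAccountName, SmartcardLogonRequired
}

# Example usage (account names are placeholders for illustration):
# Get-SmartCardRequiredUser | Format-Table -AutoSize
# Set-SmartCardRequired -Identity 'jdoe' -Required $true          # desktop account
# Set-SmartCardRequired -Identity 'jdoe.mobile' -Required $false  # mobile-only account
```

Run the first function before and after any change so you can confirm exactly which accounts are under enforcement; the bitwise LDAP filter is the same test the domain controller applies, so it will not miss accounts whose flag was set outside the AD Users and Computers dialog.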

btan (Exec Consultant) commented:
For author advice