CAC Reader Not Working on Mac Sequoia — Fix Guide

If a CAC reader not working on Mac Sequoia is the reason you’re here, I want you to know this is fixable — and it’s not your hardware. I’ve been setting up CAC authentication for service members at my installation for going on six years now, and every single macOS update breaks something. Sequoia broke more things than most. I watched a sailor spend three hours on a Monday morning unable to access her email before we tracked it down to a two-line Terminal command. This guide exists so that doesn’t happen to you.

Grab your CAC reader, sit down, and work through these steps in order. Don’t skip ahead. I made that mistake with the first few people I helped on Sequoia — jumped straight to reinstalling certificates before checking the driver layer — and it cost everyone an extra hour.

The Sequoia Problem — What Changed

Apple rewrote parts of how macOS handles smart card drivers when they shipped Sequoia (macOS 15). Specifically, the built-in framework called CryptoTokenKit — which is Apple’s native layer for reading PIV-compliant cards like your CAC — had its default behavior changed around how it initializes USB smart card readers at login.

In older macOS versions, CryptoTokenKit would aggressively enumerate connected smart card readers on boot. In Sequoia, that behavior got throttled. Apple apparently made this change in connection with some security hardening work, but the practical result is that a large percentage of USB and USB-C CAC readers just don’t get recognized. Your Mac sees the USB device. It doesn’t hand it off to the smart card subsystem. The CAC sits there. Nothing happens.

The readers I see this with most often at my installation are the SCR3500A from SCM Microsystems (a black USB-A reader that basically everyone has), the Identiv uTrust 3700F, and several of the cheaper USB-C readers that people bought when they switched to M1 or M2 MacBooks. The fix differs slightly depending on which one you have, which is why this guide has multiple steps.

One more thing before we get into it — if you’re running Sequoia 15.0 or 15.0.1, update to at least 15.1 first. Apple quietly patched one of the CryptoTokenKit issues in that point release. Probably should have opened with this section, honestly. Check System Settings → General → Software Update before anything else.

Step 1 — Re-enable Smart Card Support

This is the fix that resolves the problem for probably 70% of people. It’s a Terminal command that empties the smart card DisabledTokens list, which lets CryptoTokenKit register the PIV token extension again; that extension is the specific component that reads DoD CAC cards.

Open Terminal. You can find it in Applications → Utilities, or just Spotlight search for “Terminal.” Once it’s open, type — or copy and paste — the following command exactly as written:

sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array

Hit Enter. You’ll be prompted for your Mac’s administrator password. Type it and hit Enter again. You won’t see the password characters as you type — that’s normal.

Now run this second command:

sudo sc_auth identities

This one queries the smart card system for any recognized identities. If your reader is plugged in and things are starting to work, you’ll see output that references your CAC certificates. If you get nothing back, or an error about no smart card being present, continue to Step 2.

Restart your Mac. Full restart — not sleep, not fast user switching. After it comes back up, plug your CAC reader in fresh. Give it about 30 seconds. Try accessing a CAC-protected site or opening your CAC-required application again.

Frustrated by months of dealing with a reader that worked fine on Monterey and Ventura, one of our IT techs wrote this command set on a sticky note and taped it to his desk. I’ve since printed it on a laminated half-sheet we hand to new service members at check-in. It works that reliably.
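
The Step 1 command replaces whatever DisabledTokens held, so it helps to look at the list first. The script below is an added example, not part of the original guide: it classifies the current list and the sc_auth identities output and names the step to try next. The sample outputs, the com.example.vendor.token identifier, the --live switch and the backup file name are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide. Sample outputs are constructed.
PREF=/Library/Preferences/com.apple.security.smartcard
PIV=com.apple.CryptoTokenKit.pivtoken   # Apple's built-in PIV token driver

# Classify the text printed by: defaults read "$PREF" DisabledTokens
disabled_state() {
    if printf '%s\n' "$1" | grep -qF "$PIV"; then
        echo piv-disabled       # Step 1's command will re-enable the driver
    elif printf '%s\n' "$1" | grep -Eq '[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+'; then
        echo other-disabled     # a different token driver is switched off
    else
        echo none               # empty or missing list: nothing to clear
    fi
}

# Count identity lines in `sc_auth identities` output. Assumed line format:
# 40 hex digits (public key hash), whitespace, then the certificate name.
identity_count() {
    printf '%s\n' "$1" | grep -Ec '^[0-9A-Fa-f]{40}[[:space:]]' || true
}

# Map both observations to the guide's steps.
# $1 = DisabledTokens text, $2 = sc_auth identities text
next_step() {
    case $(disabled_state "$1") in
        piv-disabled)   echo step1; return ;;
        other-disabled) echo review-list; return ;;
    esac
    if [ "$(identity_count "$2")" -gt 0 ]; then echo step3; else echo step2; fi
}

SAMPLE_PIV_OFF='(
    "com.apple.CryptoTokenKit.pivtoken"
)'
SAMPLE_OTHER_OFF='(
    "com.example.vendor.token"
)'
SAMPLE_EMPTY='(
)'
SAMPLE_IDS='SmartCard: com.apple.pivtoken:0000000000000000
Unpaired identities:
0123456789ABCDEF0123456789ABCDEF01234567 Certificate For PIV Authentication (DOE.JANE.Q.0000000000)'

# Live run on macOS: record the current list before Step 1 overwrites it.
if [ "$(uname -s)" = Darwin ] && [ "${1:-}" = "--live" ]; then
    cur=$(defaults read "$PREF" DisabledTokens 2>/dev/null || true)
    printf '%s\n' "$cur" > "$HOME/DisabledTokens.before.txt"
    next_step "$cur" "$(sc_auth identities 2>/dev/null || true)"
fi
```

A result of review-list means the list disables some other token driver, which the Step 1 command would switch back on as well.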

Step 2 — Install Feitian USB-C Driver If Needed

If Step 1 didn’t fully solve it and you’re using a USB-C reader — particularly one of the Feitian (also marketed as Feitain, both spellings exist on their own packaging, which is its own headache) USB-C smart card readers — you need an additional driver.

The specific models I’ve seen that need this are the Feitian R301 and the bR301 Bluetooth reader when used over USB-C. The Identiv uTrust 3700F in USB-C mode sometimes needs it too. The issue is that macOS Sequoia’s native CCID driver stack doesn’t fully support some of these devices’ USB descriptor tables.

Here’s how to get it sorted:

  1. Go to ftsafe.com — that’s Feitian’s official site. Navigate to Support → Download → Drivers.
  2. Download the macOS CCID driver package. As of early 2025, the current version is iR301 CCID Driver v3.1.2, and the installer file is about 4.2 MB.
  3. Open the .pkg installer. macOS will likely throw a Gatekeeper warning. Go to System Settings → Privacy & Security, scroll down, and you’ll see a message saying the driver was blocked. Click “Allow Anyway.”
  4. Run the installer again and complete it.
  5. Restart your Mac.

After restart, plug in your USB-C reader and give it 45 seconds. The system needs a moment to load the new kernel extension. If you open Terminal and run sudo sc_auth identities again at this point, you should see your card’s identities listed.

One thing I’ve learned the hard way — don’t use a USB-C hub between the reader and the Mac. Plug directly into one of the Mac’s built-in Thunderbolt ports. Hubs introduce their own USB negotiation layer and I’ve seen them confuse the CCID driver even when everything else is correct. Direct connection only.

Step 3 — Reinstall DoD Certificates

Even with your reader working correctly at the hardware and driver level, you can still get certificate errors in browsers if your DoD root certificates are outdated or corrupted. Sequoia’s tighter security sandbox sometimes marks old certificate installations as untrusted on first boot, which quietly breaks them without telling you.

First, clear your browser cache. In Safari: Settings → Advanced → check “Show features for web developers” → Develop menu → Empty Caches. In Chrome: Settings → Privacy and Security → Clear Browsing Data → check Cached images and files → Clear data. Do this before reinstalling certs or you’ll validate against stale cached data.

Now get fresh DoD certificates:

  1. Go to militarycac.com/macnotes.htm — this is the authoritative source. Find the section for “DoD Certificates” and download the latest InstallRoot package for Mac. The current package as of 2025 is labeled InstallRoot 5.5 macOS and the .pkg is around 11 MB.
  2. Run the installer. It will deposit the DoD root, intermediate, and issuing CA certificates into your system keychain.
  3. Open Keychain Access (Applications → Utilities → Keychain Access). In the left sidebar, select “System” under Keychains, then “Certificates” under Category.
  4. Search for “DOD” in the search bar. You should see a list of certificates — DoD Root CA 3, 4, 5, 6, and several EMAIL CA and ID CA entries.
  5. If any show a red X or say “This certificate has an invalid issuer,” right-click it and select “Get Info.” Under Trust, change “When using this certificate” to “Always Trust.” Close the window. You’ll be prompted for your password.

Restart Safari or Chrome completely after this. Not just close the window — quit the application entirely and reopen it.
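
Setting a certificate to “Always Trust” overrides chain validation for that certificate, so it is worth confirming its fingerprint first. The script below is an added example, not part of the original guide: it reduces security find-certificate output to fingerprint and label pairs and lists any certificate whose SHA-256 value is not in a list you supply. The hashes, the second certificate label and the EXPECTED_FILE variable are constructed placeholders, and the parsed output layout is an assumption stated in the comments.

```sh
#!/bin/sh
# Added example, not from the original guide. Hashes and the second label are
# constructed placeholders, not real DoD fingerprints.
HASH_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HASH_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

# Reduce `security find-certificate -a -Z` output (stdin) to
# "SHA256<TAB>label" lines. Assumes each record starts with a
# "SHA-256 hash:" line and later carries a "labl"<blob>="..." attribute.
cert_table() {
    awk '
        /^SHA-256 hash: / { hash = toupper($3) }
        /"labl"<blob>=/ {
            label = $0
            sub(/^.*"labl"<blob>="/, "", label)
            sub(/"$/, "", label)
            if (hash != "") print hash "\t" label
            hash = ""
        }'
}

# Print the labels whose fingerprint is missing from the expected list.
# $1 = table from cert_table, $2 = expected SHA-256 values, one per line.
unverified() {
    tab=$(printf '\t')
    printf '%s\n' "$1" | while IFS="$tab" read -r hash label; do
        [ -n "$hash" ] || continue
        printf '%s\n' "$2" | tr 'a-f' 'A-F' | grep -qxF "$hash" || echo "$label"
    done
}

SAMPLE_FIND_CERT=$(cat <<EOF
SHA-256 hash: $HASH_A
SHA-1 hash: 1111111111111111111111111111111111111111
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="DoD Root CA 3"
SHA-256 hash: $HASH_B
SHA-1 hash: 2222222222222222222222222222222222222222
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Constructed Lookalike CA"
EOF
)

# Live run on macOS. EXPECTED_FILE is a hypothetical file of fingerprints
# copied from the official DoD PKI publication, one per line.
if [ "$(uname -s)" = Darwin ] && [ -r "${EXPECTED_FILE:-}" ]; then
    table=$(security find-certificate -a -Z -c DoD \
        /Library/Keychains/System.keychain | cert_table)
    unverified "$table" "$(cat "$EXPECTED_FILE")"
fi
```

Empty output means every listed certificate matched the expected list; any label that is printed should be checked before its trust setting is changed.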

At this point, with your reader recognized by Sequoia’s CryptoTokenKit, the correct CCID driver installed if you needed it, and fresh DoD certificates trusted in Keychain Access, your CAC authentication should work. Test it at myaccess.defense.gov or whichever CAC-protected portal you need. Insert your card when prompted, select the correct certificate (usually the one labeled with your name and “Authentication” rather than “Email Encryption”), and enter your PIN.

If it still fails after all three steps, the next thing I check is whether the user’s CAC itself has expired or is locked from too many bad PIN attempts. That’s a trip to the ID card office, not an IT fix. But in my experience, these three steps clear the Sequoia-specific issues for the overwhelming majority of cases.

Mike Thompson

Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.
