Continuing on... At some point, date unknown, o365.usmc.mil started spitting out requirements for users to start using Firefox.
This works fine for Windows users, but not so well on macOS. The traditional Firefox setup (installing the root certificates to avoid any unsecured site errors, installing compatible common access card middleware, and loading the security device driver, traditionally acpkcs211 or a similar pkcs11 module) results in errors: something I call the F5 load balancer loop, where it takes you through a cycle of the same two pages over and over again. To make this work, we will work entirely in the Safari web browser on macOS.
These steps were executed on a fresh install of macOS Monterey with no additional drivers or configurations beforehand. I conducted the same steps on two other MacBook laptops with the same success to help validate them.
Checking the Smartcard
Surprisingly, the fix is fairly simple, although our first hurdle is to ensure you have a compatible and working common access card reader. Let's assume you do and it works. To verify, view your macOS System Report. If you don't know how, click the little Apple icon at the top left and select About This Mac. From there, select System Report.
Expand Hardware, if it's not already, and scroll down and select USB. From there we need to scan our USB Device Tree to ensure that our USB SmartCard reader is being recognized. In my case, my SCR33xx v2.0 USB SC Reader is found.
Next, we are going to confirm that your Mac is actually reading your common access card and not just recognizing the reader. Scroll down, select and expand Software if it's not expanded, and select SmartCards. The expected outcome should look similar to the image below. Your smartcard reader is working properly if under Readers you get some sort of output, identified by item (2). Additionally, you will notice a bunch of what looks like code/gibberish, identified by item (3). This means everything is in working order.
Now, if you are one of those poor saps that gets this, we have some troubleshooting to do. Just like with any other system, I would attempt a reboot to see if that fixes your issue. Additionally, you can do a reboot with your common access card inserted during the reboot - I have seen that work a few times on someone else's Mac.
In one additional case, I noticed that the SmartCard driver com.apple.CryptoTokenKit.pivtoken was listed as disabled. I can't confirm or deny that this was a problem, as 50/50 I've seen it say disabled and yet still read the smartcard.
In the case that your driver is listed as disabled and the card doesn't read after multiple reboots, we can enable the smartcard driver by opening a terminal window and typing the following command:
sudo security smartcards token -l
You will be prompted to enter your password; the expected result is "com.apple.CryptoTokenKit.pivtoken". This can be seen in item (1).
Next, type the following command to enable this driver:
sudo security smartcards token -e com.apple.CryptoTokenKit.pivtoken
There will be no output. The -l option lists only disabled tokens, so if we enter the command from item (1) again we will get no return, which lets us know the driver is now enabled.
To verify further, we can type the command below.
sudo defaults read /Library/Preferences/com.apple.security.smartcard EnabledTokens
Again, if we type the same command and replace EnabledTokens with DisabledTokens we should see no drivers listed. Conduct a reboot to apply the changes and verify your common access card is now readable via your connected smartcard reader.
Next, we will need to import the Department of Defense root certificates. This will allow us to avoid the dreaded "This Connection Is Not Private" or "This Site Is Not Secure" warning when browsing.
First, we will need to download the DoD Root Certificates (direct download). Once downloaded, extract the contents if that has not already been done. Find the file "DoD_PKE_PEM.pem" and double-click it to import it into your Keychain.
After you double-click, the Keychain Access application should load. If not, do a search (Command (or Cmd) ⌘ + Space Bar) for Keychain Access. Ensure that login is selected from the left menu and all items are selected. Search for DoD Root CA 3, right-click it, and select Get Info.
Under the certificate info expand Trust and find the When using this certificate option dropdown. Change this option to Always Trust and close this window. When prompted enter your administrator password or fingerprint to apply the change.
The certificate icon should look like this if you did everything correctly. If not repeat the steps above again.
Open Safari and attempt to navigate to o365.usmc.mil again. If you did everything successfully you will see the below splash page. If you still get the connection not private or secure you will need to quit Safari and attempt again.
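Before setting DoD Root CA 3 to Always Trust, it is worth confirming that the downloaded bundle really contains the certificate you expect. The script below is an added example, not part of the original article: the file name check_bundle.sh is hypothetical, the bundle is assumed to use standard BEGIN/END CERTIFICATE blocks, and the expected SHA-256 fingerprint must come from a source you trust independently of the download.

```shell
#!/bin/sh
# Added example (not from the original article): fingerprint every certificate
# in a PEM bundle and check for an expected SHA-256 value before trusting it.

# Hash stdin to lowercase hex; sha256sum on Linux, shasum on macOS.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# pem_fingerprints FILE: print "index fingerprint" for each certificate block.
# A certificate's fingerprint is the hash of its decoded (DER) bytes.
pem_fingerprints() {
    bundle=$1
    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    i=1
    while [ "$i" -le "$count" ]; do
        # awk emits only the base64 body of the i-th block in the bundle.
        fp=$(awk -v want="$i" '
            /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1; next }
            /^-----END CERTIFICATE-----/   { inside = 0; next }
            inside && n == want            { print }
        ' "$bundle" | tr -d '\r' | base64 --decode | sha256_hex)
        echo "$i $fp"
        i=$((i + 1))
    done
}

# bundle_has_fingerprint FILE EXPECTED: succeed only if EXPECTED is present.
# EXPECTED may use colons or spaces and either letter case.
bundle_has_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    pem_fingerprints "$1" |
        awk -v e="$expected" '$2 == e { found = 1 } END { exit !found }'
}

# Command-line use: sh check_bundle.sh DoD_PKE_PEM.pem "<expected SHA-256>"
if [ "$#" -eq 2 ]; then
    if bundle_has_fingerprint "$1" "$2"; then
        echo "MATCH: expected fingerprint is in $1"
    else
        echo "NO MATCH: do not mark anything from $1 as trusted" >&2
        exit 1
    fi
fi
```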
Configuring Safari web browser
Next, we will need to enable the Develop menu for Safari. To do this, open Safari Preferences (Command (or Cmd) ⌘ + ,) and select the Advanced tab. Under the Advanced settings, ensure that Show Develop menu in menu bar is checked. This will grant us developer options for Safari. Once this is complete, we can close the Safari Preferences dialog.
With 'o365.usmc.mil' still open, select the Develop menu, navigate down to User-Agent, and select Firefox - Windows from the options.
This will reload the page sending our new HTTP Header information as seen below if we inspect the element.
If you did everything correctly up to this point and didn't run into any additional issues continue on and attempt to log into Outlook on the Web (OWA).
If you achieved the top result, congratulations you have successfully accessed USMC OWA - o365.usmc.mil on your Mac. If you need additional assistance outside of this article I recommend browsing to https://militarycac.com for additional troubleshooting.
Office 365 and Teams
As part of a test group for the new URL, I ran into an issue with accessing MS Teams via the web. After some troubleshooting I ran into this link. Basically we need to uncheck the Prevent cross-site tracking setting and restart Safari.
This is found in the Safari Preferences (Command (or Cmd) ⌘ + ,) within the Privacy tab. Once you change this setting, restart your browser and attempt to access Teams on the web again.