⚠️
Note to the reader, disclaimer, and my personal opinion. It's no secret as to what 'o365.usmc.mil' is and its purpose. A simple Google search of 'o365.usmc.mil' or 'USMC OWA' with quotes will result in thousands of results. So posting it in the title or body isn't going to change the fact of what it is. The problem that I've come to realize is the lack of support for the macOS user. This is either due to the large consumer enterprise that sits on Microsoft Windows or those technically hired are unwilling or don't know how to make both operating systems mingle. Who knows.

Situation

Continuing on...  At some point, date unknown, o365.usmc.mil started spitting out requirements for users to start using Firefox.

o365.usmc.mil Informational Splash Screen

This works fine for Windows users, but not so well on macOS. The traditional Firefox setup (installing the root certificates to avoid any unsecured site errors, installing compatible common access card middleware, and loading the security device driver, traditionally acpkcs211 or a similar pkcs11 module) results in errors. Something I call the F5 load balancer loop, where the site takes you through a cycle of the same two pages over and over again. To make this work, we will work entirely in the Safari web browser on macOS.

Solution

The steps conducted were executed on a fresh install of macOS Monterey with no additional drivers or configurations beforehand.  I conducted these same steps on two other MacBook laptops with the same success to aid with validating these steps.

Checking the Smartcard

Surprisingly, the fix is fairly simple, although our first hurdle is to ensure you have a compatible and working common access card reader. Let's assume you do and it works. To verify, open your macOS System Report. If you don't know how, click on the little Apple icon at the top left and select About This Mac. From there select System Report.

Expand Hardware, if it's not already, and scroll down and select USB.  From there we need to scan our USB Device Tree to ensure that our USB SmartCard reader is being recognized.  In my case, my SCR33xx v2.0 USB SC Reader is found.

System Information USB Device Tree

Next, we are going to confirm that your Mac is actually reading your common access card, not just recognizing the reader. Scroll down, expand Software if it's not already expanded, and select SmartCards. The expected outcome should look similar to the image below. Your smartcard reader is working properly if under Readers you get some sort of output, identified by item (2). Additionally, you will notice a block of what looks like code or gibberish, identified by item (3). This means everything is in working order.

System Information Smartcard Information

Now, if you are one of those poor saps that gets this, we have some troubleshooting to do. Just like with any other system, I would attempt a reboot to see if that fixes your issue. Additionally, you can reboot with your common access card inserted; I've seen that work a few times on someone else's Mac.

System Information Smartcard Information

In one additional case, I noticed that the SmartCard driver com.apple.CryptoTokenKit.pivtoken was listed as disabled. I can't confirm or deny that this was a problem, as 50/50 I've seen it say disabled and yet still read the smartcard.

System Information com.apple.CryptoTokenKit.pivtoken Disabled

If your driver is listed as disabled and the card still isn't read after multiple reboots, we can enable the smartcard driver from a terminal window. First, type the following command, which lists the smartcard token drivers that are currently disabled:

sudo security smartcards token -l

You will be prompted to enter your password, and the expected result is "com.apple.CryptoTokenKit.pivtoken". This can be seen in item (1).
Next, type the following command to enable this driver:

sudo security smartcards token -e com.apple.CryptoTokenKit.pivtoken

There will be no output. If we enter the command from item (1) again, it will return nothing, which lets us know the driver is no longer disabled.

To verify further, we can run the command below.

sudo defaults read /Library/Preferences/com.apple.security.smartcard EnabledTokens

Again, if we type the same command and replace EnabledTokens with DisabledTokens we should see no drivers listed. Conduct a reboot to apply the changes and verify your common access card is now readable via your connected smartcard reader.

Installing Certificates

Next, we will need to import the Department of Defense root certificates.  This will allow us to avoid the dreaded "This Connection Is Not Private" or "This Site Is Not Secure" warning when browsing.

SSL/TLS Certificate Error Warning
⚠️
Another note to the reader, disclaimer, and my personal opinion. In some way or fashion, someone is going to complain, identify, or express concern regarding the posting of these certificates. Without going into details on public key infrastructure, these certificates are publicly accessible and are public certificates whereas the private key is your secret and safeguarded. Finally, you can do another Google search for "DoD Root Certificates" and return thousands of results and direct download links. Finally, even if you did all of this you would still need a certificate (attached to a token w/ pin) and account just for access. These sites are also positioned within a DMZ and deployed with security in depth.

First, we will need to download the DoD Root Certificates (direct download).  Once downloaded extract the contents if not already done so.  Find the file "DoD_PKE_PEM.pem" and double-click it to import it into your Keychain.

After you double-click, the Keychain Access application should load. If not, do a search (Command (or Cmd) ⌘ + Space Bar) for Keychain Access. Ensure that login is selected from the left menu and that All Items is selected. Search for DoD Root CA 3, right-click it, and select Get Info.

Under the certificate info expand Trust and find the When using this certificate option dropdown.  Change this option to Always Trust and close this window.  When prompted enter your administrator password or fingerprint to apply the change.

The certificate icon should look like this if you did everything correctly.  If not repeat the steps above again.
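
Before setting Always Trust on a root, confirm that the certificate you imported is the one you think it is. The script below is an added example, not part of the original article: it computes the SHA-256 fingerprint of every certificate in a PEM bundle such as DoD_PKE_PEM.pem, so you can compare them with the fingerprint shown by Get Info in Keychain Access and with a value obtained from the issuer through a separate channel. The function names and the script name are illustrative, and the sample data it falls back to is constructed, not real certificates.

```python
import base64
import binascii
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def normalize(fp):
    """Strip colons/spaces and lowercase; require 64 hex digits (SHA-256)."""
    fp = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp

def bundle_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every CERTIFICATE block, in file order."""
    prints = []
    for n, m in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {n}: invalid base64") from exc
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no CERTIFICATE blocks found")
    return prints

def pinned_present(pem_text, pinned):
    """True only if the independently obtained fingerprint is in the bundle."""
    return normalize(pinned) in bundle_fingerprints(pem_text)

def make_pem(der):
    """Helper for the constructed sample: PEM-armor arbitrary bytes."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:      # e.g. check_bundle.py DoD_PKE_PEM.pem <fingerprint>
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            text = fh.read()
        pinned = sys.argv[2]
    else:                       # constructed sample, not real certificates
        text = make_pem(b"constructed cert A") + make_pem(b"constructed cert B")
        pinned = hashlib.sha256(b"constructed cert B").hexdigest()
    for fp in bundle_fingerprints(text):
        print(fp)
    print("pinned fingerprint present:", pinned_present(text, pinned))
```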

Open Safari and attempt to navigate to o365.usmc.mil again.  If you did everything successfully you will see the below splash page.  If you still get the connection not private or secure you will need to quit Safari and attempt again.

o365.usmc.mil DoD Consent Banner

Configuring Safari web browser

Next, we will need to enable the Developer Mode for Safari. To do this, open the Safari Preferences (Command (or Cmd) ⌘ + ,) and select the Advanced tab. Under the Advanced settings, ensure that Show Develop menu in menu bar is checked. This will grant us developer options for Safari. Once this is complete, we can close the Safari Preferences dialog.

Safari Advanced Preferences

With 'o365.usmc.mil' still open, select the Develop menu, navigate down to User-Agent, and select Firefox - Windows from the options.

Safari Developer User Agent Firefox Windows

This will reload the page sending our new HTTP Header information as seen below if we inspect the element.

Inspecting HTTP Headers for User Agent

If you did everything correctly up to this point and didn't run into any additional issues continue on and attempt to log into Outlook on the Web (OWA).

Successful Logon to o365.usmc.mil

Conclusion

If you achieved the top result, congratulations you have successfully accessed USMC OWA - o365.usmc.mil on your Mac.  If you need additional assistance outside of this article I recommend browsing to https://militarycac.com for additional troubleshooting.

📓
As of Feb 2022, the USMC OWA URLs have been sunset and transitioned to Office 365. The following URL can be used to access O365 applications https://www.ohome.apps.mil

Office 365 and Teams

As part of a test group for the new URL, I ran into an issue with accessing MS Teams via the web.  After some troubleshooting I ran into this link.  Basically we need to uncheck the Prevent cross-site tracking setting and restart Safari.

This is found in the Safari Preferences (Command (or Cmd) ⌘ + ,) within the Privacy tab.  Once you change this setting, restart your browser, and attempt to access Teams on the web again.

Additional Resources:
https://militarycac.com