This group policy controls whether to create a token-protected or password-protected keychain base on the login type (i.e smart card login or password).
NOTE: This policy only works if "Enable smart card support" policy is enabled.
When login with smartcard, a keychain protected by an asymmetric key stored on a smart card is created. Users are required to have the smart card present to unlock the protected keychain. A username or PIN without the smart card will not unlock the protected keychain.
When the smart card is renewed it will no longer unlock the protected keychain. There is no way to export a smart card protected keychain without the matching smart card. Export keychain items before renewing your smart card, otherwise you will have to recreate the keychain items in the new smart card protected keychain. In addition, if a smart card is lost, there is no way to recover items from the protected keychain.
When login with password, a keychain protected by user password is created. It can be unlocked using the login password.
The "Set as user default keychain" option is selected by default. Deselect this option to leave the existing login keychain as the default keychain.
With this option set, the default keychain will be switched according to the login type.
Login with smartcard will set the token-protected keychain as default
Login with password will set the password-protected keychain as default
The "Delete the Password protected Login Keychain after login" option is deselected by default. Select this option to delete the password-protected Login Keychain after logging in.
This feature is not supported on OS X 10.10 and earlier.
Note: When this policy is disabled, the default keychain is left as the default keychain of the last user login.
For example, if user_a last logged in using a password and user_b last logged in using a smart card, then this policy is disabled:
user_a's default keychain is left as a password-protected keychain and
user_b's default keychain is left as a token-protected keychain.
These default keychains will NOT be unlocked for the user during login; therefore, the user will be prompted to unlock the default keychain if any application needs access to it.