If a user is configured correctly in the sudoer file and a smart card that corresponds to the user is presented at the time sudo is run, sudo will ask for PIN instead of the user password to unlock the card to authenticate the user.
This policy only works if smart card support is enabled.
Note that if the smart card is already unlocked at the time sudo is run, sudo will not prompt for PIN to authenticate the user.
This feature only works on OS X 10.11.2 or later.
Once enabled, this policy takes effect dynamically at the next group policy refresh interval.