Releases: twocanoes/xcreds
XCreds 4.1
4.1.6313 (2024-02-06)
See https://twocanoes.com/knowledge-base/whats-new-in-xcreds-4-1/ for full details
- fixed issue with menu item not updating tokens
- fixed automount
- remove admin if we made them admin
- added check for not removing last admin user
- fixed prompting when both AD and cloud are configured
- added kerberosprincipalname pref and getting kerb ticket with oidc login
- added menuItemWindowBackgroundImageURL
- better selection of menu item prompting if both AD and OIDC are set up
- fixed issue with ACL on tokens in keychain
- added custom menu item pref
- ability to customize Share menu item; added username for AD and OIDC in menu
- added pref for shares
- added better descriptions to share manifest
- updated what's new
- updated manifest
XCreds 4.0
4.0.6274 (2024-01-26)
- fixed issue with local password update
- updated ropg prefs and checking
- Minor fixes for ropg
- fixed passwordElementID preference can cause issue with setting local password #161
- PasswordOverwriteSilent does not prevent user prompt for password #160
- shouldUseROPGForMenuLogin hides offline login option at XCreds login window #158
- Improvement for refreshRateMinutes description #157
- Typos in manifest descriptions #156
4.0.6261 (2024-01-15)
- built release notes
- applied patch from Jim Zajkowski to fix integration issues
- fixed up kerb ticket status in menu
- refactored menu code
- fixed issue with updating keychain
- more attempt at sharemounter integration
- implemented shares
- added additional sample profiles
- fixed home mounting
- fixed enabling window state with AD
- pointed package to main branch for oidclite
- Allow forcing of webview login window
- Support separate client ID and secret for ropg
- wip
- fixed issue with ropg clientid/secret selection
- Keychain is reset on cloud password change when user enters old local password #148
- Admin status does not change after removed from group #145
- Fix manifest key name for loadPageInfo #143
- bumped version
4.0.6203 (2024-01-01)
- added release notes and script to generate release notes
- Feature Request: Allow "loadpage.html" to be customized. #126. To test, add in new keys "loadPageTitle" and "loadPageInfo" or try the xcreds_example_azure_loadPageTitle_loadPageInfo.mobileconfig
- Update description in manifest for loginWindowWidth and loginWindowHeight #138
- [feature request] LocalAD - make sync password with AD optional with preference key #130. To test, set the shouldPromptForADPasswordChange to false and set the user account to require password change on next login and verify the user is not prompted
- XCreds breaking Munki's logout/install @loginscreen logic #102. Test by defining hideIfPathExists to a path like /tmp/hide and then add/remove and UI should show /hide. Or use sample profile xcreds_example_azure_hide.mobileconfig
- Option to enforce account to log in #21. To test, create allowedUsersArray with name of user allowed to log in and define allowUsersClaim with an OIDC claim that contains that value. Or use the xcreds_example_azure_allow_fred.mobileconfig to test
- Feature Request: Force Wi-Fi on option or Wi-Fi on/off switch in "Configure Wi-Fi" #58
- added removeadmin function but not used since it can cause local admins to unadmin
- loginWindowBackgroundImageURL image should be cached if not a file:// URL #72
- bumped build number
4.0.6177 (2023-12-28)
- added date to license agreement to resolve Date not shown on user agreement #134
- fixed Password reset dialog rendering and text need fixes #133
- Cloud login screen button section pushed to left side #132
- Active Directory login - blank login after expired user attempts sign-in #114
- Prompt for Secure Token Admin Login When Required for AD #127
- [bug] Build 6023 LocalAD - cancelling Change Password prompt breaks login fields. #129
- Add ability to select active directory login to select mapped user account #136
- fixed issue with initial focus
- #54
- Request: display user password expiration (days left or specific date) in app. #54
- Refresh does not change next password check time #88
- changed cartfile to point to github
- removed framework
- removed framework
- added key for ROPG at login window
- partial refactor wip
- partial refactor wip
- partial refactor wip
- ropg at login window initial implementation
- cleaned up ropg login code
- hide refresh when on username/password window; move focus to blank password when not entered for username/password window
- fixed menu app password verification
- added ShareMounter and missing KerbUtil file
- added username / password view to prompt in userspace
- fixed cancel for AD userspace cancel
- fixed override script in userspace
- fixed typo
XCreds 4 Beta 5
XCreds 4 Beta 4
What's New
Bug fixes and minor tweaks
4.0.6023 (2023-12-12)
- use default desktop from CoreServices
- reload the login window when wifi is connected
- fix conflicts in XCreds app
- Add new NetworkMonitor and reload webview on network changes
- add new networkmonitor
- better handling of loginwindow reload
- bumped version
- bumped version
- Resolves #111 by only refreshing when on cloud login
- removed tperfitt from logging. issue #108
- added info in DS for sub and iss when user is logging in and account is created
- initial implementation of allow user to select account to map to #98
- added preference shouldAllowKeyComboForMacLoginWindow and key combo (control-option return) to switch logon window. command-option-control return for mac login window. Feature Request: Show / Hide the switch login button with a pref key. #121
- Log shows tperfitt user profile path #108
- Feature Request: Option to alias IdP username to local DS user account #59
- add missing Credits.txt file
- fixed typo
- updated manifest for new keys
- showed Create New Account button in migration modal
- fixed issue #124: Default behavior wrong for shouldAllowKeyComboForMacLoginWindow
- refactored code to add admin to user account based on group membership each login (issue #109); added groups claim value to OD record on each login in _xcreds_oidc_groups (issue #117)
- updated license agreement (issue #90)
- Detect when no password was entered #17
- updated animation when logging in
*...
4.0.6177
What's New in Beta 3
Feature complete for release 4.0.
4.0.6177 (2023-12-28)
- added date to license agreement to resolve Date not shown on user agreement #134
- fixed Password reset dialog rendering and text need fixes #133. Test by resetting password on both AD and Cloud.
- Cloud login screen button section pushed to left side #132. Test with visual verification.
- Active Directory login - blank login after expired user attempts sign-in #114. Test by expiring password in AD and verifying sane UI.
- Prompt for Secure Token Admin Login When Required for AD #127. Test: Log in with AD account and change local password. Log out. When prompted to reset password, click button to reset keychain and enter local admin and verify keychain is reset and local password is AD password.
- [bug] Build 6023 LocalAD - cancelling Change Password prompt breaks login fields. #129. Test: In AD, force a password change on next login. Log in and when prompted, click Cancel.
- Add ability to select active directory login to select mapped user account #136. Test: Create non-admin local user then log in for first time with local AD user. Should prompt to enter login credentials for a local account. Enter credentials and verify that macOS logs in with that user account. Log out and verify that it does not prompt on subsequent logins.
- fixed issue with initial focus. Test: Reboot and verify you can type without a first click on the text field. Do this on a non-VM since a VM requires window focus.
- #54
- Request: display user password expiration (days left or specific date) in app. #54. Test: look at menu item and verify it shows when password expires in AD. Verify in AD as well.
- Refresh does not change next password check time #88. To test: refresh and verify next password check time is updated.
- changed cartfile to point to github. No test.
- removed framework. No test.
- removed framework. No test.
- added key for ROPG at login window. To test: Use the xcreds_example_okta_ropg.mobileconfig test file that has the shouldUseROPGForOIDCLogin key set to true. Verify that you can log in with test Okta user account.
- partial refactor wip. No test.
- partial refactor wip. No test.
- partial refactor wip. No test.
- ropg at login window initial implementation. No test.
- cleaned up ropg login code. No test.
- hide refresh when on username/password window; move focus to blank password when not entered for username/password window. Test: verify refresh button only shows on web login screens.
- fixed menu app password verification. Test: select Refresh in menu app and verify you can log in with AD, ROPG and OIDC.
- added ShareMounter and missing KerbUtil file. No test.
- added username / password view to prompt in userspace. Test: Change password in cloud and launch userspace app. Verify it prompts and you can log in and the icon turns green.
- fixed cancel for AD userspace cancel. Test: click cancel when AD prompts to sync local password.
- fixed override script in userspace. Test: verify having an override script does not cause a crash when specified in profile and refresh is selected in menu item app.
- fixed typo. No test.
XCreds 4.0 Beta 2
What's New
The major version was bumped to v4. The prior beta (Beta 1) was labeled as 3.3 and should be considered v4 Beta 1. So much goodness could not be contained in a minor version bump and only a major version increase would suffice.
Beta 2
fixed Update documented minimum for loginWindowWidth and loginWindowHeight #91
Minimum Height and Width is now 150. Anything less than that will change it to 150.
What to test: Set to lower and higher values and verify it changes as expected.
implemented Prompt for Secure Token Admin Login When Required #123
When logging in at the cloud login window and the local password is not the same as the cloud password, the user is prompted to enter the local password. If the user does not know the password and there is no adminUsername/admin password defined in an override script or in preferences, the user will be prompted for admin credentials. If admin credentials are given correctly, the user account will be changed to the new password and a new keychain will be created (and the old one moved aside).
What to test: Successfully log in as a cloud user and verify all is working. Log out and change cloud password on IdP. Log in again and verify that clicking reset results in correct behavior. Verify cancel buttons work as expected and that bad passwords and username give correct feedback.
implemented feature request: localad/kerberos support for saving groups to prefs #125
When set up to use Active Directory, logging in as an AD user that is a member of groups will populate the local account with a new attribute called _xcreds_groups containing the names of the groups as a comma-separated list.
What to test: In Active Directory, add the user to a few groups. Note that the primary group ("Domain User") is not a direct membership and will not show up. Log in and verify the new attribute is populated in the user account by opening Directory Utility and viewing the account. Change group membership in AD, log out and log back in, and verify AD groups have been updated via Directory Utility.
fixed ad groups for making admin user
If the preference key "CreateAdminIfGroupMember" is defined with a value of an array of strings, the groups the user is part of in AD will be checked against those values, and if one matches, the user will be an admin. This is updated on each login, so adding and removing should change admin membership.
What to test: Log in as an AD user and verify that they are not an admin. Add the user to a group in AD and add that group name to the CreateAdminIfGroupMember preference. Log back in and verify the user is now admin. Repeat the test with a new user and make sure the user is an admin at first login.
fixed Active Directory issue after password change #112
When signing in using XCreds as an Active Directory user, if the AD user password is changed and then the user tries to sign in again, XCreds sign-in will fail if the new password is entered. XCreds sign-in will succeed if the old password is entered.
What to test: change password and verify correct behavior.
adding arbitrary claims to local DS user account
A new preference key "claimsToAddToLocalUserAccount" with an array of strings as values was added. Adding a claim will result in that claim being added to the user's local DS account on next login. By default, if this key is not defined, the groups claim will be added automatically.
What to test: In preferences, add the claims "ipaddr" and "upn" to the claims and log in as a user. Verify that the claims show up as xcreds and the value in Directory Utility for the user.
updated animation when logging in
When logging in both as AD and cloud, the button bar should animate by dropping down and the main window should gracefully fade away leaving no trace. A thing of beauty.
What to test: Look at it. Love it.
Detect when no password was entered #17
When no password is detected from the cloud login, it used to fail by returning to the login window. Now there is an error message.
What to test: set the passwordElementID to something that doesn't match the element (like xyzzy) and try to log in. XCreds should log in to the cloud login and not be able to capture the password. An error should then be shown.
updated license agreement (issue #90)
The software license agreement shown when running the installer for v3.1 build 5084 shows last updated date as April 18, 2023. This should be updated to match the SLA provided at https://twocanoes.com/software-license-agreements/
What to test: verify correct date.
refactored code to add admin to user account based on group membership each login (issue #109)
In prior versions, admin membership was only checked at initial account login. Admin membership is now checked at each login and the admin group is updated based on preferences.
What to test: set the CreateAdminIfGroupMember value to the name of an existing group the user is a member of in the IdP and verify they become admin at next login. Remove it and verify that they are removed as local admin.
added groups claim value to OD record on each login in _xcreds_oidc_groups (issue #117)
When set up to use OIDC, logging in as a cloud user that is a member of groups will populate the local account with a new attribute called _xcreds_groups and will have the name of the groups as a space separated list.
What to test: In OIDC, add the user to a few groups. Log in and verify the new attribute is populated in the user account by opening Directory Utility and viewing the account. Change group membership in OIDC, log out and log back in, and verify groups have been updated via Directory Utility.
fixed issue #124: Default behavior wrong for shouldAllowKeyComboForMacLoginWindow
The manifest defines the default for shouldAllowKeyComboForMacLoginWindow as false but when it is not set in a profile the login window allows the key combo to work.
What to test: don't define the key and verify the key combo doesn't work, then define it and verify it does.
Beta 1:
Select Existing User Account During Account Creation
Using the new preference key “shouldPromptForMigration”, when a new login is detected and there are existing standard user accounts on the system, the user will be prompted for a username and password (#98).
If the username and password are successfully entered for an existing account, this local account will then be used when logging in with this cloud account. The local account has 2 new DS attributes added:
dsAttrTypeNative:_xcreds_oidc_sub: Subscriber. Unique identifier for account within the current issuer.
dsAttrTypeNative:_xcreds_oidc_iss: Issuer
In subsequent logins, the user account is selected by matching the sub and iss from the identity token to the values in the local account.
Note that the user will only be prompted if there are existing standard accounts on the system and the login does not have a locally mapped account.
The dialog for migration has a “Create New Account” button that will allow them to skip migration and create a local account. If a local account using the prior logic exists, it will be mapped.
Key Combination for showing Standard and Mac login window
Setting the new preference key “shouldAllowKeyComboForMacLoginWindow” allows switch login between cloud and standard/Mac login using a key combination regardless of the hidden state of the Switch Login Window button (#121). The keys are as follows:
Option-Control-Return: Switch between cloud and standard login window.
Command-Option-Control-Return: Switch between cloud and Mac login window.
Account Alias
When a new preference is set (“aliasName”) to a claim in the identity token, the value in that claim is used to set an alias to the user account, allowing them to login with it.
An example: Set the preferences to have aliasName = "upn". Log in as [email protected]. The identity token has a claim called "upn" whose value is "[email protected]". XCreds then adds [email protected] as an alias and the user can log in with either barney or [email protected] at the local and Mac login window. This gives the user a consistent way to log in at the cloud login or the standard / Mac login window.
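As an added illustration (not XCreds' own code), the per-login account logic these notes describe: a local account is matched on both sub and iss, the aliasName claim becomes an alias, CreateAdminIfGroupMember is re-evaluated from the groups claim on every login, and the allowedUsersArray/allowUsersClaim check from the 4.0 notes gates the login. The attribute names come from the notes; the sample claims, preferences and account names are constructed.

```python
"""Illustration, not XCreds' own code: the per-login account logic described in
these release notes, driven by the claims of an already-verified OIDC identity token."""
from dataclasses import dataclass, field

# Directory-record attribute names the release notes say XCreds writes.
SUB_ATTR = "dsAttrTypeNative:_xcreds_oidc_sub"
ISS_ATTR = "dsAttrTypeNative:_xcreds_oidc_iss"


@dataclass
class LocalAccount:
    name: str
    attrs: dict = field(default_factory=dict)
    aliases: list = field(default_factory=list)
    is_admin: bool = False


def find_mapped_account(claims, accounts):
    """Return the local account whose stored sub AND iss both match the token.
    Matching on sub alone would let the same sub value from another issuer land
    in this account, so both are required."""
    for acct in accounts:
        if (acct.attrs.get(SUB_ATTR) == claims.get("sub")
                and acct.attrs.get(ISS_ATTR) == claims.get("iss")):
            return acct
    return None


def record_mapping(claims, acct):
    """Store sub and iss on a migrated or newly created account so later logins
    map to it without prompting."""
    acct.attrs[SUB_ATTR] = claims["sub"]
    acct.attrs[ISS_ATTR] = claims["iss"]


def user_is_allowed(claims, prefs):
    """allowedUsersArray / allowUsersClaim (issue #21): when both are defined,
    the named claim must carry one of the allowed values. Undefined means open."""
    allowed = prefs.get("allowedUsersArray")
    claim_name = prefs.get("allowUsersClaim")
    if not allowed or not claim_name:
        return True
    value = claims.get(claim_name)
    values = value if isinstance(value, list) else [value]
    return any(v in allowed for v in values)


def apply_alias(claims, acct, prefs):
    """aliasName: the named claim's value becomes an alias of the local account."""
    claim_name = prefs.get("aliasName")
    alias = claims.get(claim_name) if claim_name else None
    if alias and alias != acct.name and alias not in acct.aliases:
        acct.aliases.append(alias)
    return alias


def update_admin(claims, acct, prefs):
    """CreateAdminIfGroupMember, re-evaluated on every login (issue #109): admin
    if at least one group in the token's groups claim matches a configured
    group, otherwise admin is removed again."""
    admin_groups = prefs.get("CreateAdminIfGroupMember") or []
    groups = claims.get("groups") or []
    acct.is_admin = any(g in admin_groups for g in groups)
    return acct.is_admin


def map_login(claims, accounts, prefs):
    """Resolve the local account for a verified token; None means denied or
    not yet mapped (the point at which XCreds would prompt for migration)."""
    if not user_is_allowed(claims, prefs):
        return None
    acct = find_mapped_account(claims, accounts)
    if acct is None:
        return None
    apply_alias(claims, acct, prefs)
    update_admin(claims, acct, prefs)
    return acct


# Constructed sample data; the issuer, subject and names are not from any real tenant.
SAMPLE_PREFS = {
    "aliasName": "upn",
    "CreateAdminIfGroupMember": ["mac-admins"],
    "allowUsersClaim": "upn",
    "allowedUsersArray": ["fred@example.test"],
}
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test/",
    "sub": "sub-0001",
    "upn": "fred@example.test",
    "groups": ["staff", "mac-admins"],
}


def sample_accounts():
    """fred was mapped on an earlier login; barney has never been mapped."""
    return [
        LocalAccount("fred", {SUB_ATTR: "sub-0001", ISS_ATTR: "https://idp.example.test/"}),
        LocalAccount("barney"),
    ]
```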
New Features
- Removed logging messages that had a local path from the build system.
- Updates postinstall to better handle the setup assistant and userland install scenarios. Thanks to Clkw0rk for the pull request.
- Reload login window on network changes. Thanks to Clkw0rk for the pull request and credit to @hurricanehrndz and the CPE Team at Yelp
- Reload login window after wifi connected. Thanks to Clkw0rk for the pull request.
- add encoding for special characters to tokenmanager. Thanks to Clkw0rk for the pull request.
- use default desktop from CoreServices. Thanks to Clkw0rk and the CPE Team at Yelp for the pull request.
XCreds 3.2.1
Resolves an issue in XCreds 3.2 where the last character was not captured when typing the password very quickly and hitting return right away.
XCreds 3.3 Beta 1
XCreds 3.2
ROPG
XCreds now uses ROPG to verify the password when logged in. Very useful with Okta and other IdPs that do not support token refresh. Requires preferences ropgClientID, ropgClientSecret, and shouldVerifyPasswordWithRopg. Thanks to hurricanehrndz for this pull request.
New Features
New preference key to force local login: shouldPreferLocalLoginInsteadOfCloudLogin . Thanks to jamesez for the pull request.
New preference key show login window based on detecting network status: shouldDetectNetworkToDetermineLoginWindow.
Added self healing for auth rights
Added support for keyboard nav for controls
Detect offline and automatically switch to local login.
Bug Fixes
Remove trailing and leading spaces entered in username
XCreds 3.1
Active Directory Login
New username and password window allows logging in with local user or Active Directory (if ADDomain key is defined).
New Username and Password Window
We no longer use the macOS login window and use the new XCreds username/password window. This allows for faster switching and Active Directory login.
Switch to Login Window at Screen Saver
When the "shouldSwitchToLoginWindowWhenLocked" key is set and XCreds is running in the user session and the screen is locked, the lock screen will fast user switch to the login window.
When set to true and the user locks the current session, XCreds will tell the system to switch to Login Window. The current session will stay active but the user will log in with the XCreds Login Window to resume the session.
Admin Group
If group membership is returned in the "groups" claim and matches the group defined in the "CreateAdminIfGroupMember" preference, the user will be created as admin.
kerberos ticket
When app is first launched and there is a keychain item with an AD account and local password, a kerberos ticket will be attempted.
Override Preference Script
Most preferences can now be overwritten by specifying a script at the path defined by "settingsOverrideScriptPath". This script, if it exists, must be owned by _securityagent, have permissions 700 (accessible only by _securityagent), and return a valid plist that defines the key/value pairs to override in preferences. This allows preferences to be based on the local state of the machine, which is important for the "localAdminUserName" and "localAdminPassword" keys. See Reset Keychain for more information on this. The override script can also be used for querying the local state and setting preferences. For example, to randomly set the background image, the script at "settingsOverrideScriptPath" could be:

```sh
#!/bin/sh
dir="/System/Library/Desktop Pictures"
# pick one .heic desktop picture at random
desktoppicture=$(/bin/ls -1 "$dir"/*.heic | sort --random-sort | head -1)
# substitute the chosen path into the plist template and print the result
cat /usr/local/xcreds/override.plist | sed "s|DESKTOPPICTUREPATH|${desktoppicture}|g"
```

The plist would be defined as:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>loginWindowBackgroundImageURL</key>
<string>file://DESKTOPPICTUREPATH</string>
</dict>
</plist>
```
Reset Keychain
In prior versions of XCreds, the ability to reset the keychain if the user forgets their local password would fail due to the lack of an admin user with a secure token. This would cause the "PasswordOverwriteSilent" to fail.
The "settingsOverrideScriptPath" (see above) can return the admin username and password of an admin account that has a secure token. This admin user is then used to reset the user's keychain if they forgot their local password. This can either be done with user prompting or silently.
The script can find those keys via curl, in system keychain, or in a LAPS file and return the values inside the plist that is returned. This gives flexibility in determining the security required for the local admin username and password.
Note that XCreds assumes an admin user with a secure token already exists on the machine and XCreds does not create or manage this user. If you manage local admin via a LAPS system, you can return the password from the local password file.
An example of an override script that returns the username and password is as follows:

Override Script:

```sh
#!/bin/sh
dir="/System/Library/Desktop Pictures"
desktoppicture=$(/bin/ls -1 "$dir"/*.heic | sort --random-sort | head -1)
# this is provided as an example. DO NOT KEEP ADMIN CREDENTIALS ON DISK! Use curl or other method for getting them temporarily.
admin_username="tcadmin"
admin_password="twocanoes"
# substitute the credentials into the plist template and print the result
cat /usr/local/xcreds/override.plist | sed "s|LOCALADMINUSERNAME|${admin_username}|g" | sed "s|LOCALADMINPASSWORD|${admin_password}|g"
```

plist:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>localAdminUserName</key>
<string>LOCALADMINUSERNAME</string>
<key>localAdminPassword</key>
<string>LOCALADMINPASSWORD</string>
</dict>
</plist>
```
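As an added illustration (not XCreds' own code) of the override-script contract described under Override Preference Script and Reset Keychain: a consumer checks the script's owner and 700 mode before running it, drops anything in the returned plist that is not an expected string key, and builds the credential plist with plistlib rather than sed so characters such as | or & in a password cannot truncate or corrupt the document. The key allowlist, the helper names and the expected-owner parameter are assumptions of this example.

```python
"""Illustration, not XCreds' own code: validating a settingsOverrideScriptPath
script before trusting it, parsing the plist it returns, and building that plist
without sed templating."""
import os
import plistlib
import stat
import subprocess
import tempfile

# Keys the override scripts in these notes set. Treating them as an allowlist is
# an assumption of this example; the page does not say how XCreds filters keys.
OVERRIDABLE_KEYS = {
    "loginWindowBackgroundImageURL",
    "localAdminUserName",
    "localAdminPassword",
}


def script_is_trusted(path, expected_uid):
    """True only for a regular file owned by expected_uid with mode exactly 0700,
    i.e. readable, writable and executable by that user alone (the ownership and
    permission requirement the notes place on the override script)."""
    try:
        st = os.lstat(path)          # do not follow a symlink planted at the path
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == expected_uid
            and stat.S_IMODE(st.st_mode) == 0o700)


def parse_override_plist(data):
    """Keep only a top-level dict's allowlisted string values; anything malformed
    or unexpected in the script's output is dropped rather than applied."""
    try:
        obj = plistlib.loads(data)
    except Exception:                # InvalidFileException or an XML parse error
        return {}
    if not isinstance(obj, dict):
        return {}
    return {k: v for k, v in obj.items()
            if k in OVERRIDABLE_KEYS and isinstance(v, str)}


def load_overrides(path, expected_uid, base_prefs):
    """Run the script and merge its returned keys over base_prefs; on any trust,
    execution or parse failure the base preferences are returned unchanged."""
    merged = dict(base_prefs)
    if not script_is_trusted(path, expected_uid):
        return merged
    try:
        proc = subprocess.run([path], capture_output=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return merged
    if proc.returncode == 0:
        merged.update(parse_override_plist(proc.stdout))
    return merged


def build_override_plist(username, password):
    """Serialise the credentials with plistlib instead of sed substitution, so a
    password containing '|', '&' or '<' cannot break the sed expression or the XML."""
    return plistlib.dumps({"localAdminUserName": username,
                           "localAdminPassword": password})


def demo_trust_check():
    """Constructed check on a throwaway file: returns (mode 0700 owned by us,
    mode 0700 but wrong owner, mode 0755, file missing)."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "override.sh")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o700)
        strict_ok = script_is_trusted(path, uid)
        wrong_owner_ok = script_is_trusted(path, uid + 1)
        os.chmod(path, 0o755)
        loose_ok = script_is_trusted(path, uid)
    return strict_ok, wrong_owner_ok, loose_ok, script_is_trusted(path, uid)
```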
Others
- added shake to password field
- added dialog over login window when in an error state
- improved code when local password policy does not allow setting password from cloud.
- Added about menu with history
New Keys
ADDomain
The desired AD domain
usernamePlaceholder
Placeholder text in local / AD login window for username
passwordPlaceholder
Placeholder text in local / AD login window for password
shouldShowLocalOnlyCheckbox
Show the local only checkbox on the local login page
CreateAdminIfGroupMember
List of groups that should have its members created as local administrators. Set as an Array of Strings of the group name.
shouldSwitchToLoginWindowWhenLocked
When set to true and the user locks the current session, XCreds will tell the system to switch to Login Window. The current session will stay active but the user will log in with the XCreds Login Window to resume the session.
settingsOverrideScriptPath
Script to override defaults. Must return valid property list with specified defaults. Script must exist at path, be owned by root and only writable by root.
localAdminUserName
Username of local admin user. DO NOT SET THIS IN PREFERENCES. It is recommended to set this with the settingsOverrideScriptPath script. This user is used to reset the keychain if the user forgets their local password and to set up a secure token for newly created users.
localAdminPassword
Password of local admin user. DO NOT SET THIS IN PREFERENCES. It is recommended to set this with the settingsOverrideScriptPath script. This user is used to reset the keychain if the user forgets their local password and to set up a secure token for newly created users.
shouldShowCloudLoginByDefault
Determine if the Mac login window or the cloud login window is shown by default
shouldShowMacLoginButton
Show the Mac Login Window button in XCreds Login
shouldShowTokenUpdateStatus
Show the time when the password will be checked. True by default.