Releases: twocanoes/xcreds
Prerelease 3.1.4144
What's New In XCreds
XCreds 3.1
Active Directory Login
New username and password window allows logging in with local user or Active Directory (if ADDomain key is defined).
New Username and Password Window
We no longer use the macOS login window; instead we use the new XCreds username/password window. This allows for faster switching and Active Directory login.
Switch to Login Window at Screen Saver
When the "shouldSwitchToLoginWindowWhenLocked" key is set and XCreds is running in the user session and the screen is locked, the lock screen will fast user switch to the log
When set to true and the user locks the current session, XCreds will tell the system to switch to Login Window. The current session will stay active but the user will login with the XCreds Login Window to resume the session.
Admin Group
If group membership is returned in the "groups" claim and matches the group defined in the "CreateAdminIfGroupMember" preference, the user will be created as admin.
kerberos ticket
When the app is first launched and there is a keychain item with an AD account and local password, a Kerberos ticket will be requested.
Override Preference Script
Most preferences can now be overridden by specifying a script at the path defined by "settingsOverrideScriptPath". This script, if it exists, is owned by root, and has permissions 755 (writable only by root, readable and executable by all), must return a valid plist that defines the key/value pairs to override in preferences. This allows preferences to be based on the local state of the machine. It is important for the "localAdminUserName" and "localAdminPassword" keys. See Reset Keychain for more information on this. The override script can also be used for querying the local state and setting preferences. For example, to randomly set the background image, "settingsOverrideScriptPath" points at a script such as the following:

```sh
#!/bin/sh
dir="/System/Library/Desktop Pictures"
# Pick one of the system desktop pictures at random.
desktoppicture=$(/bin/ls -1 "$dir"/*.heic | sort --random-sort | head -1)
# Substitute the placeholder in the template plist and print the result for XCreds.
cat /usr/local/xcreds/override.plist | sed "s|DESKTOPPICTUREPATH|${desktoppicture}|g"
```

The plist would be defined as:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>loginWindowBackgroundImageURL</key>
<string>file://DESKTOPPICTUREPATH</string>
</dict>
</plist>
```
Reset Keychain
In prior versions of XCreds, resetting the keychain when the user forgot their local password would fail due to the lack of an admin user with a secure token. This would cause "PasswordOverwriteSilent" to fail.
The "settingsOverrideScriptPath" (see above) can return the admin username and password of an admin account that has a secure token. This admin user is then used to reset the user's keychain if they forgot their local password. This can either be done with user prompting or silently.
The script can obtain those values via curl, from the system keychain, or from a LAPS file, and return them inside the plist it outputs. This gives flexibility in determining the security required for the local admin username and password.
Note that XCreds assumes an admin user with a secure token already exists on the machine and XCreds does not create or manage this user. If you manage local admin via a LAPS system, you can return the password from the local password file.
An example of an override script that returns the username and password is as follows:

Override Script:

```sh
#!/bin/sh
dir="/System/Library/Desktop Pictures"
# Random desktop picture (not used by the rest of this script).
desktoppicture=$(/bin/ls -1 "$dir"/*.heic | sort --random-sort | head -1)
#this is provided as an example. DO NOT KEEP ADMIN CREDENTIALS ON DISK! Use curl or other method for getting them temporarily.
admin_username="tcadmin"
admin_password="twocanoes"
# Substitute both placeholders in the template plist and print the result for XCreds.
cat /usr/local/xcreds/override.plist | sed "s|LOCALADMINUSERNAME|${admin_username}|g" | sed "s|LOCALADMINPASSWORD|${admin_password}|g"
```

plist:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>localAdminUserName</key>
<string>LOCALADMINUSERNAME</string>
<key>localAdminPassword</key>
<string>LOCALADMINPASSWORD</string>
</dict>
</plist>
```
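Both the background-image script and the Reset Keychain script above build the override plist by piping a template through `sed`, which breaks as soon as a value contains `|`, `&` or an XML special character. The following POSIX sh script is an added example, not code from the XCreds project: it emits the plist directly with XML escaping, and it checks the conditions the release notes place on the override script file (owned by root, not writable by group or others) before trusting it. The key names are the ones documented on this page; the helper names, the sample background path and the sample admin credentials are constructed for the example.

```sh
#!/bin/sh
# Added example, not XCreds project code. Helpers for a settingsOverrideScriptPath
# script: (1) build the override plist without substituting raw values into XML,
# so a path or password containing "&", "<" or "|" cannot corrupt the plist or the
# sed expression; (2) check the conditions XCreds places on the script file
# (root-owned, not group/world writable). Sample values below are constructed.

# Escape the XML special characters in a single value.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Print a plist dict with one <key>/<string> pair per "key=value" argument.
emit_plist() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    printf '%s\n' '<plist version="1.0">' '<dict>'
    for pair in "$@"; do
        key=${pair%%=*}      # text before the first "="
        value=${pair#*=}     # everything after it (may itself contain "=")
        printf '    <key>%s</key>\n    <string>%s</string>\n' \
            "$(xml_escape "$key")" "$(xml_escape "$value")"
    done
    printf '%s\n' '</dict>' '</plist>'
}

# Return 0 when FILE exists, is owned by OWNER (default root) and has no group
# or other write bit, i.e. the state XCreds requires before it runs the override
# script. Parses ls -ld output so it behaves the same on macOS and Linux.
script_is_trusted() {
    file=$1
    owner_wanted=${2:-root}
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")            # $1 = mode string, $3 = owner name
    mode=$1
    owner=$3
    [ "$owner" = "$owner_wanted" ] || return 1
    case "$mode" in
        ?????w*)    return 1 ;;         # group write bit (position 6)
        ????????w*) return 1 ;;         # other write bit (position 9)
    esac
    return 0
}

# Demo with constructed values. In a real override script localAdminUserName and
# localAdminPassword would come from curl, the system keychain or a LAPS file,
# as the release notes describe, never from literals in the script.
override_plist_demo() {
    picture='/usr/local/xcreds/background.heic'
    admin_user='svc-admin'
    admin_pass='p&ss|w<rd'
    emit_plist "loginWindowBackgroundImageURL=file://$picture" \
               "localAdminUserName=$admin_user" \
               "localAdminPassword=$admin_pass"
}

override_plist_demo
```

Installed as the "settingsOverrideScriptPath" target, a script built this way prints a plist that `plutil -lint -` accepts whatever the values contain; `script_is_trusted` is the same ownership and mode check an administrator can run from a deployment script to confirm the file is in the state XCreds requires.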
Others
- added shake to password field
New Keys
ADDomain
The desired AD domain
CreateAdminIfGroupMember
List of groups whose members should be created as local administrators. Set as an array of strings containing the group names.
shouldSwitchToLoginWindowWhenLocked
When set to true and the user locks the current session, XCreds will tell the system to switch to Login Window. The current session will stay active but the user will login with the XCreds Login Window to resume the session.
settingsOverrideScriptPath
Script to override defaults. Must return valid property list with specified defaults. Script must exist at path, be owned by root and only writable by root.
localAdminUserName
Username of local admin user. DO NOT SET THIS IN PREFERENCES. It is recommended to set this with the settingsOverrideScriptPath script. This user is used to reset the keychain if the user forgets their local password and to setup a secure token for newly created users.
localAdminPassword
Password of local admin user. DO NOT SET THIS IN PREFERENCES. It is recommended to set this with the settingsOverrideScriptPath script. This user is used to reset the keychain if the user forgets their local password and to setup a secure token for newly created users.
shouldFindPasswordElement
Selects the password element field in the web page by finding a form element that has bullets (input is password)
shouldShowCloudLoginByDefault
Determine if the mac login window or the cloud login window is shown by default
shouldShowMacLoginButton
Show the Mac Login Window button in XCreds Login
Version 3.0 Build 3607
Released 2023-04-19
- Updated license
- Fixed typo
- Fixed issue with crash if time is too far off
- Fixed regression for password change not capturing new password on Azure
- Added trial license
Version 2.4
- Added 802.1x support; added support for pref key for finding password based on type=password
- Fixed changing wifi not dismissing dialog
- Fixed issue with autorefresh
- Added frontmost when prompting for keychain password
- Fixed crashing issue due to null refreshview outlet
- Fixed names and links in manifest
- Tweaked text for user space refresh token window and added pref to show or hide
- Updated sample config
- Fixed focus issue
- Fixed login window size and background image
- Added in login window height/width min value of 100
- Added key for customizing return to XCreds; added preference and ability to automatically refresh login window
- Updated language on keychain option and added pref in manifest
- Added remove keychain option
Version 2.3
- Added more logging for id token
- Removed progress screen overlay because it was hiding filevault
- Added sub as local user account if other methods not available; added some additional logging
- Removed test time
- Fixed edge case when not showing xcreds login when logging out
- Fixed shouldShowCloudLoginByDefault not working
- Fixed timer issue
- Removed show prefs menu
- Implemented PasswordOverwriteSilent
- Implemented KeychainReset
- Added credit to script
- Added startup script
- Username hint was not being set
- Renamed mapped prefs with a prefix
- Changed case of keys
- Made keys lowercase for mappings
- Added new key for OIDC mapping
Version 2.2
- Added mappings for user info
Version 2.1
- Initial release
Prerelease 3.1.4081
XCreds 3.1
Active Directory Login
New username and password window allows logging in with local user or Active Directory (if ADDomain key is defined).
New Username and Password Window
We no longer use the macOS login window; instead we use the new XCreds username/password window. This allows for faster switching and Active Directory login.
Admin Group
If group membership is returned in the "groups" claim and matches the group defined in the "CreateAdminIfGroupMember" preference, the user will be created as admin.
Override Preference Script
Most preferences can now be overridden by specifying a script at the path defined by "settingsOverrideScriptPath". This script, if it exists, is owned by root, and has permissions 755 (writable only by root, readable and executable by all), must return a valid plist that defines the key/value pairs to override in preferences. This allows preferences to be based on the local state of the machine. It is important for the "localAdminUserName" and "localAdminPassword" keys. See Reset Keychain for more information on this. The override script can also be used for querying the local state and setting preferences. For example, to randomly set the background image, "settingsOverrideScriptPath" points at a script such as the following:

```sh
#!/bin/sh
dir="/System/Library/Desktop Pictures"
# Pick one of the system desktop pictures at random.
desktoppicture=$(/bin/ls -1 "$dir"/*.heic | sort --random-sort | head -1)
# Substitute the placeholder in the template plist and print the result for XCreds.
cat /usr/local/xcreds/override.plist | sed "s|DESKTOPPICTUREPATH|${desktoppicture}|g"
```

The plist would be defined as:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>loginWindowBackgroundImageURL</key>
<string>file://DESKTOPPICTUREPATH</string>
</dict>
</plist>
```
Reset Keychain
In prior versions of XCreds, resetting the keychain when the user forgot their local password would fail due to the lack of an admin user with a secure token. This would cause "PasswordOverwriteSilent" to fail.
The "settingsOverrideScriptPath" (see above) can return the admin username and password of an admin account that has a secure token. This admin user is then used to reset the user's keychain if they forgot their local password. This can either be done with user prompting or silently.
The script can obtain those values via curl, from the system keychain, or from a LAPS file, and return them inside the plist it outputs. This gives flexibility in determining the security required for the local admin username and password.
Note that XCreds assumes an admin user with a secure token already exists on the machine and XCreds does not create or manage this user. If you manage local admin via a LAPS system, you can return the password from the local password file.
An example of an override script that returns the username and password is as follows:

Override Script:

```sh
#!/bin/sh
dir="/System/Library/Desktop Pictures"
# Random desktop picture (not used by the rest of this script).
desktoppicture=$(/bin/ls -1 "$dir"/*.heic | sort --random-sort | head -1)
#this is provided as an example. DO NOT KEEP ADMIN CREDENTIALS ON DISK! Use curl or other method for getting them temporarily.
admin_username="tcadmin"
admin_password="twocanoes"
# Substitute both placeholders in the template plist and print the result for XCreds.
cat /usr/local/xcreds/override.plist | sed "s|LOCALADMINUSERNAME|${admin_username}|g" | sed "s|LOCALADMINPASSWORD|${admin_password}|g"
```

plist:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>localAdminUserName</key>
<string>LOCALADMINUSERNAME</string>
<key>localAdminPassword</key>
<string>LOCALADMINPASSWORD</string>
</dict>
</plist>
```
New Keys
ADDomain
The desired AD domain
CreateAdminIfGroupMember
List of groups whose members should be created as local administrators. Set as an array of strings containing the group names.
shouldSwitchToLoginWindowWhenLocked
When set to true and the user locks the current session, XCreds will tell the system to switch to Login Window. The current session will stay active but the user will login with the XCreds Login Window to resume the session.
settingsOverrideScriptPath
Script to override defaults. Must return valid property list with specified defaults. Script must exist at path, be owned by root and only writable by root.
localAdminUserName
Username of local admin user. DO NOT SET THIS IN PREFERENCES. It is recommended to set this with the settingsOverrideScriptPath script. This user is used to reset the keychain if the user forgets their local password and to setup a secure token for newly created users.
localAdminPassword
Password of local admin user. DO NOT SET THIS IN PREFERENCES. It is recommended to set this with the settingsOverrideScriptPath script. This user is used to reset the keychain if the user forgets their local password and to setup a secure token for newly created users.
shouldFindPasswordElement
Selects the password element field in the web page by finding a form element that has bullets (input is password)
shouldShowCloudLoginByDefault
Determine if the mac login window or the cloud login window is shown by default
shouldShowMacLoginButton
Show the Mac Login Window button in XCreds Login
Name | Type | Required | Description |
---|---|---|---|
ADDomain | string | | The desired AD domain. |
clientID | string | always | The OIDC client id, the public identifier for the app. |
clientSecret | string | | Client secret, sometimes required by the identity provider. |
CreateAdminUser | boolean | | When set to true and the user account is created, the user will be a local admin. |
CreateAdminIfGroupMember | array | | List of groups whose members should be created as local administrators. Set as an array of strings containing the group names. |
shouldSwitchToLoginWindowWhenLocked | boolean | | When set to true and the user locks the current session, XCreds will tell the system to switch to Login Window. The current session will stay active but the user will log in with the XCreds Login Window to resume the session. |
discoveryURL | string | always | The discovery URL provided by your OIDC / cloud provider. |
EnableFDE | boolean | | Enable FDE at first login on APFS disks. |
EnableFDERecoveryKey | boolean | | Save the Personal Recovery Key (PRK) to disk for the MDM escrow service to collect. |
EnableFDERecoveryKeyPath | string | | Specify a custom path for the recovery key. |
EnableFDERekey | boolean | | Rotate the Personal Recovery Key (PRK). |
loginWindowWidth | integer | | Login Window webview width (integer). If this is not defined, it will be full width. Minimum value of 100. |
loginWindowHeight | integer | | Login Window webview height (integer). If this is not defined, it will be full height. Minimum value of 100. |
loginWindowBackgroundImageURL | string | | URL to an image to show in the background while logging in. |
passwordChangeURL | string | | Add a menu item for changing the password that will open this URL when the menu item is selected. |
redirectURI | string | | URI to redirect to when authentication is complete. |
refreshRateHours | integer | | Number of hours between checks for password changes. Default is 3 hours. Minimum is 1 hour. |
scopes | string | | OIDC scopes. |
shouldSetGoogleAccessTypeToOffline | boolean | | When using Google as IdP, a refresh token may need to be requested in a non-standard way. |
shouldShowCloudLoginByDefault | boolean | | Determines whether the Mac login window or the cloud login window is shown by default. |
autoRefreshLoginTimer | integer | | Timer for automatically refreshing the login screen, in seconds. If set to 0, the login screen does not automatically refresh. |
cloudLoginText | string | | ... |
XCreds 3.0
Version 3.0 Build 3607
Released 2023-04-19
Updated license
Fixed typo
Fixed issue with crash if time is too far off
Fixed regression for password change not capturing new password on Azure
Added trial license
XCreds 2.4
- fixed changing wifi not dismissing dialog
- fixed issue with autorefresh
- added frontmost when prompting for keychain password
- fixed crashing issue due to null refreshview outlet
- fixed names and links in manifest
- tweaked text for user space refresh token window and added pref to show or hide
- updated sample config
- fixed focus issue
- fixed login window size and background image
- added in login window height/width min value of 100
- added key for customizing return to xcreds; added preference and ability to automatically refresh login window
- updated language on keychain option and added pref in manifest
- added remove keychain option
- added more logging for id token and bumped version to 2.3
- remove progress screen overlay because it was hiding filevault
- added sub as local user account if other methods not available; added some additional logging
- removed test time
- fixed edge case when not showing xcreds login when logging out
- fixed shouldShowCloudLoginByDefault not working
- fixed timer issue
- removed show prefs menu
- implemented PasswordOverwriteSilent
- implemented KeychainReset
- added credit to script
- added startup script
- username hint was not being set
- renamed mapped prefs with a prefix
- changed case of keys
- made keys lowercase for mappings
- added new key for OIDC mapping
XCreds 2.2
- remove progress screen overlay because it was hiding filevault
- added sub as local user account if other methods not available; added some additional logging
- removed test time
- fixed edge case when not showing xcreds login when logging out
- fixed shouldShowCloudLoginByDefault not working
- fixed timer issue
- removed show prefs menu
- implemented PasswordOverwriteSilent
- implemented KeychainReset
- added credit to script
- added startup script
- username hint was not being set
- renamed mapped prefs with a prefix
- changed case of keys
- made keys lowercase for mappings
- added new key for OIDC mapping
- added mappings for user info
- Update README.md
- removed spaces
- removed registration reminder
- added idhostnames array so you can specify multiple tenants
- added shouldShowCloudLoginByDefault user default
- fixed notification prompt
- removed "prompt":"consent"
- added a bit more logging
- added okta compatibility
- added autologin when fv enabled
- Merge pull request #37 from kenchan0130/fix-issue-36
- Merge pull request #38 from kenchan0130/patch-azure-1
- Merge pull request #39 from kenchan0130/patch-2
- If fullname is empty, shortname is used.
- Support a Azure AD host
- enabled rekeying FileVault implementation
- Update README.md
- fixed package template issue and updated manifest
- changed pref names for custom IDP / ADFS
XCreds 2.0
Login Window log in to OIDC provider
Support for Azure, Google Cloud, Okta and any OIDC provider
Initial account provisioning
WiFi Login Window configuration
Restart and shutdown from Login Window
Profile manifest available for easy configuration
Local password update with IdP password
Prompt for IdP password when changed
Login Keychain password updating
Customizable preferences
Easy deployment
Uses OpenID Connect
Attractive and pleasing menu icon
Easy configuration with profile / MDM
Profile Manifest for Profile Creator Support
Two-Factor and Multi-Factor support
prebeta
Initial Release v1.0.0
Initial Release