# XCreds - Log in to your Mac with your Cloud Password (macOS PKG) ## Description

XCreds supercharges your Mac login window. Use your Azure, Google Cloud, Okta or any OpenID Connect password to log in to your Mac. XCreds verifies the password with your identity provider and saves the tokens to the user keychain for validation that the cloud password is in sync with the local password. Perfect. This article will show you how to use it with FileWave.

This article will give you as much detail as possible to help you get started, but this is incredibly easy software to deploy and configure and we'll show you how below.

## Ingredients - FW Admin - Example Fileset - [PKG - XCreds.fileset.zip](https://kb.filewave.com/attachments/210) - Configuration files - [Configuration + License](#bkmrk-software---download-) ## Directions

XCreds has two components: - XCreds app -- runs in user space - XCreds Login Window -- security agent which runs when the user is logging in to macOS Example Login Window: [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/MJPAjQvRJE8CqM8w-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/MJPAjQvRJE8CqM8w-image.png) Both the security agent and the app share keychain items in the user’s keychain to keep track of the current local password and the tokens from the cloud provider. Both items prompt the user with a web view to authenticate to their cloud provider, verify login was successful and then update both the local password and user keychain passwords as needed.

### Features

- Login Window log in to OIDC provider - Support for Azure, Google Cloud, Okta and any OIDC provider - Initial account provisioning - WiFi Login Window configuration - Restart and shutdown from Login Window - Profile manifest available for easy configuration - Local password update with IdP password - Prompt for IdP password when changed - Login Keychain password updating - Customizable preferences - Easy deployment - Uses OpenID Connect

- Attractive and pleasing menu icon - Easy configuration with profile / MDM - [Profile Manifest](https://github.com/ProfileCreator/ProfileManifests) for [Profile Creator](https://github.com/ProfileCreator/ProfileCreator) Support - Two-Factor and Multi-Factor support - New username and password window - Able to create a user as an admin using group member preference - Kerberos ticket - Switch to login window at screensaver - Reset keychain - Most preferences are now able to be overridden - Added shake to the password field

### Getting Started You'll want to review their Pricing ( [https://twocanoes.com/products/mac/xcreds/#pricing](https://twocanoes.com/products/mac/xcreds/#pricing) ) but it's very reasonable and you can download the software and get started for free.

- Download the latest PKG: [Download XCreds](https://twocanoes-software-updates.s3.amazonaws.com/XCreds.pkg) - Review the Admin Guide: [XCreds Admin Guide](https://twocanoes.com/knowledge-base/xcreds-admin-guide/) - Once purchased, take a look about the license file: [Install Software License Configuration Profile](https://twocanoes.com/knowledge-base/install-software-license-configuration-profile/) - Depending on the directory system you use:

IdP	Microsoft Entra (Azure)	Okta	Google
Vendor Specific Instructions	[Microsoft Setup](https://twocanoes.com/knowledge-base/xcreds-setup-with-azure-oidc/)	[Okta Setup](https://twocanoes.com/knowledge-base/xcreds-setup-with-okta/)	[Google Setup](https://twocanoes.com/knowledge-base/xcreds-setup-with-google-oidc/)
Example Plist	[Microsoft Plist](https://twocanoes-app-resources.s3.amazonaws.com/xcreds/xcreds_example_azure.mobileconfig)	[Okta Plist](https://twocanoes-app-resources.s3.amazonaws.com/xcreds/okta/XCredsOktaTest.mobileconfig)	[Google Setup](https://twocanoes-app-resources.s3.amazonaws.com/xcreds/xcreds_example_google.mobileconfig)

### Installing with FileWave Example, pre-created Fileset: - [Xcreds Fileset](https://kb.filewave.com/attachments/210) The provided Fileset includes: - PKG installer (included version is latest build as of 21/07/23) - Uninstallation Script - Reboot flag enabled. The Fileset will trigger a reboot at the end of activation #### Steps ##### PKG Fileset Create a new Fileset Group for XCreds and then either: 1. Add the provided Fileset into this group 2. Download the latest version of XCreds PKG and drag this into the XCreds Fileset Group

If the second option is actioned, the provided uninstaller will not be included, but could be added, based upon the details shown below in the uninstaller section.

##### IdP Configuration Follow the related IdP twocanoes documentation to configure the IdP App. Details from this App will be required in the next step. ##### Profile Creation Download ProfileCreator App and the twocanoes manifest from the Profile Creator page: - [ProfileCreator App Releases Page](https://github.com/ProfileCreator/ProfileCreator/releases) - [twocanoes Profile Manifest](https://github.com/ProfileCreator/ProfileManifests/blob/master/Manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.plist) On the computer running Profile Creator, add the manifest to the following user location: ``` ~/Library/Application\ Support/ProfilePayloads/Manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.plist ``` Run Profile Creator and add any items required from the chosen IdP settings, for example: Client ID, DiscoveryURL, etc. and save. [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/wy8603IOWVVXmmYr-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/wy8603IOWVVXmmYr-image.png)

For Microsoft DiscoveryURL, edit the plist, replacing 'common' with the Directory (Tenant) ID if available. For example: discoveryURL = https://login.microsoftonline.com/5c3864d2-38e9-5555-8888-621b9d17fd46/.well-known/openid-configuration

This Profile may now be used to create a Profile Fileset. Do so, by dragging this mobileconfig file to the same XCreds Fileset Group where the XCreds PKG Fileset resides. For example: [![image.png](https://kb.filewave.com/uploads/images/gallery/2023-07/scaled-1680-/uzlukxsVdfSGg5PF-image.png)](https://kb.filewave.com/uploads/images/gallery/2023-07/uzlukxsVdfSGg5PF-image.png)

The contents of the XCreds payload are beyond the scope of the FileWave interface. Once imported to FileWave, the Payload may not be edited directly within FileWave. Any attempt to view the Payload will fail to show the XCreds portion of the Payload; ensure to Cancel and not save if opened. For the same reason, it is not possible to duplicate this Fileset either. Any editing should be handled within Profile Creator and the Payload re-uploaded to FileWave.

##### Testing The Fileset Group may now be associated with one or more test devices, as seen fit. Use the above details for the licence file during testing. Once tested and all is good, the scope of association may be increased and once purchased, the licence details should be pushed as another Profile. This may also be added to the same XCreds Fileset Group

### Uninstalling Below is from their website, but this is incorporated in to the Fileset that is on this article as well so you can simply break the association and it will uninstall. 1. To remove XCreds Login, restore the backup security agent rules and remove the launch agent, run: `sudo /Applications/XCreds.app/Contents/Resources/xcreds_login.sh -r` 2. Drag the XCreds app to the trash. ### Support The twocanoes Software Knowledge Base is located at [https://twocanoes.com/knowledge-base/](https://twocanoes.com/knowledge-base/) but you can also chat on our [FileWave Discord Server](https://kb.filewave.com/books/community-engagement/page/filewave-discord-server "FileWave Discord Server") with other customers as well. Please join the [XCreds channel on MacAdmins Slack](https://macadmins.slack.com/archives/C03GBF2DE7P) for any questions you have directly for twocanoes. Paid support is also [available from twocanoes Software](https://twocanoes.com/products/mac/xcreds/). ### Related Content - [IdP Setup: Microsoft Entra ID](https://kb.filewave.com/books/identity-provider-idp-integration/page/idp-setup-microsoft-entra-id "IdP Setup: Microsoft Entra ID") - [IdP Setup: Okta](https://kb.filewave.com/books/identity-provider-idp-integration/page/idp-setup-okta "IdP Setup: Okta") - [IdP Setup: Google](https://kb.filewave.com/books/identity-provider-idp-integration/page/idp-setup-google "IdP Setup: Google")