XCreds - Log in to your Mac with your Cloud Password (macOS PKG)

~~Note that this is a collaborative draft. Posting it to get feedback.~~

Overview

XCreds supercharges your Mac login window. Use your Azure, Google Cloud, Okta or any OpenID Connect password to log in to your Mac. XCreds verifies the password with your identity provider and saves the tokens to the user keychain for validation that the cloud password is in sync with the local password. Perfect. This article will show you how to use it with FileWave.

This article will give you as much detail as possible to help you get started, but this is incredibly easy software to deploy and configure and we'll show you how below.

XCreds has two components:

~~the~~

XCreds app ~~that~~-- runs in user space

~~and~~

XCreds Login ~~window~~Window ~~that is a~~-- security agent ~~that~~which runs when the user is logging in to ~~their~~macOS

~~Mac.~~

Both the security agent and the app share keychain items in the user’s keychain to keep track of the current local password and the tokens from the cloud provider. Both items prompt the user with a web view to authenticate to their cloud provider, verify login was ~~successful,~~successful and then update both the local password and user keychain passwords as needed.

Features

Login Window log in to OIDC provider
Support for Azure, Google Cloud, Okta and any OIDC provider
Initial account provisioning
WiFi Login Window configuration
Restart and shutdown from Login Window
Profile manifest available for easy configuration
Local password update with IdP password
Prompt for IdP password when changed
Login Keychain password updating
Customizable preferences
Easy deployment
Uses OpenID Connect

Attractive and pleasing menu icon
Easy configuration with profile / MDM
Profile Manifest for Profile Creator Support
Two-Factor and Multi-Factor support
New username and password window
Able to create a user as an admin using group member preference
Kerberos ticket
Switch to login window at screensaver
Reset keychain
Most preferences are now able to be overridden
Added shake to the password field

Getting Started

You'll want to review their Pricing ( https://twocanoes.com/products/mac/xcreds/#pricing ) but it's very reasonable and you can download the software and get started for free.

Download the latest PKG: Download XCreds
Review the Admin Guide: XCreds Admin Guide
Once ~~you purchase~~purchased, take a look about the license file: Install Software License Configuration Profile
Depending on the directory system you use:
- ~~Azure Setup -~~ ~~XCreds Setup with Azure OIDC~~
  - ~~Example plist config:~~ ~~example Azure mobileconfig file~~
- ~~Okta Setup -~~ ~~XCreds Setup with Okta~~
  - ~~Example plist config:~~ ~~example Okta mobileconfig file~~
- ~~Google Setup -~~ ~~XCreds Setup with Google OIDC~~
  - ~~Example plist config:~~ ~~example Google mobileconfig file~~

IdP	Microsoft Entra (Azure)	Okta	Google
Vendor Specific Instructions	Microsoft Setup	Okta Setup	Google Setup
Example Plist	Microsoft Plist	Okta Plist	Google Setup

Installing with FileWave

~~This~~Example, ~~section~~pre-created ~~I believe is the only one that needs heavy work. Help us build out this section to make it great. Comment at the bottom (must be logged in) or chat over on~~ ~~FileWave Discord Server~~

This is a PKG installer that includes a configuration file. The Requirements script looks for the mobileconfig to be installed and so these 2 components of fileset + profile work together. It looks straightforward.

~~We need to document:~~Fileset:

~~Install~~Xcreds ~~the plist for Azure, Okta or Google (see above examples)~~Fileset
~~Install~~

The provided Fileset includes:

PKG installer (~~requirements~~included ~~tests if a profile~~version is ~~present but this needs a tweak because right now it just looks for a specific ID for an azure example) -~~ ~~PKG - XCreds.fileset.zip~~ ~~it has their~~ latest build as of ~~Jul~~21/07/23)

~~21.~~

Uninstallation Script

Reboot flag enabled. The Fileset will trigger a reboot at the end of activation

Steps

PKG Fileset

Create a new Fileset Group for XCreds and then either:

Add the provided Fileset into this group

Download the latest version of XCreds PKG and drag this into the XCreds Fileset Group

If the second option is actioned, the provided uninstaller will not be included, but could be added, based upon the details shown below in the uninstaller section.

IdP Configuration

Profile Creation

Download Profile Creator App and the twocanoes manifest from the Profile Creator page:

Intwocanoes Profile Manifest

On the computer running Profile Creator, add the manifest to the following user location:

~/Library/Application\ Support/ProfilePayloads/Manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.plist

Run Profile Creator and add any items required from the chosen IdP settings, for example: Client ID, DiscoveryURL, etc. and save.

For Microsoft DiscoveryURL, edit the plist, replacing 'common' with the Directory (Tenant) ID if available. For example: discoveryURL = https://login.microsoftonline.com/5c3864d2-38e9-5555-8888-621b9d17fd46/.well-known/openid-configuration

This Profile may now be used to create a Profile Fileset. Do so, by dragging this mobileconfig file to the same XCreds Fileset Group where the XCreds PKG Fileset resides. For example:

The contents of the XCreds payload are beyond the scope of the FileWave interface. Once imported to FileWave, the Payload may not be edited directly within FileWave. Any attempt to view the Payload will fail to show the XCreds portion of the Payload; ensure to Cancel and not save if opened. For the same reason, it is anot ~~settings~~possible ~~file~~to ~~and~~duplicate ~~those~~this ~~settings~~Fileset either. Any editing should be ~~set~~handled bywithin ~~customer~~Profile Creator and ~~configured~~the ~~before~~Payload ~~pushing~~re-uploaded ~~out.~~to FileWave.

Testing

The Fileset ~~reboots~~Group ~~machine~~may now be associated with one or more test devices, as seen fit. Use the above details for the licence file during testing.

Once tested and all is ~~good~~

~~Once this section is built out then we can remove~~good, the ~~red~~scope ~~banner~~of ~~above.~~association may be increased and once purchased, the licence details should be pushed as another Profile. This may also be added to the same XCreds Fileset Group

Uninstalling

Below is from their website, but this is incorporated in to the Fileset that is on this article as well so you can simply break the association and it will uninstall.

To remove XCreds Login, restore the backup security agent rules and remove the launch agent, run: sudo /Applications/XCreds.app/Contents/Resources/xcreds_login.sh -r
Drag the XCreds app to the trash.

Support

The ~~Twocanoes~~twocanoes Software Knowledge Base is located at https://twocanoes.com/knowledge-base/ but you can also chat on our FileWave Discord Server with other customers as well. Please join the XCreds channel on MacAdmins Slack for any questions you have directly for ~~Twocanoes.~~twocanoes. Paid support is also available from ~~Twocanoes~~twocanoes Software.

XCreds - Log in to your Mac with your Cloud Password (macOS PKG)

Overview

Features

Getting Started

Installing with FileWave

Steps

PKG Fileset

IdP Configuration

Profile Creation

Testing

Uninstalling

Support

Related Content