What’s New in XCreds 5.8

Build 9058

This version is available to download from XCreds Version History.

XCreds supercharges your Mac login window. Use your Azure, Google Cloud, Okta or any OpenID Connect password to log in to your Mac. XCreds verifies the password with your identity provider and saves the tokens to the user keychain so it can validate that the cloud password is in sync with the local password.

Update Overview

XCreds 5.8 fixes a password handling issue related to the FileVault Unlock feature that required canceling the version 5.7 release. It also adds an option to use LDAP for password change checking.

FileVault Unlock

This update introduces a new feature that can help with Macs using FileVault. When FileVault is turned on and a Mac is restarted, it can appear that the XCreds login screen is not shown because macOS first shows the FileVault unlock screen, which looks almost exactly like the macOS login screen. Previously, to ensure the XCreds login screen was shown, it was necessary to disable macOS FileVault passthrough, which resulted in either multiple authentications or no cloud authentication at the Login Window. The new FileVault Unlock feature unlocks FileVault using credentials stored in the keychain or admin credentials securely entered using the XCreds command-line interface. With FileVault automatically unlocked after restart, the XCreds login screen will always be shown and the Mac will remain available on the network for remote management.

Since FileVault is unlocked automatically at startup, the security implications of this process should be considered for your organization. The FileVault login window requires the user to unlock the disk before macOS boots, which adds security features that will be disabled if the FileVault login window is unlocked automatically. Please see the Apple Platform Security Guide for details on the security features that the FileVault login window provides.

To use the FileVault Unlock feature, begin by setting either of the new preference keys shown below. The first preference key option, shouldSkipFileVaultLogin, will use the current user credentials stored in the menubar app after login and requires no additional setup. The limitation of this option is that if the Mac is restarted an additional time from the login screen instead of from user-space, the menubar app will not be able to unlock FileVault.

The second preference key option, shouldSkipFileVaultLoginAdmin, gets around this limitation and can unlock FileVault even if the Mac is restarted multiple times from the login screen. To use it, the Mac must be configured to store admin credentials using the XCreds command-line interface.

Both FileVault Unlock options are opt-in and will only be relevant if the Mac is using FileVault and the chosen preference key is set to true.

Fix Issue with Password Handling Related to FileVault Unlock

In XCreds 5.7, when using FileVault Unlock, the password was passed to the command line tool fdesetup as a command line argument to unlock FileVault at the next restart. If a user were to monitor a process listing, the password could be viewed. The 5.7 release was available for less than 24 hours; we notified customers to wait for a fix and removed the release of XCreds 5.7. The shouldSkipFileVaultLogin and shouldSkipFileVaultLoginAdmin preference keys were off by default, and this issue only applied if the keys were set to true.

XCreds 5.8 now provides the settings to fdesetup in a way that is not visible to users or process monitoring (using the -inputplist option).
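The difference between the two approaches, as an added example that is not XCreds code: a stand-in child process (not fdesetup) is started once with a constructed secret in its argument list and once with the secret sent as a plist on standard input, and the parent checks what any other local process could read from the process table. The `-password` flag and the `Password` plist key are hypothetical names chosen for this illustration.

```python
import os
import plistlib
import subprocess
import sys

SECRET = "constructed-example-password"  # constructed sample value

# Stand-in for a privileged tool (NOT fdesetup): reads a plist from stdin,
# as a tool run with an -inputplist style option would, and prints a length.
CHILD = ("import sys, plistlib; d = plistlib.loads(sys.stdin.buffer.read()); "
         "print(len(d.get('Password', '')))")


def visible_cmdline(pid):
    """Return the child's arguments as another local process would see them."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):  # Linux
        with open(proc_path, "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    # macOS / BSD fallback: ask ps for the full argument string
    return subprocess.run(["ps", "-ww", "-o", "args=", "-p", str(pid)],
                          capture_output=True, text=True).stdout


def run_child(secret_in_argv):
    """Start the stand-in, snapshot its visible command line, then feed stdin."""
    argv = [sys.executable, "-c", CHILD]
    if secret_in_argv:
        argv += ["-password", SECRET]  # hypothetical flag: secret placed in argv
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    seen = visible_cmdline(child.pid)  # child is blocked on stdin, so still alive
    payload = plistlib.dumps({"Password": SECRET})  # hypothetical key name
    out, _ = child.communicate(payload)
    return SECRET in seen, int(out.strip())


def compare():
    """Return (exposed via argv, exposed via stdin, length the child received)."""
    exposed_argv, _ = run_child(secret_in_argv=True)
    exposed_stdin, received_len = run_child(secret_in_argv=False)
    return exposed_argv, exposed_stdin, received_len


if __name__ == "__main__":
    print(compare())
```

In both runs the child receives the secret; only the run that put it in the argument list exposes it to process monitoring.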

New Preference Keys

  1. shouldSkipFileVaultLogin
  2. shouldSkipFileVaultLoginAdmin
  3. shouldUseLDAPForPasswordChangeChecking

All Changes

  • Fix autofill for non-XCreds user
  • Save password to user keychain for local users
  • Implement FileVault unlock option
  • Fix ROPG prompting issue
  • Fix issue with not prompting and password changing
  • Fix cloud login screen password detection if form has option to show password
  • Fix issue with password handling related to FileVault unlock
  • Add option to use LDAP for password change checking
