About the school: Spring Lake Park Schools, in the Northern Suburbs of Minneapolis/St. Paul, is a school district known for small class sizes, preparing students for career and college, and a personalized approach to learning where each student is known by name, strength, interest and need. They serve 6,200+ students in their area.
Where XCreds is in their organization: Currently, XCreds is deployed on almost 600 Macs across their network, nearly all their managed Macs. They hope to put XCreds on all of the machines used by their staff and students in the near future. Their network is a hybrid environment of Microsoft Active Directory and Azure AD. They have over 750 MacBooks, 7000 iPads and Apple TVs, and a few dozen Windows-based PCs.
How they started using XCreds: They have used Twocanoes products for years (specifically Push Diagnostics and MDS). So, when they heard about XCreds, they wanted to try it, mainly because, when moving away from open-source freeware like NoMAD, which they had used previously, it is difficult to look at the cost of the competing products and justify that to a business office: “Remember that app we used that’s been free for years? Well now we need one that will cost us 10,000 times that!” They wanted a solution that allowed their workforce to be more mobile and secure by way of Azure AD while also being cost-effective, and this is what they found in XCreds.
The Problem: There were a few issues that they were looking to solve with XCreds. One was that their login software, NoMAD and NoMAD Login, had essentially been abandoned by the developer once aspects of it were rolled into a commercial product and the original developer left the company. The last update to either product was a few years ago, and there has been an increasing number of issues that can’t be fixed because the software is no longer being updated. Their staff has become more mobile and flexible, and NoMAD, which only allows you to connect to an on-site Active Directory server, caused help desk issues and tickets when staff changed their passwords off-site. Many of their services have also been moving into Azure AD and Microsoft 365, and they were looking for an app that would be compatible with this at a reasonable cost.
Deploying the software: Their major roadblock was replacing the login window, moving from NoMAD/NoMAD Login to XCreds, with minimal disruption to staff and students. Typically, the replacement requires a logout of the user to take effect. To manage this, the tech department asked their staff several times to go to Jamf Self Service and run the policy voluntarily. The policy ran a script to remove NoMAD, installed XCreds, and performed a managed restart. Staff were asked to do so by a specific day and time; otherwise, XCreds would deploy automatically. Once a staff member ran the NoMAD-to-XCreds policy, their login window was replaced by XCreds. The entire process took about two minutes for them to do. Most of the staff did this on their own with minimal disruption, and after the deadline, the technology services department automated the process to install XCreds on the few staff computers left, along with their shared computer labs.
XCreds is deployed to all macOS devices through Jamf Pro during initial setup. A configuration profile is also deployed to manage settings on the Macs. They have a custom profile based on the use case, either a staff computer or a shared computer. On shared computers, like the iMac labs at the high school, users sign in to their Microsoft 365 accounts through the custom login window, which creates a local user on the Mac. For staff computers, which are 1-to-1 and encrypted with FileVault, they appreciated that FileVault passthrough is supported and that XCreds helps staff keep their local computer password synced with their network password. It also facilitates password changes off-site without the password falling out of sync locally on their Mac.
Results & Feedback: The deployment of XCreds considerably lowered the number of Help Desk ticket requests for login issues, like password sync. Also, because they leverage multi-factor authentication with their staff Microsoft accounts, it adds an additional level of security for accessing clients. Their favorite feature is the ability to sync passwords from Azure AD to local clients. In the future, they hope to see password expiration surfaced through the UI or some other form of notification. The technology services department has heard very little feedback, and they consider that a good thing! The transition was so minimal and non-invasive that the staff noticed little had changed at all. The most feedback has occurred when staff have needed to do a password change off-site, and they were very thankful they could do so without subsequently needing a tech to fix their local password being out of sync with their Microsoft 365 account. This feedback had a frequent refrain of, “well that’s way easier than before!”