From 1e324639331c845b921716bf47283f262719e54a Mon Sep 17 00:00:00 2001 From: "Twocanoes Software, Inc" Date: Mon, 7 Aug 2023 16:50:17 -0500 Subject: [PATCH] XCreds 3.1 update (#624) * XCreds 3.1 update * Fix pfm_version --------- Co-authored-by: Dave Lebbing
---
 .../com.twocanoes.xcreds.plist | 382 ++++++++++++++----
 1 file changed, 310 insertions(+), 72 deletions(-)
diff --git a/Manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.plist b/Manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.plist
index 34f4c04ee..6ee35ca64 100644
--- a/Manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.plist
+++ b/Manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.plist
@@ -5,19 +5,19 @@ pfm_app_url https://github.com/twocanoes/xcreds pfm_description - XCreds OAuth Settings + XCreds 3.1 (5084) OAuth Settings pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_domain com.twocanoes.xcreds + pfm_format_version + 1 + pfm_last_modified + 2022-09-01T15:08:44Z pfm_platforms macOS - pfm_format_version - 1 - pfm_last_modified - 2023-02-27T13:50:21Z pfm_subkeys
@@ -125,15 +125,25 @@ A profile can consist of payloads with different version numbers. For example, c pfm_type string + + pfm_description + The desired AD domain + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + ADDomain + pfm_title + ADDomain + pfm_type + string + pfm_description The OIDC client id public identifier for the app. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#clientid + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name clientID - pfm_require - always pfm_title Client ID pfm_type 
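Review bot: The new `pfm_last_modified` value `2022-09-01T15:08:44Z` in the first hunk is earlier than the `2023-02-27T13:50:21Z` it replaces, so a 3.1 update committed in August 2023 is stamped with a date that moves backwards; it should carry the commit's own timestamp (constructed from the patch header: `2023-08-07T21:50:17Z`). The same hunk drops `pfm_require` / `always` from `clientID`, and the hunk on L3 does the same for `discoveryURL`; if that is because the new `ADDomain` key makes OIDC optional, a short `pfm_note` on `clientID` such as `Required unless ADDomain is set` would stop a profile with neither key from validating silently. Embedding the build in `pfm_description` (`XCreds 3.1 (5084) OAuth Settings`) will go stale on every release; the description reads better without the version.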
@@ -143,7 +153,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description Client Secret sometimes required by identity provider. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#clientsecret + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name clientSecret pfm_title @@ -157,7 +167,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description When set to true and the user account is created, the user will be a local admin. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#createadminuser + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name CreateAdminUser pfm_title 
@@ -165,17 +175,48 @@ A profile can consist of payloads with different version numbers. For example, c pfm_type boolean + + pfm_description + List of groups that should have its members created as local administrators. Set as an Array of Strings of the group identifier. + pfm_name + CreateAdminIfGroupMember + pfm_subkeys + + + pfm_name + group + pfm_type + string + + + pfm_title + Create Admin If Group Member + pfm_type + array + + + pfm_default + + pfm_description + When set to true and the user locks the current session, XCreds will tell the system to switch to Login Window. The current session will stay active but the user will login with the XCreds Login Window to resume the session. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + shouldSwitchToLoginWindowWhenLocked + pfm_title + Should Switch To Login Window When Locked + pfm_type + boolean + pfm_default https://login.microsoftonline.com/common/.well-known/openid-configuration pfm_description - The discovery URL provided by your OIDC / Cloud provider. + The discovery URL provided by your OIDC / Cloud provider. For Google it is typically https://accounts.google.com/.well-known/openid-configuration and for Azure it is typically https://login.microsoftonline.com/common/.well-known/openid-configuration. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#discoveryurl + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name discoveryURL - pfm_require - always pfm_title Discovery URL pfm_type @@ -187,7 +228,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description Enabled FDE enabled at first login on APFS disks. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#enablefde + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name EnableFDE pfm_title 
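Review bot: `CreateAdminIfGroupMember` grants local administrator rights, yet its description says only `Set as an Array of Strings of the group identifier` without naming which identifier (object ID or display name) or which token claim is compared, and it is the only new key in this hunk without a `pfm_documentation_url`. Suggest adding the URL the neighbouring keys use and tightening the description along the lines of `Group identifiers compared against the IdP group claim (state which identifier and whether the match is exact); members of any listed group are created as local administrators`, adjusted to how XCreds actually matches. Because an over-broad or mistyped entry here escalates every matching cloud login to admin, the match semantics belong in the manifest text, not only in the external guide.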
@@ -201,7 +242,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description Save the Personal Recovery Key (PRK) to disk for the MDM Escrow Service to collect. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#enablefderecoverykey + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name EnableFDERecoveryKey pfm_title @@ -213,7 +254,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description Specify a custom path for the recovery key. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#enablefderecoverykeypath + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name EnableFDERecoveryKeyPath pfm_title @@ -227,7 +268,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description Rotate the Personal Recovery Key (PRK). pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#enablefderekey + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name EnableFDERekey pfm_title 
@@ -235,13 +276,41 @@ A profile can consist of payloads with different version numbers. For example, c pfm_type boolean + + pfm_description + Login Window webview width (Integer). If this is not defined, it will be full width. Minimum value of 100. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + loginWindowWidth + pfm_range_min + 100 + pfm_title + Login Window Width + pfm_type + integer + + + pfm_description + Login Window webview height (Integer). If this is not defined, it will be full height. Minimum value of 100. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + loginWindowHeight + pfm_range_min + 100 + pfm_title + Login Window Height + pfm_type + integer + pfm_default file:///System/Library/Desktop Pictures/Monterey Graphic.heic pfm_description - URL to an image to show in the background while logging in. + URL to an image to show in the background while logging in. Default value: file:///System/Library/Desktop Pictures/Monterey Graphic.heic. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#loginwindowbackgroundimageurl + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_format (https?://|file:///).* pfm_name @@ -255,7 +324,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description Add a menu item for changing the password that will open this URL when the menu item is selected. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#passwordchangeurl + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_format https?://.* pfm_name 
@@ -269,9 +338,9 @@ A profile can consist of payloads with different version numbers. For example, c pfm_default xcreds://auth/ pfm_description - URI to redirect to when authentication is complete. + The URI passed back to the webview after successful authentication. Default value: xcreds://auth/ pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#redirecturi + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name redirectURI pfm_title 
@@ -283,29 +352,56 @@ A profile can consist of payloads with different version numbers. For example, c pfm_default 3 pfm_description - Number of hours for checking for password changes. Default is 3 hours. Minimum is 1 hour. + The number of hours between checks. Default value: 3. Minimum value: 0. Max value: 168. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#refreshratehours + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name refreshRateHours - pfm_range_min - 1 pfm_range_max 168 + pfm_range_min + 0 pfm_title - Password Change Check Rate + Password Change Check Rate Hours pfm_type integer pfm_value_unit hours + + pfm_default + 0 + pfm_description + The number of minutes between checks. Default value: 0. Minimum value: 0. Max value: 59. This value is added to refreshRateHours. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + refreshRateMinutes + pfm_range_max + 59 + pfm_range_min + 0 + pfm_title + Password Change Check Rate Minutes + pfm_type + integer + pfm_value_unit + minutes + pfm_default profile openid offline_access pfm_description - OIDC Scopes + Scopes tell the identify provider what information to return. Note that the values are provided with a single space between them. + +Provide the following values the follow IdPs: + +Google: profile openid email +Azure: profile openid offline_access + +Note that Google does not support the offline_access scope so instead use the preference shouldSetGoogleAccessTypeToOffline. Azure provides unique_name which is mapped to the local user account by using the prefix before “@” in unique_name and matching to the short name of a user account. Google provides “email” and is matched in the same way. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#scopes + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name scopes pfm_note 
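Review bot: `refreshRateHours` now allows `pfm_range_min` `0` and the new `refreshRateMinutes` also has `pfm_range_min` `0`, so the manifest accepts a combined check interval of zero without saying what that means; the description should state the behavior (checks disabled, or continuous polling) and, if zero is not a valid total, one of the two keys should keep a non-zero minimum. Since the minutes value `is added to refreshRateHours`, the minutes description could also make explicit that `0` hours plus `30` minutes is a valid half-hour interval. The new `scopes` description has two typos: `identify provider` should be `identity provider` and `the follow IdPs` should be `the following IdPs`.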
@@ -321,7 +417,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description When using Google IdP, a refresh token may need be requested in a non-standard way. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldsetgoogleaccesstypetooffline + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldSetGoogleAccessTypeToOffline pfm_title @@ -333,9 +429,9 @@ A profile can consist of payloads with different version numbers. For example, c pfm_default pfm_description - Determine if the mac login window or the cloud login window is shown by default + Determine if the Mac login window or the cloud login window is shown by default. When not set or set to true, show cloud login. If false, shows Mac login. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldshowcloudloginbydefault + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldShowCloudLoginByDefault pfm_title 
@@ -343,13 +439,41 @@ A profile can consist of payloads with different version numbers. For example, c pfm_type boolean + + pfm_default + 0 + pfm_description + Timer for automatically refreshing login screen in seconds. If set to 0, does not automatically refresh. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + autoRefreshLoginTimer + pfm_title + Automatically Refresh Login Window (seconds) + pfm_type + integer + + + pfm_default + Cloud Login + pfm_description + Text for return to cloud login on Mac login screen + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + cloudLoginText + pfm_title + Cloud Login Text + pfm_type + string + pfm_default pfm_description - Show the About Menu + Show the About Menu item menu. Default value: true pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldshowaboutmenu + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldShowAboutMenu pfm_title @@ -357,13 +481,27 @@ A profile can consist of payloads with different version numbers. For example, c pfm_type boolean + + pfm_default + + pfm_description + Show text at the top of the prompt window when tokens expire. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + shouldShowRefreshBanner + pfm_title + Show Refresh Banner + pfm_type + boolean + pfm_default pfm_description Show Configure WiFi button in XCreds Login. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldshowconfigurewifibutton + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldShowConfigureWifiButton pfm_title 
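Review bot: `autoRefreshLoginTimer` is an integer whose description defines `0` as "does not automatically refresh", but the entry has no `pfm_range_min`, so a profile-authoring tool will accept a negative number of seconds with no defined meaning. Adding `pfm_range_min` `0` and `pfm_value_unit` `seconds` would match the conventions this patch already uses for `loginWindowWidth` (`pfm_range_min`) on L5 and `refreshRateHours` (`pfm_value_unit`) on L7.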
@@ -375,9 +513,9 @@ A profile can consist of payloads with different version numbers. For example, c pfm_default pfm_description - If no settings are specified, preferences will not be shown on startup. + Show Settings on start if none are defined. Default value: false pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldshowpreferencesonstart + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldShowPreferencesOnStart pfm_title @@ -391,7 +529,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description Show the Mac Login Window button in XCreds Login. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldshowmacloginbutton + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldShowMacLoginButton pfm_title 
@@ -399,13 +537,51 @@ A profile can consist of payloads with different version numbers. For example, c pfm_type boolean + + pfm_default + + pfm_description + Show the local only checkbox on the local login page + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + shouldShowLocalOnlyCheckbox + pfm_title + Show Local Only Checkbox + pfm_type + boolean + + + pfm_description + Placeholder text in local / AD login window for username + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + usernamePlaceholder + pfm_title + Username Placeholder Text + pfm_type + string + + + pfm_description + Placeholder text in local / AD login window for password + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + passwordPlaceholder + pfm_title + Password Placeholder Text + pfm_type + string + pfm_default pfm_description Show message in XCreds Login reminding people to buy support. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldshowsupportstatus + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldShowSupportStatus pfm_title @@ -417,9 +593,9 @@ A profile can consist of payloads with different version numbers. For example, c pfm_default pfm_description - Show Quit Menu Item in the menu. + Show Quit in the menu item menu. Default value: true pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldshowquitmenu + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldShowQuitMenu pfm_title 
@@ -433,7 +609,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description Show the version number and build number in the lower left corner of XCreds Login. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#shouldshowversioninfo + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name shouldShowVersionInfo pfm_title @@ -445,9 +621,9 @@ A profile can consist of payloads with different version numbers. For example, c pfm_default pfm_description - Show debug local notifications. + Show push notifications for authentication progress. Default value: false pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#showdebug + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name showDebug pfm_title @@ -459,7 +635,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description When a user uses cloud login, XCreds will try and figure out the local username based on the email or other data returned for the IdP. Use this value to force the local username for any cloud login. Provide only the shortname. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#username + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name username pfm_title 
@@ -467,13 +643,65 @@ A profile can consist of payloads with different version numbers. For example, c pfm_type string + + pfm_default + + pfm_description + Reset the keychain without prompting if the login password doesn't match the local password. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + KeychainReset + pfm_title + Keychain Reset + pfm_type + boolean + + + pfm_default + + pfm_description + Update the password silently to the new one. Used with the KeychainReset if the user has a secure token. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + PasswordOverwriteSilent + pfm_title + Overwrite Password Silently + pfm_type + boolean + + + pfm_description + Username of local admin user. DO NOT SET THIS IN PREFERENCES. It is recommended to set this with the settingsOverrideScriptPath script. This user is used to reset the keychain if the user forgets their local password and to setup a secure token for newly created users. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + localAdminUserName + pfm_title + Local Admin User Name + pfm_type + string + + + pfm_description + Password of local admin user. DO NOT SET THIS IN PREFERENCES. It is recommended to set this with the settingsOverrideScriptPath script. This user is used to reset the keychain if the user forgets their local password and to setup a secure token for newly created users. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + localAdminPassword + pfm_title + Local Admin Password + pfm_type + string + pfm_default pfm_description - Show prompt to verify cloud password before setting keychain and login. + When cloud password is changed and the local keychain password and local user account needs to be changed, a verification dialog can be shown to verify the password. 
Default value: true pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#verifypassword + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name verifyPassword pfm_title @@ -483,13 +711,13 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description - hostname of the page that has the password field. + Hostname of the page that has the password field. When the user submits the form, XCreds will use idpHostName to identify a page it needs to look for the password field. The password value is identified by an HTML id defined by passwordElementID. If this value is not defined. XCreds will look for login.microsoftonline.com and accounts.google.com. This value is commonly set for other IdP’s and for Azure environments that use ADFS. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#idphostname + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name idpHostName pfm_title - IDP Host Name + idpHostName pfm_type string 
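Review bot: `localAdminUserName` and `localAdminPassword` are added as ordinary string keys whose descriptions say `DO NOT SET THIS IN PREFERENCES`, yet listing them in the manifest is exactly what lets a profile-authoring tool place a local administrator password into a configuration profile, where it presumably ends up on disk in the managed-preferences domain rather than in a protected credential store. If this repository's manifest format supports `pfm_sensitive` (or `pfm_hidden`), mark both keys with it; otherwise the description should say why the value must not go in a profile instead of only forbidding it, e.g. `A value set here is written to the device's managed preferences in readable form; deliver it via settingsOverrideScriptPath instead`. The `KeychainReset` and `PasswordOverwriteSilent` keys in this hunk act on that same admin credential, so a one-line pointer to the same caveat is warranted there. The existing `clientSecret` key in the hunk on L2 is the other candidate for the same sensitive marking.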
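Review bot: The `pfm_title` of `idpHostName` changed from `IDP Host Name` to `idpHostName`, duplicating `pfm_name` where every other key in the file uses a human-readable title (`Client ID`, `Discovery URL`); `passwordElementID` on L15 (`Password Element ID` → `passwordElementID`) and the new `ADDomain` title on L1 have the same issue. Keeping the readable title and leaving the key name in `pfm_name` is the existing convention. Wording nit in the new description: `If this value is not defined. XCreds will look for` should be one sentence, `If this value is not defined, XCreds will look for`.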
@@ -514,13 +742,17 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description - password element id of the html element that has the password. + Password element id of the html element that has the password. It is read by using JavaScript to get the value (for example, for Azure, the JavaScript document.getElementById('i0118').value is sent. If this default is not set, standard values for Azure and Google Cloud will be used. To find out this value, use a browser to inspect the source of the page that has the password on it. Find the id of the textfield that has the password. Fill in the password and then open the JavaScript console. Run: + +document.getElementById('passwordID').value + +changing “passwordID” to the correct element ID. If the value you typed into the textfield is returned, this is the correct ID. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#passwordelementid + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name passwordElementID pfm_title - Password Element ID + passwordElementID pfm_type string @@ -528,9 +760,9 @@ A profile can consist of payloads with different version numbers. For example, c pfm_default given_name pfm_description - Local DS to OIDC Mapping for First Name + Local DS to OIDC Mapping for First Name. Default value: “given_name”. map_firstname should be set to an OIDC claim for first name. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#map_firstname + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name map_firstname pfm_note 
@@ -539,16 +771,14 @@ A profile can consist of payloads with different version numbers. For example, c First Name OIDC Mapping pfm_type string - pfm_app_min - 2.1 pfm_default family_name pfm_description - Local DS to OIDC Mapping for Last Name + Local DS to OIDC Mapping for Last Name. Default value: “family_name”. map_lastname should be set to an OIDC claim for last name. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#map_lastname + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name map_lastname pfm_note @@ -557,16 +787,14 @@ A profile can consist of payloads with different version numbers. For example, c Last Name OIDC Mapping pfm_type string - pfm_app_min - 2.1 pfm_default name pfm_description - Local DS to OIDC Mapping for Name + Local DS to OIDC Mapping for Full Name. Default value: “name”. map_fullname should be set to an OIDC claim for full name. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#map_fullname + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name map_fullname pfm_note @@ -575,16 +803,14 @@ A profile can consist of payloads with different version numbers. For example, c Full Name OIDC Mapping pfm_type string - pfm_app_min - 2.1 pfm_default name pfm_description - Local DS to OIDC Mapping for Name + Local DS to OIDC Mapping for Name. Default value: “name”. map_username should be set to an OIDC claim for name. pfm_documentation_url - https://github.com/twocanoes/xcreds/wiki/AdminGuide#map_username + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences pfm_name map_username pfm_note 
@@ -593,8 +819,20 @@ A profile can consist of payloads with different version numbers. For example, c Username OIDC Mapping pfm_type string - pfm_app_min - 2.1 + + + pfm_default + name + pfm_description + Script to override defaults. Must return valid property list with specified defaults. Script must exist at path ,be owned by _securityagent and writable and executable only by _securityagent. + pfm_documentation_url + https://twocanoes.com/knowledge-base/xcreds-admin-guide/#preferences + pfm_name + settingsOverrideScriptPath + pfm_title + Override Script Path + pfm_type + string pfm_targets @@ -607,6 +845,6 @@ A profile can consist of payloads with different version numbers. For example, c pfm_unique pfm_version - 3 + 4
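Review bot: The new `settingsOverrideScriptPath` entry carries `pfm_default` `name`, which looks copied from the `map_username` entry just above it; `name` is not a meaningful default for a filesystem path and would be pre-filled by manifest-driven tools, so the `pfm_default` pair should be removed. The ownership requirement in the description (owned by `_securityagent`, writable and executable only by `_securityagent`) is the right control for a script whose output overrides every other preference, and since `localAdminPassword` on L13 is meant to be delivered through it, the description could add `The script's output is trusted as configuration; protect the file accordingly`. Typo: `path ,be owned` → `path, be owned`.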