[Feature Request] Ability to get XCreds state via CLI #162
Comments
I was thinking through potential states that I would like to know about. I'm sure that I'll come up with more as I roll out XCreds 😅 For context, my usage is syncing existing macOS account passwords with an IdP and not utilizing the login window/account creation features – I'm sure using the login window feature would generate other states that would be useful to know about.
A related, but not necessarily a "state", info item would be the connection method/IdP – i.e. Active Directory, Azure IdP, Google IdP, Okta IdP, etc. This would help anyone who is in-between/switching methods/IdPs poll what endpoints are using what system.
Is this still wanted? Waiting for more upvotes / feedback.
I'd still love to have this feature. While I’ve already rolled out XCreds, I'd still like to be able to output its status via CLI. I could then write a MunkiReports module, for instance, to get a bird's-eye view of my fleet and proactively reach out to users to resolve XCreds issues we might catch.
OK, I could implement it this way:

- Initializing: no xcred entries in the keychain means no syncing happened.
- Synchronized: I can only go by the last sync date. Not sure how I can tell if the current login password is the same as the IdP given that the IdP could have changed since the user last logged in. Perhaps not if they cancelled when prompted?
- Out of Sync: I can only go by the last sync date. Not sure how I can tell if the current login password is the same as the IdP given that the IdP could have changed since the user last logged in. Perhaps not if they cancelled when prompted?
- Error: Other?

Another option is to provide a "last synced" date for the user account and leave it up to you to determine what that means.
Sorry for the delayed response. First, I wouldn't hold back v5 for this. I'd rather see v5 released and collaborate on this than rush this out the door or hold v5 back for this.

The goal with my XCreds CLI request is to know the state that XCreds is in. The thought spawned from looking at the XCreds menu app "Credentials Status: " and wondering if that data was exposed anywhere for me to run reports on.

Reviewing your notes, it sounds like reporting the last successful sync status might be best and to nix the 'Synchronized' and 'Out of Sync' states I mentioned. Would there be a way to report if there were any sync errors? What about reporting the "Credentials Status" that I see in the menu bar?

I quickly browsed through the XCreds code and saw a few enums that might be interesting to check via CLI. I'm curious if it'd be possible or even make sense to securely expose them:
I'm greedily looking for any data that I can get my grubby little hands on to build out status dashboards or probe endpoints for issues without having to take over a user's computer. I appreciate you looking into this with me ✌️

-bryan
I added a CLI interface to 5.2 (as of build 7289). I only have a few commands for status so far:

Mac:~ tperfitt$ /Applications/XCreds.app/Contents/MacOS/XCreds -h
USAGE: xcreds
OPTIONS:
SUBCOMMANDS:
See 'xcreds help ' for detailed help.

status shows: Password:

You said you wanted "The goal with my XCreds CLI request is to know the state that XCreds is in". Do you mean of the current logged in user? So add a section with "current user", give the username, say what the token state is, etc?

Also, you can get the output as JSON with the --json flag.

tim
Hey Tim, thanks for the update! Personally, I don't need the current logged in user, but I could see other people finding that useful. My org's usage of XCreds is "make your macOS password your IdP password". I'm looking for information like:
A couple of extras that I think could be useful:
An example usage of this using MunkiReport widgets:
Click into any of those widgets to see the list of computers with the status, click on the computer to see the error details. This is the future state that I'd love to be in. Here's some rough example output I threw together:

Status: Healthy
Status: Unhealthy
Status: Unhealthy
Status: Unhealthy
Status: Unhealthy
Status: Unhealthy
@bryanheinz doesn't your output presume a single user using xcreds? I could add the user but that may be too much info. I can update a shared pref file for success and then parse that via the command line.
OK, implemented. Here is the output in both text and json:

test:~ root# /Applications/XCreds.app/Contents/MacOS/XCreds status
test:~ root# /Applications/XCreds.app/Contents/MacOS/XCreds status --json
As I roll out XCreds it would be nice to be able to check on the state of the rollout programmatically by polling my endpoints.
A "simple" solution could be for XCreds to write its state to disk when it does a password check. A more complex, but long term (in my opinion) more useful solution could be an XCreds CLI tool that has a flag for getting the current state.