XCreds - Twocanoes Software
What is XCreds?
XCreds is the officially recommended and supported product to replace Active Directory Binding on macOS devices. XCreds integrates directly with Duke Shibboleth to authenticate and synchronize Duke NetID accounts and passwords at the login screen of macOS devices. You can read more about it at the official website: https://twocanoes.com/products/mac/xcreds/
How Does it Work?
XCreds consists of two components: An XCreds package that is available in Jamf Pro that does the actual heavy lifting on the systems and a config profile that can be pushed to systems from Jamf Pro. This profile tells the app what it needs to do and where it needs to go for the account and password verification. For XCreds to function, BOTH have to be installed on a system.
When both are installed, XCreds allows a Shibboleth login window to display as the login screen on a macOS device. A user can enter their NetID, password and multifactor response and this information will be used to create an otherwise ordinary local account on the system. The XCreds app then runs in the background and routinely checks against Shibboleth to see if there are any password changes. If there are, the user is prompted to synchronize their local account password with the new password found in XCreds.
Where can it be used?
The short answer is: everywhere. Duke has purchased a site license for this product. It can be deployed to any Duke University or Duke Health owned systems where just-in-time account creation and/or account password synchronization is needed (including staff/faculty systems). This product was originally vetted as a solution to public use shared systems (computer labs, kiosks, etc) where its impossible to provision individual accounts ahead of time and also not good security best practice to have a common login/password widely known to the user base.
Article number: KB0036363
Valid to: January 19, 2025