Episode 278: XCreds with Tim Perfitt

Tim Perfitt rejoins the Pod to talk about a new project for macOS devices: XCreds! If you’ve ever dealt with labs, this episode is for you.


  • Tom Bridge, Principal Product Manager, JumpCloud – @tbridge777
  • Charles Edge, CTO, Bootstrappers.mn – @cedge318
  • Joel Rennich, Head of Device Identity, JumpCloud – @mactroll


Transcription of this episode brought to you by Meter.com

Meter is the easiest way for businesses to get internet, networking, and WiFi. Our full-stack approach combines hardware, software, and operations so that any company can seamlessly run on a reliable and modern network.

  • Streamlined installation: We take on the complexities to make designing and deployments easy, fast, and stress-free. We manage the entire installation process, and provide ongoing maintenance and support.
  • Network hardware, security & management: We design and build our own controllers, switches, and wireless access points. After the network is deployed, review your speed, usage, and security in one unified dashboard. No need to hire vendors in every location or have IT teams fiddle with manual configurations — everything is automated with our software.
  • Simple pricing: Pay one monthly rate with no up-front costs for installation, configuration, or hardware.

James Smith (00:00:00):

This week’s episode of the Mac Admins Podcast is brought to you by Kandji. Automation in IT is a hot topic, and for good reason. Automating repetitive tasks frees you to focus your skills on more strategic projects that move the needle for your organization. Kandji, the Apple device management and security platform, features over 150 pre-built automations to multiply your effectiveness and impact daily. To see how to take the repetition out of your to-do list, visit Kandji.io. That’s k-a-n-d-j-i-dot-i-o.

Tom Bridge (00:00:46):

Hello, and welcome to the Mac Admins Podcast. I’m your host, Tom Bridge, and Charles, it’s so great to see you.

Charles Edge (00:00:52):

Good to see you too, Tom. It’s been two weeks.

Tom Bridge (00:00:56):

It has been two weeks, but you’ve had a momentous life event in the meantime.

Charles Edge (00:01:01):

Yeah, yeah, I guess so. So we welcomed a new child into the home. Yay. So we had to go to the hospital for labor and all those really fun things. So, sorry I missed last Sunday. If I’d have done this instead of that, I probably

Tom Bridge (00:01:19):

You’d be in a lot of trouble.

Joel Rennich (00:01:20):

<Laugh> yeah, probably.

Tom Bridge (00:01:25):

And welcome.

Joel Rennich (00:01:26):

We’ll just let that stay <laugh> yeah, I

Tom Bridge (00:01:27):

Was gonna say, we’ll just let that stay. So we’re really excited for you. Congratulations. The Mac Admins Foundation sent you a couple of onesies that I hope got delivered before too long, which is super exciting, and you never

Charles Edge (00:01:40):

Have enough of those

Tom Bridge (00:01:41):

You never, ever can. So that is wonderful stuff. So we’ve got a guest cohost this week, as Marcus is off taking his Jamf 370. By the time you hear this, he will either have passed or have extra passed, cuz those are the only options for Marcus, I’m sure. But welcome back to the Mac Admins Podcast and, for the first time in the cohost chair, Joel Rennich.

Joel Rennich (00:02:04):

Thank you very much. I’m excited. I get to talk at this part of the pod, whereas previously the guests, right, have to stay quiet during this section.

Joel Rennich (00:02:14):

So I’m

Tim Perfitt (00:02:15):

Excited. Is that true, Joel? Is that really true?

Joel Rennich (00:02:17):

No, no. You’ve broken the third wall of radio.

Tim Perfitt (00:02:23):

I’d have to go back and see if you actually followed that rule. I bet you didn’t.

Joel Rennich (00:02:28):

I think I did cuz I was still probably trying to figure out how to record things

Tim Perfitt (00:02:32):

<Laugh> yeah.

Joel Rennich (00:02:33):

So well, excited to be here. Thanks.

Tom Bridge (00:02:36):

You’re welcome. And of course that means you’ve also introduced our wonderful guest, Tim Perfitt. Welcome back to the podcast from Twocanoes. We’re excited to be talking a little bit about a new project that you’re working on for macOS devices called XCreds. If you’ve ever dealt with lab authentication, this episode is absolutely for you, especially if you have a cloud IdP hanging out out there. So with all of that, you know, Tim, welcome back. It’s been a little bit since you were on last. What’s the latest word?

Tim Perfitt (00:03:08):

Well, thanks very much for having me on the podcast. I appreciate it. I love to join and talk about what I’ve been working on. So the big thing is XCreds. We’ll talk a little bit about how the project came to be, but it really is a way to be able to authenticate to your identity provider, your IdP, and have your local password be synced with that password. So imagine that you’re logging into Azure and you wanna make sure your local password’s the same as your Azure password, otherwise help desk tickets go up. And so we’re just getting ready to release version 2.0, which includes login window support, which means now when you log in at the login window, you log in with your cloud password, and that would automatically set your local password and your keychain password and get you those tokens that are so wonderful that allow you to authenticate to any of the websites that you go to or any other services. So XCreds, basically, it’s fun to have Joel here, right? Because most of it came from, it’s not just the motivation from NoMAD and NoMAD Login, but literally his open source projects were basically taken and used because of his liberal license. Right. And

Joel Rennich (00:04:27):

So in the best spirit of open source, yeah, that’s exactly how it was supposed to be used. So I am very excited to see this, and what you’ve done with it and where it may go. I think there’s a lot of possibility in this space.

Tim Perfitt (00:04:41):

There was one other project Joel did. It’s an OIDC open source project that’s not part of NoMAD or NoMAD Login. So it’s basically taking three things that Joel did and mixing them together in a slightly different way, putting ’em in the oven at 350 for one hour and then taking them out.

Charles Edge (00:04:59):

<Laugh>. So I used the OIDC code and the iOS app that I did for REST endpoints. So if you hit the OAuth, that’s Joel’s code <laugh> woo.

Tim Perfitt (00:05:14):

He gets a crypto, he gets a Bitcoin every time you use it.

Joel Rennich (00:05:19):

Sure. That’d be fantastic.

Charles Edge (00:05:21):

It would’ve been better six months ago than now. Oh yeah. It’s gonna quibble <laugh> <laugh>

Joel Rennich (00:05:27):

It’ll be back there. Come on. It’s going to a hundred

Charles Edge (00:05:30):

It’s <laugh> I believe that as well, and then it’ll crash back down to 20, but that’s aside from the point. So I guess, you know, when we say, quote unquote, cloud identity provider, does this work through OAuth then? Because I’m not sure how it gets a password from OAuth back down to the client. That to me is a very interesting transaction.

Tim Perfitt (00:05:56):

Right? So there’s ways to do it with the native API through OIDC, and getting the actual raw password is kind of the trick in all this. And so what we do, which is what NoMAD Login did, is at the login window, well, in the user space, we prompt the user. If we don’t know, we throw up a web view and we say log into that. At the login window, we’ve replaced the login window with a security agent. And it started out just to be one security agent, but it became pretty clear that everything’s tied in together. So it turns out if you authenticate, you also need to have a keychain. You also need to have a home directory. You also need to have, you know, different policies. So we basically have a web view.

Tim Perfitt (00:06:37):

The web view shows the login from your cloud provider, like Azure or Okta or whoever. And then basically in that HTML, the elements are passed over to Swift, and it says, Hey, I’m submitting this form. Do you wanna do anything or grab anything? And so we grab some information from that form and are able to use that to set the keychain password and verify the user, and if the password’s changed, update the local password. So that’s how we get the local password originally.

Charles Edge (00:07:10):

It’s not like an embedded web auth view, because you don’t have the password exposed in those, right?

Tim Perfitt (00:07:16):

That’s correct. That’s correct. I think there’s other ways to do it, but this is the only cross-platform or cross-IdP way to do this, to be able to get that. Cause there’s no, I mean, you could do a native UI perhaps, and we’ll get into that platform identity that we’re talking about with Apple. And I think that that’s one of the ways you have to do it, if you don’t wanna grab it from the HTML.

Charles Edge (00:07:37):

Yeah. So it’s like a white hat version of the keylogger.

Joel Rennich (00:07:41):

<Laugh> with great power,

Charles Edge (00:07:44):

Typical Joel <laugh>.

Tom Bridge (00:07:48):

You know, I think that gives us a really good understanding of what XCreds does. So I guess my second question is, why’d you build it? What was your motivating factor as you were starting to look at, you know, identity on the macOS side?

Tim Perfitt (00:08:05):

Well, I like to go through Joel’s code and complain about it. So it was my

Tom Bridge (00:08:09):

Question <laugh>

Joel Rennich (00:08:11):

And he has not talked to me since, so you must not have found anything. It was fantastic.

Tim Perfitt (00:08:16):

But, and just full disclosure, my background is definitely C and Objective-C, and Joel has a lot more experience in Swift. So a lot of my Swift is from looking at his code. And before, I would just use his code and then port it over to the stuff I need in Objective-C, but this is kind of the first project that I’ve done keeping it all in Swift. Joel will have noticed that I did add in some classes that I wanna rewrite. Joel has this philosophy that if it’s not in Swift, it’s bad, so he’ll rewrite stuff, which

Charles Edge (00:08:47):

I know, I’m with Joel on that one. <Laugh> No offense.

Joel Rennich (00:08:52):

Well, and there is just a basic layer when dealing with the login window where you have to have Objective-C entry points. So you can’t do it entirely in Swift, whether you’d want to or not. Although one thing I might plan to mess around with, and I think you’ve gotten this far, Tim, is using SwiftUI at the login window. You should be able to use SwiftUI inside a presentation controller to then be presented by the Objective-C, which could be a lot of fun just to see if that Rube Goldberg machine works. <Laugh>

Tim Perfitt (00:09:27):

So we talked about the fun, the motivation of the project, the pieces that are out there. I mean, I’ve been working with Joel a lot, just kind of around identity and CryptoTokenKit mainly, but I was approached by North Carolina State University, who said they wanted to fund a project and open source it. And it would be something that would do exactly what we’re talking about, which is basically keep your password in sync in university environments, since they wanted something that’s, you know, lightweight, open source, and also where they can support the community. And so I pitched them the idea of, instead of me writing it, they would just pay me hourly and I’d give it over to them, and then they open source it, cuz then they’d have to upkeep it.

Tim Perfitt (00:10:12):

And I’m the one that wrote the code, or took Joel’s code and ported it over. I would have to kind of upkeep it. So I pitched them the idea of basically funding the project and then having us release it from Twocanoes and then providing support in the Slack channel and all that kind of stuff. And it’s worked out really well. It was fun to negotiate the contract because they originally did it like quick contract programming. It was one of those, like you write it, we own everything. And I’m like, well, you don’t really own everything. We’re open sourcing it. So it turned out to be a commission. So it’s like a piece of art was commissioned, and this art was Swift code.

Charles Edge (00:10:51):

I mean, some Swift is certainly art.

Charles Edge (00:10:55):

Especially with SwiftUI, you can get super artsy.

Tom Bridge (00:10:59):

I was gonna say friends of the podcast Erik Gomez and Bart Reardon are smiling right now, and they don’t even know why. Because I was gonna say it’s definitely art, right? I mean, I feel like that’s very true. So I guess my question is, how did it come to pass that, you know, NC State University, and go Wolfpack, right? Like, I mean, that is their mascot there, unless they’re by in Georgia. Yep. Yes. <Laugh> How did that come to pass? How did they find you? How did you find them? What was the process for all

Tim Perfitt (00:11:32):

Of this? Well, no, it was just being part of the community and knowing the folks there. I mean, the Mac community is kind of small, and I’m known for other projects that I’ve been working on, and it’s one of those things where they had some, I think it was end of year money, or just a need that they’d be able to do it. And they wanted to do it for other schools. And that’s kinda what we’re seeing. There’s a lot of schools that are very interested in being able to do it. But I did wanna point out the things that we’re adding to the login window: you can go all the way, we added in being able to create the home directory.

Tim Perfitt (00:12:11):

And one of the things that we’ve been testing is if you have a brand new machine out of the box, you can take it and just log in. You set it up through DEP or whatever it’s called now. And then it installs the software, puts the configurations down to set up the settings, and then you can log in from that initial login with your identity provider. So if you’re Azure, you sign in with your Microsoft password, it’ll create the home directory, create your keychain, create everything that you need and log you in, and then prompt you if you were to change the password outside of the user session. So the whole thing was kind of the brainchild of Everett Allen at North Carolina State. So he’s the one that really pushed it; it was his idea to be able to have this, to put it back in the community. So I was very excited that he recognized that need. mm-hmm <affirmative>

Joel Rennich (00:13:05):

And it is fantastic that so much of the stuff from NoMAD and then later on, I mean, all that code still works, which is kind of crazy. I don’t know if that’s good or bad, that directory services pieces on the Mac are almost identical to where they were a few years ago. <Laugh> well

Charles Edge (00:13:24):

The local directory services.

Joel Rennich (00:13:26):

Yeah, absolutely. And I mean, even the network hasn’t changed that much. Right. If anything, things are going away rather than getting put in. But yeah, I mean, right, cuz we used to joke when it was in the NoMAD days, we said that, you know, the login window was the most stable API that Apple had ever made cuz it hadn’t changed since 10.3 <laugh> and I think that’s still the case <laugh>

Tim Perfitt (00:13:51):

Well, there’s certain ones that are deprecated that have been deprecated for like 13 years. And so you’re like, oh, it probably won’t go away this year.

Joel Rennich (00:13:59):

<Laugh> <laugh>

Charles Edge (00:14:04):

Like show passwords.

Tim Perfitt (00:14:06):

Yeah. Yeah. Like setting that. It’s really all the keychain stuff you work with, like to set the keychain password. It’s not just that it says this API’s deprecated, it says management of the keychain is deprecated. And so it’s like, oh, okay. But if you change those, you’re gonna end up breaking a whole bunch of other stuff. So I don’t know, Apple does that where they don’t want you to do that, but they don’t even have anything to replace it with yet. And so it just kind of sits there for a while.

Charles Edge (00:14:32):

So with keychain, are you shelling out to the security command? Are you actually interacting with an API?

Tim Perfitt (00:14:39):

All the above, all the above, and mostly

Joel Rennich (00:14:41):

You never shell out to the security command. I’ve looked at the code <laugh>

Tim Perfitt (00:14:45):

Yeah. Well, it’s mostly the keychain. There are certain things that you have to shell out for, mainly for doing some operations, creating, I don’t know, whatever, I can’t remember specifically, but all the password stuff is through the keychain APIs.

Tom Bridge (00:15:00):

Well, a lot of the FileVault controls and things along those lines, in terms of granting secure token to new users, is obviously all done with sysadminctl and a bunch of other, right, things along

Tim Perfitt (00:15:11):

Those lines. Yeah. That’s the one that you do at the shell out.

Joel Rennich (00:15:14):

Yeah. Cause there’s just no API for that. Right. Which is kind of unfortunate. And I get some of that is, you know, Apple wanting to maintain security around those things. But I think there’s probably a path where you could do both, have an API to, you know, add users and things. You’d still have to put in your, you know, the existing username and password. So I don’t think you’d have to compromise on security, but it would give you a little bit more flexibility. The difference there probably... In, you know, Tim, you’re now one of a few people that have really messed around at the login window, although this isn’t your first rodeo with the login window. You’ve been doing login window things for quite some time. Right.

Tim Perfitt (00:15:55):

So we did Boot Runner, which put this overlay on. It allows you to do dual boot on top of it. And I actually grabbed that overlay and added it, because one of the things that I wanted to add was, so there’s this question of how do you do offline access? So if you put this web view up and you have to authenticate to Azure, whatever, what happens when you’re getting on an airplane, or what happens when you’re not on a network? mm-hmm <affirmative>. Yep. And so what we end up doing is putting a button at the bottom, which is Mac login window. And so it’s basically this catchall. So you click on that and it rejiggers around all the security agents in the authorization DB, restarts it, and then you’re back in the Mac login window. But then I’m like, well, how do you get back then? Because then you gotta log in and then log out and then you’re back. So I put an overlay on top of that, where it’s back to cloud login. So you can switch back and forth between these, which is kind of neat, which seems like, this

Joel Rennich (00:16:47):

Is the beautiful part about open source, because I’ve already taken that part of your code and implemented it in another project, which is fantastic. <Laugh> So the virtuous cycle is continuing. It’s great.

Tom Bridge (00:17:03):

So how has the project been received so far? You know, what’s the public reception in your eyes?

Tim Perfitt (00:17:09):

So we’ve got a couple hundred people on Slack that have looked at it, and people are just, it’s funny. Some people just deploy stuff, right? They’ll take it and they’ll start deploying it. And so it’s been really positive. People are excited to see that this is like an open source project, you know, something they could just go and grab and do it. But it’s still, I mean, like we’re just getting ready to release 2.0. The first 1.0 was just detecting if your password’s changed out of band if you’re a local user. And I was talking with Joel about, you know, oh, I’m just gonna do the username and password at the login window. I don’t need to do keychain. I don’t need to do home directory creation, all that stuff.

Tim Perfitt (00:17:51):

But it’s so intertwined, like that experience is so intertwined that it had to be added in. And so we ended up, you know, I kind of got pulled into that rabbit hole, and by the time I came out, I’d basically ported over all the mechanisms from NoMAD Login, except there was like a login one. And then there was one other one. Oh, it even gets crazier, right? Cuz people are asking about Kerberos. They want the NoMAD Login functionality in XCreds. So like this code that I didn’t port over, they want me to port over. And then the question is, what do you do with that? Like, do you do it also, or instead of? Is it like a dual mode, or you choose Kerberos or something like that? Well,

Joel Rennich (00:18:30):

I think you’d do a dual mode. I don’t even know that that’s a question, right? Cause if you are using just AD, you could still use NoMAD Login, because I think, at least from what I can tell, everything works there pretty well on latest and greatest, and I haven’t checked on Ventura, but I’m thinking it works well. But you would want both. And I think that’s maybe interesting, especially for some of these education environments that you’re looking at, where you would still require authentication to whatever cloud identity provider they have. And then since you already know that username and password, you can just pass it into the NoMAD framework and get Kerberos tickets.

Charles Edge (00:19:13):

And that’s what’s... From there, you’re just passing it to kinit or something.

Joel Rennich (00:19:18):

Well, if you use <laugh>, this wasn’t designed to turn into a hackathon, but since we’re here, all right, so you can grab the NoMAD Login AD framework, which is all written in Swift. That should be a Swift package. I didn’t get to finish that before I left Jamf, since it’s got some Objective-C in it, but you can yell at Josh about that. And then that would allow you to establish all of the Active Directory bits and should be able to get you Kerberos tickets. You could have it as the last thing that you do as part of the login stack. And then I think it’d be, I mean, cuz if you’re in an Azure environment, you probably do have AD somewhere. So you do have Kerberos tickets that are still being used for, you know, God knows, printers or SMB shares or something like that. Right. But you’re trying to move all the way to Azure cuz that’s the future and you want to go that direction. And so putting these two things together could be interesting. I don’t know how many people, but to the people that it is interesting to, they’d be very interested.

Tim Perfitt (00:20:18):

Well, I mean, you could have it both ways. Like, what do you hinge login on? You can either have it that your password’s gonna be the same in both environments, or you put your cloud password in and then get a Kerberos ticket as a side effect, or vice versa. You get tokens based on,

Joel Rennich (00:20:32):

Well, in most cases, Azure will be synchronized to AD. In that case, if they still have AD there, whether they’re using Okta or Azure or something else as their identity provider, they most likely have some form of synchronization. Your biggest point of complexity is that AD may be hinged off of an NT name.

Tom Bridge (00:20:53):

This week’s episode of the Mac Admins Podcast is brought to you by Black Glove. Black Glove is about to be your new favorite IT partner. They provide ongoing expert support and rapid deployment services for your current, new or refreshed Apple fleets. But what they’re really providing is complete peace of mind that your technology is safe, secure, and operating at its full potential. So no more quick and expensive calls to the Geek Squad or Apple Support. Black Glove’s strategies and fixes are from the hands and minds of former Apple engineers. So not only is the expertise of this team unmatched, but their services are affordable and easy to get started with too. Fortune 500 companies and small budding businesses alike are working with Black Glove to ensure their Apple technology is doing exactly what they need it to, whether it’s helping manage your remote teams’ devices, transitioning your device management system, onboarding new employees, or casing, tagging and tracking your devices.

Tom Bridge (00:21:48):

Black Glove can handle it all. They’re also just really great people to work with. In fact, mention this podcast when you reach out to them and the Black Glove team will sponsor the next generation of Mac admins through our Mac Admins Foundation. You can learn more and get started at blackglove.com. That’s B-L-A-C-K-G-L-O-V-E.com. And while you’re at it, ask them why they’re called Black Glove. It’s a clever nod to how white glove services just don’t cut it for IT. So as you think about, you know, kind of the current state of identity, which is messy and variable, right? Like, I mean, this is very clearly written against Azure. And you know, we start to think about, well, who are the other IdPs that are out there? You’ve got Okta out there, you’ve got Google Identity. You know, what are your thoughts there in terms of where you are focused, in terms of what XCreds can do?

Tim Perfitt (00:22:41):

So the two big ones are Azure and Google. And so it works fine with both of those. There is a couple of kind of IdP-specific things that we had to add in for Google, at least one for Google, cuz you don’t get, oh, the offline token. It doesn’t use the standard OIDC with three,

Charles Edge (00:23:04):

They don’t support a flow to push the password in the clear anyways.

Tom Bridge (00:23:08):

Yeah. There’s no ROPG at all on Google,

Tim Perfitt (00:23:11):

Right. That’s why we got the password from the login window, so we don’t have to worry about that. But so, and we’ve had other folks that get in the Slack that have tried it on other IdPs, and it’s really, and we also added in to the preferences the ability to say, well, in the HTML, this is where you grab the password out of, and everything else should be relatively straightforward. So that’s really the only IdP-specific thing. There might be a couple of specific tweaks we need to do, but it really has come down to Azure and Google being the two big ones, at least in the education space where people are looking at it right now. mm-hmm <affirmative>

Joel Rennich (00:23:47):

But you should be able to work with anything that does an OpenID Connect flow, correct?

Tim Perfitt (00:23:52):

Yep. Yeah, it does. Folks have tried it out and it works. And one of the nice things about the login window is if it doesn’t work, it just denies it and flicks back to the normal one. So it’s relatively easy. Oh, and the other thing too, I love that button to go to the regular Mac login window, is it’s hard to lock yourself out. <Laugh> Cause if you, especially if you like wanna log in as a local admin, how did you actually do that, Joel, with NoMAD Login? Was there, oh no, you had the login. Could you do local admins too?

Joel Rennich (00:24:20):

So with NoMAD Login it was easier cuz we just had a username and password field. So if,

Tim Perfitt (00:24:26):

Oh, you just passed that to the local

Joel Rennich (00:24:28):

Directory, right. So we would, I’d have to look at the code cause it’s been more than a while. We would first authenticate against AD, and if that failed, we had kind of a flow chart of things that would happen. And we’d look to see if you’re a local account first, and if you were a local account and we could authenticate you that way, then you were good.

Charles Edge (00:24:49):

Kinda like the weird multi-domain in a forest flow of dsconfigad.

Joel Rennich (00:24:54):

Absolutely right. Where behavior was maybe undefined in some ways if you had the same username in multiple domains, it would maybe take the first responder, who knows, alphabetical <laugh>. And you know, so in the case of what you’re doing here, Tim, since you’ve got that webpage first, the flows are a little different, but you could certainly do, you know, some of those things. I think you’ve got a lot of opportunity there to really advance some of the workflows and other things that people were looking for.

Tim Perfitt (00:25:29):

Yeah. But I did, pretty much all my testing and coding was done on Ventura, to make sure that things didn’t break. So everything seems pretty stable all the way back. So if it works on Ventura, it seems to be working pretty fine all the way back to earlier ones. Though I don’t know, it’s not limited to what earlier ones you could run on, but there shouldn’t really be any, you could go back as far as 10.12 or 10.13, I bet.

Charles Edge (00:25:53):

So you’re selling support contracts for this too. Right?

Tim Perfitt (00:25:57):

Right. We haven’t really leaned into that yet, but it’s the same model we talked about before, what we did with MDS, being able to just sell the support based on, well, we haven’t really got the model yet. So that’s one of the interesting things, to be talking about different models. One with MDS was basically, it was either $500 for small organizations or $3,000 for large, which was an interesting way to do it. But then we got into the definitions of what’s large and what’s small kind of thing. And it gets into some interesting questions, cuz $3,000 is a lot of money, but if it’s somebody like Facebook or Google and they want to do it, then it’s obviously not very much money. So we did a model where it was based on the number of units or number of Macs that you’re managing, but then I read this other idea that I might wanna put out there, which is the ability to hold the, if you donate to the project at those two levels, $500 or $3,000 depending on size, you get access to the release build.

Tim Perfitt (00:26:59):

And then once we’ve hit a goal, like we set a goal like 10 grand or 30 grand or whatever, then we release it to the public,

Charles Edge (00:27:06):

Almost like a Kickstarter

Tim Perfitt (00:27:08):

Kickstarter or hostageware, either one works, you know, just

Tim Perfitt (00:27:15):

But what do you guys think about that? I mean, just like an idea of that. Well, one of the ideas that I was talking to Everett about, we just do like a Kickstarter. Like we have these features, yeah, once we hit this number, we will go ahead and code that up. But I don’t work that way.

Tom Bridge (00:27:30):

It feels like a bounty, right? Like this feels like a bounty, you know, if you want to participate and get this feature added to the product, well guess what, vote with your wallet.

Charles Edge (00:27:40):

Or like a darker prize <laugh> yeah,

Tom Bridge (00:27:43):

Yeah. That too.

Tim Perfitt (00:27:44):

But I can’t do that. See, my problem is I can’t do that. And Joel can’t do that either. Right? It’s like, oh, fun thing to play with, must go. So if we write it down, like this would be a great feature, I’ll go ahead and implement that right now. Like, no, you’re supposed to wait for the bounty. Like, well, I just finished it, now what do I do? Hide it? <Laugh> So it’s one of those things, like, I’m gonna merge this in only if you pay the bounty. So it’s not really a bounty, it’s basically hostage taking, or...

Charles Edge (00:28:11):

Meanwhile it’s off on some fork, and if you don’t do it immediately it gets off kilter from the main...

Tom Bridge (00:28:17):

Yeah. Dependency hell,

Joel Rennich (00:28:20):

Well, and the other thing, and maybe you’re the same way Tim, but I ran into this doing NoMAD Login, is it wasn’t a product I used myself on a daily basis. I didn’t have AD, we were a smaller shop of just a couple of people. I had written it, you know, before we started Orchard & Grove. But even then we didn’t use it at Trusource. So it was always kind of weird to be putting in these features like you’re talking about that were cool to code, but didn’t maybe necessarily make a big deal in your day to day. And I’m assuming you’re the same with Twocanoes. Is that correct?

Tim Perfitt (00:28:57):

That is correct. Though I have threatened... we did move over to, like, Zendesk and some of the other services, we use Okta to log in, and we actually enabled C login, and we have a whole line of smart cards too. And I’ve threatened the staff with having to use smart cards to log in to do their jobs. But I don’t think I wanna take that hit on productivity.

Charles Edge (00:29:15):

You don’t personally want that either, probably. <laugh>

Joel Rennich (00:29:19):

Well you want your staff to stay around.

Tim Perfitt (00:29:23):

Yeah. No matter how great you can make smart cards, it’s still... I gotta say that multifactor is the same way. Like somebody comes in and like, oh, look at this ticket. You’re like, oh, okay. I got the password. Like, oh, I got my phone. Okay. My phone’s not... where’s my phone? Go get it. And I’m waiting to put it in. There was one where I went back and forth, it was only email, and it took like 15 minutes to get the email, but it expired after 10 minutes. I thought I was gonna call somebody. Yeah. It was like, what are you doing to me here?

Tom Bridge (00:29:49):

Yeah. Greylisting comes for you every time. And you know, it’s just, ugh, that’s just murder. But you know, in addition to dollars, every open source project needs hands. Are there things that you’re looking to add to the project that you might need a hand with, or documentation, or anything along those lines that folks can help with from the community?

Tim Perfitt (00:30:14):

So my projects have been relatively small, and I don’t know if it’s an artifact of the Mac projects or if it’s just the way that smaller projects are, but it’s really, I mainly do the coding. I occasionally get a piece of code that somebody wrote, rarely do I get a pull request. And most of it, the big thing that I really enjoy working with open source software is the Slack channel where I can iterate very quickly and put builds out. People can steal it, and then being able to have people put it out there to harvest it for other things, like Joel was talking about where he took it and did some stuff. But I’ve not really had a lot of success in having multiple coders on the same projects. Like if it falls off, then somebody else can pick it up. But in terms of active commits with multiple developers, none of my projects have really been like that. Mm-hmm <affirmative> I’d love it. I mean, that’d be great, but it’s just not really worked out that way.

Tom Bridge (00:31:06):

Fair enough.

Tim Perfitt (00:31:07):

If anybody out there wants to do any pull requests or wants access to the repository, let me know.

Tom Bridge (00:31:14):

Mm-hmm <affirmative> So this question is kind of loaded, but I think it’s a big topic for people to understand. So I’m gonna just come out and ask it, and you’re gonna laugh at me and that’s okay. Which is, what have you learned so far about login windows and authentication mechanisms? Cause it’s not like I’m asking a very narrow question here.

Tim Perfitt (00:31:38):

What have I learned about them? That the login window is very complex, multi-layered, and I think it’s the way that the authorization DB works, I guess I’ve appreciated that a bit more, though I never really did in the past, just because you could really break things if you wanted to, but...

Tom Bridge (00:32:01):

You didn’t want

Tim Perfitt (00:32:01):

To, right. <Laugh> So you be careful. Especially, it was a flat file, now you have ones to do it, and you gotta be more careful now, especially on a personal machine. On a corporate machine you can easily blow it away, and it’s pretty crazy to get back. But the login window with the security agents, they have ones that run privileged, they run as root, and you’re not allowed to show UI, but then there’s one that runs as non-privileged and you’re allowed to show UI, and you run them in sequence. And so when you see the login window, you have a UI. When you put stuff in, you won’t be able to do anything; that username and password as root goes to the next mechanism, which is able to do something. And so when you look and do the, you know, say, what is it, security authorizationdb show, whatever, or read, right.

Tim Perfitt (00:32:49):

You’ll see all of these stacked down there. And the reason is it has to flip as it goes through. So like, oh, I want to create the home directory as the user. So I have to, you know, tone it. So I have to be root. Right. So you have to go back and flip over that mode, but I can’t show any progress. So I’ll wait for the next mechanism to show the error message. So that’s one of the kind of things that I learned, is that this, like, security bit mode flipping, right? It’s like, okay, I’m non-secure. It’s like, oh, certain things can’t show in a UI. It goes back and forth. So it’s neat the way that Apple stacked it that way. But it also means that you gotta think about the state that you pass along.

Tom Bridge (00:33:29):

Yeah. You get into the whole paso doble of moving back and forth between those different pieces.

Tim Perfitt (00:33:39):

Yeah. And also there’s other stuff that macOS does in between. So you do your thing and then you do some UI, some stuff is root, and then some other things flow through. And then at the end you still get your information back, and somebody else might have done something with it, or macOS may have done something with it on the road to you, or may have invalidated it and said, no, you can’t log in. So it’s a different way of coding. Right? It all goes back to one binary that gets called, but different entry points. But you gotta think of it in terms of these modules that are stacked on top of each other. So I visualize it as separate little apps, but it’s not, it’s just different entry points into it.

Tim Perfitt (00:34:17):

So I tend to go looking for, like, if I step away from the code and come back, I’m like, wow, how does this... where’s the entry point? Oh, and this is one of the beautiful things that, when I was coding, I don’t know, Joel, if this is what you did, but you can’t really run it. Right. Because you gotta log out. You’re in Xcode. You can’t really attach a debugger, though I think Quinn the Eskimo posted something about using a remote SSH logger. That was just horrible. You did, but no, yeah. <Laugh> So I had this laptop, and what I would do is I set up an SSH key as root, and I would have a script that would build it. Cuz if you built it, this is another great thing.

Tim Perfitt (00:34:55):

If you built it in Xcode and brought the binary over, it was going over to an Arm machine, so it wouldn’t work, cuz we build in Xcode and it’s only for the current architecture. Yeah. But when you do it breaks other things, it was horrible. It was horrible. So I just didn’t wanna do an archive build, but then it makes it really complicated. So I have this script that does an archive build, SSHes it over, deletes the old stuff, and then kills the login window on this other machine. And so it takes about a minute to do it. So I’m ready to, like, code away, but then you can’t put a breakpoint or anything like that. You have to look at the log. So we have this great logging system that does it. And I have another window open, which is SSHed into that and running that log. So I run this one command and I just sit back and wait, and I’ll see the login window flash. And then my log will start going. And I’m like, oh yeah, that’s great. That’s...

Tom Bridge (00:35:45):

How we had to

Charles Edge (00:35:46):

Grab screenshots for books at the login window as well. Yeah, yeah,

Tim Perfitt (00:35:51):

Yeah. But it was like, to iterate on it was this pain, cuz if you code too much stuff, you know, there’s so much interdependency on stuff. But it allowed me to, I don’t know, that was with the login window. It’s like, since it’s a core component, you can’t really have a debugger attached to it. Or you can’t really have a session going at the login window when you’re logging in. Right. And fast user switching might have worked somewhat, but it would be horrible too.

Joel Rennich (00:36:17):

Yeah, we had, at Jamf, some of the devs put together a really nice little kind of bootstrap to show some of the UI and things as we were working on these Macs. But when you’re running ’em in user space, it was such a different world that none of the logic, none of the context was there. So while you could mock the UI and make sure that worked for the most part, since the login window environment is such a different beast, there’s just no real easy way of doing that validation that you’re looking for.

Tim Perfitt (00:36:50):

Oh, on top, I remember one other thing that’s kind of neat is there’s window layering. Right? And so the login window runs, so you got these different layers, right? So if you’re at a certain layer and something pulls up, something’s supposed to be in front of another window, but that’s at a lower layer, it’ll actually be behind the one that’s in front of it. And I learned that, like, if you throw up an alert and you set the level to be screensaver, which is one of the top ones, it will go back at a level, and you have to, like, spin something off and say, oh, after you show it, change it to be a different level. So that was like, when you look at the login window, there’s all these... you don’t realize it’s a three dimensional thing.

Tim Perfitt (00:37:29):

Everything’s stacked on top of everything else. And there’s these groups of levels that do it. And so XCreds has basically an HTML view that’s full screen. And then I put an overlay, or just another window, that’s a bar across that has the buttons on it. And then you think, oh, I wanna show an alert. <Laugh> And you gotta realize, where are you showing it from? If you’re showing it from the bar versus you’re showing it from the other one, they’re at different levels. Right. And so you think your code’s not working because it’s not showing, but it is showing, but it’s completely hidden by something else. So the login window is a special beast.

Tom Bridge (00:38:04):

Hmm. That is probably the understatement of the year. <Laugh> We will mail you your award. It will be properly framed. And you know, we’ll go quiet...

Charles Edge (00:38:14):

Understated though.

Tom Bridge (00:38:16):

Yeah. Hey, yeah. Framebridge. They’re really great. They’re not a sponsor of this podcast yet, but you know, they do some very nice work. Deploying, managing, and protecting Apple devices at work shouldn’t be difficult or require several solutions. Mosyle is the only Apple unified platform for business. By combining enhanced device management, endpoint security, internet privacy and security, single sign on, and enhanced apps management into a single Apple-only platform, businesses can now easily and automatically deploy, manage and protect their Apple devices with one solution and at an affordable price. With a solution for every business size and the best support in the market, request your free account today and see firsthand why Mosyle is more than an Apple MDM. Mosyle is everything you need to work with Apple. To learn more, visit business.mosyle.com, that’s business dot mosyle dot com. You know, so Apple made some big announcements this summer about single sign on and about working with IDPs and using their new platform SSO module that’s associated with, you know, the original single sign on extensions that we’ve all been hearing about, but maybe not seeing quite as much in the marketplace.

Tom Bridge (00:39:34):

So when you started working on XCreds, was there any thought to, like, look at platform SSO as well? Or was it just, hey, maybe the architecture’s wrong for this?

Tim Perfitt (00:39:46):

So if we go back to, we were talking about how it was actually funded, it was commissioned by North Carolina State University. This was right before WWDC. Right? And so one of the discussions we had is like, what happens if we fund this project, then find out that Apple is gonna include that same thing in the OS? And so there was some discussion around that, and then the thought: not everyone runs the most recent version of the OS, as well as, you know, Apple doesn’t usually do everything, kind of thing. And so when WWDC came out, it was one of those like, oh... plus I was saying like, I don’t think they’re really gonna do that. Yeah. They won’t do that. And of course, Apple had platform SSO, which looked like it pretty much did everything that all these other folks are doing in that same space.

Tim Perfitt (00:40:28):

Right. But then when you look at it, it really seemed like the target audience was the IDPs themselves. Mm-hmm <affirmative> To put out an app to be able to modify the login window with native UI widgets. Instead of... one of the nice things about the HTML view is that if you go into your cloud console and say, I wanna turn on multifactor authentication, require push, require the app, require SMS, whatever, that view will show that; you don’t have to craft your own view for it. And this means that these IDPs have to create a Mac app that is aware of all these settings. You’d have varying levels of support, as well as having an app for their IDP on macOS for the login window, which, I don’t know if there’s any that do that, or there will be any that do that. So we’ll see. We’ll see. Yeah.

Charles Edge (00:41:19):

As far as IDPs, I haven’t seen any of them do that specifically. Yeah, that’s interesting.

Tim Perfitt (00:41:26):

But it’s the user provisioning, that’s the big... like, when I went into this, I didn’t realize how big a deal user provisioning was. Like I thought, oh, people would already have the user on the machine, but when you log in, it’s the deploying 5,000, 50,000 Macs kind of scenario. Right. And being able to log in when you’re at that scale, being able to have a single username and password, instead of having multiple ones from other places, it becomes very complicated, and streamlining that. I think that’s what NoMAD Login did a really good job of, is being able to create that and allow you to go from the very beginning. I remember when Joel first was talking about that, it was like, you know, how does that affect me? Like, I don’t care about that. I create a user account.

Tim Perfitt (00:42:06):

It’s not a big deal. And he’s like, it’s not your audience. It’s people that are handing out these laptops, sending ’em home, wanting you to sign in with the only username and password, you know, when you don’t know anything about the machines yet, except maybe that they’re gonna enroll in MDM automatically. So the platform SSO is, like, very exciting, right? This space is great. Being able to authenticate with your... well, even without a password would be great. We’re not quite there yet, but moving in that direction to see that. But I don’t know, there’s still a lot of innovation to be done in that space, I think. And I think there’s customization that Apple’s not gonna cover.

Tom Bridge (00:42:43):

Agreed. Let’s take a side detour here and talk a little bit about passkeys for a second, cuz there’s been a lot of conversation about passwordless authentication coming out here based on public key cryptography and things along those lines. Can you see a world where passkeys are viable for identity in the enterprise?

Tim Perfitt (00:43:07):

Well, passkeys is like the vendor specific version of FIDO, right? It’s the next version, then go next. And so I was just reading, somebody just shared an article with me about how one of the big deals was being able to synchronize your keys between your devices, and FIDO as an open source, or as a standard, wasn’t really dealing with that. And what we’re seeing is Google with Android and Apple with iCloud synchronization being able to synchronize those keys and being able to provide that seamless login, which, I don’t know, I have got two minds about that. One is that you really don’t wanna offload a key from a device where it should be in the enclave and do that. But also you want to be able to not write things down on sticky notes or have these password managers with everything. So it’s evolving.

Charles Edge (00:44:00):

If the key is encrypted, if the passkey is encrypted by the key in the Secure Enclave, then you would have to have that key resident on another device, right?

Joel Rennich (00:44:13):

Yes. Which is why it isn’t. Which is why you can transfer them.

Charles Edge (00:44:18):

Yeah. It seems kind of contrary to the original intent of FIDO, you know.

Joel Rennich (00:44:25):

It does. And when I, you know, attended some of the FIDO meetings and stuff, this was a big deal within FIDO in that it was a massive sea change from the original intent. And it was a bit of an existential, I think, oh, maybe not crisis for FIDO, but definitely a time for them to reassess what the real value of FIDO keys were. And, you know, Apple, and you can read Ricky Mondello, and I think some of the few other Apple engineers behind this are on Twitter. So you can get some of the feedback directly from some of those folks. And they’re very positive about, they wanted to make it as easy and as simple as possible, about passwords. And so they explicitly wanted it to be transferable in that fashion. And I get that, right, because at the end of the day, I don’t know, I did a session, was it Objective by the Sea? And I talked a lot about my personal hesitations, about some of the issues with the FIDO protocols and things like that. But then at the end of the day, it was like a hundred percent, this is better than passwords. There is no way, no matter how you spread this, bake it, chop it up, whatever, that a FIDO key is less good than a password. Right.

Tim Perfitt (00:45:45):

But this Joel, is it better than this?

Joel Rennich (00:45:47):

And for those of you at home, Tim is holding up his Apple credit card. Now, not <laugh>, he’s holding up a blank smart card that looks a lot like the Apple credit card.

Tim Perfitt (00:46:00):

Oh, okay. This is even more sleek and stylish, doesn’t have any writing on it. Is that...

Joel Rennich (00:46:05):

The old, not metal?

Tim Perfitt (00:46:06):

Is that the old, like, crypto card? This is a PIV key. It’s just a generic, it’s just a very PIV card that we do, which we also have. We sell these Bluetooth readers that do it, that the government loves, because it’s mandated to use these for a lot of applications. But I mean, my point comes to, but yeah, yes, it’s better than passwords. And instead of carrying your password on... I really see that FIDO really seemed focused on the fobs, right? Mm-hmm <affirmative>, you’d have the secure things that you would plug in, and it’s pretty clear that the phone would become that thing with the Secure Enclave. But the problem is you could get a new phone every two to four years, and...

Charles Edge (00:46:43):

Everything’s encrypted with the E CT that comes out of that secure enclave.

Tim Perfitt (00:46:49):

Well, just the thing is like, I wanna keep all my secrets here. I can’t move that over. Like take the SIM card out, whatever, move. That would be nice, right, to keep that store of it. But you wanna do everything with the internet, through the cloud, through cryptography. And so how do you do that? In fact, it’s one of the reasons I moved off of Google Authenticator, they might have a way to back it up now, but I lost... I switched phones, and like, I couldn’t multifactor anything else, basically locked out, had to reset everything. And Microsoft had a way to do it, but there’s, again, two minds. I wasn’t happy that I was having somebody in the cloud store my password or my, whatever, my keys that are generated for this multifactor. But at the same time, I still need to work. Right. I still need to get into things to be able to do things. So I don’t know. It’s a hard problem.

Joel Rennich (00:47:31):

Well, and the flow on FIDO would be that you would generate a whole new set. Right. And this is one of the things that, as humans, we’re thinking about passwords, and we’re thinking about a password as one specific thing for an account, right? You have one password, and the concept of having multiple passwords for that same account is bizarre. Right? How would you do that?

Charles Edge (00:47:51):

It’s not that bizarre. I mean, you just have multiple tokens the same way you have multiple API keys.

Joel Rennich (00:47:57):

Well, with FIDO, yes. Right. But for grandma, for your average user at home, your concept is you have a password, right? It’s some eight to 24 characters and you can’t have two of those for an account. You can only have one. With FIDO, you can have multiple passkeys, as Charles is pointing out, like API keys. And so that I think was the original intent with FIDO, is that you would get a new device before you got rid of the original one. You would then somehow sign in to all of your new services through the old device, and somehow share that with the new device, reset your password, whatever. But yeah, it’s a real pain in the rear to do that dance. And so that’s why I a hundred percent get the idea of being able to synchronize these keys across devices, it’s pretty cool. It’s gonna make the adoption of FIDO and the use of that much higher. Fantastic. It’s gonna push passwords back further and have people be more secure. Fantastic. It’s hard to argue against that.

Tim Perfitt (00:48:57):

So I’ll give you a little bit of an argument, right? This is happening multiple times, right? You got a brand new iPad, like I have here, or a new one, let’s say this is a new one. And it comes up and it says, you wanna set it up? The easiest way is to hold your phone next to it. Right. Mm-hmm <affirmative> So you do that. Mm-hmm <affirmative> And as soon as you do that... so if I have a test, this is a test one I’m using for smart card development. I would only set up a test user, but it’s so easy, just go like this. Right. Mm-hmm <affirmative> And then my QA person, I’m like, ah, go test this out right now. I just handed over my life. Right?

Tim Perfitt (00:49:27):

It was easy.

Charles Edge (00:49:29):

That’s not something most people do. I don’t think.

Joel Rennich (00:49:33):

Yeah. I’ve not

Tim Perfitt (00:49:34):

Needed iPad. Really? You don’t think you’re setting up your wife’s computer? I don’t know. It seems so easy to be able to set it up with those, all the machines in the office. Like you have a kiosk, I’ll go ahead and use my iCloud account, otherwise I’ll have the great one. It just becomes so...

Charles Edge (00:49:47):

Easy. I haven’t done that for years. I mean, I have dedicated, you know, accounts that I do that kind of stuff with that I assume are not trusted. They don’t have any information in them. So...

Tim Perfitt (00:50:01):

How many, Charles, how many test machines do you have?

Charles Edge (00:50:06):

But none of them... not, I am diligent. <Laugh> You know, I’ve worked in organizations where people just grab an iPad off your desk to test, right.

Tim Perfitt (00:50:17):

My point isn’t that you shouldn’t do it. Right. But Apple wants you to, oh my God, do they want you to. You sign in, and it’s like, do you wanna do your iCloud? No. You sure you wanna do it? Okay. It prompts you to do this. You can’t get this. Now you try to log in. Oh, I just wanna grab my keychain, my password. We’ll just synchronize your password. Just go ahead and put that one thing in and everything will be fine. And as soon as you do that, everything is fine. But now that machine, you have to control that machine. And that’s why it becomes... I don’t feel like I control where everything’s synchronized out. In fact, I know I don’t, cuz somebody calls the office and like four machines around me ring my cell phone, because, you know, it’s all...

Charles Edge (00:50:52):

<Laugh> It rings on the Mac as well.

Tim Perfitt (00:50:55):

Yeah. I learned our lab janky one, this one we have in, like, the conference room, started ringing when my cell phone rang. It’s cuz I had signed into iCloud on it, and I’m like, ah...

Joel Rennich (00:51:06):

Yeah, didn’t mean to do that. No, having access controls around those would be better. Absolutely.

Charles Edge (00:51:12):

Device-based ACLs.

Joel Rennich (00:51:14):

<Laugh> Or anything. Right. Just for the user. Right. Cause right now, once it goes into iCloud Keychain, it’s everywhere. Yeah. You don’t have any opportunity to say who you can share it with. I mean, something’s, well...

Charles Edge (00:51:26):

It’s everywhere. 75 or 80% of the time.

Joel Rennich (00:51:30):

<Laugh> Fair enough. It’s maybe not a hundred percent, but not your choice for what that 15...

Joel Rennich (00:51:36):

Is. That’s the

Tim Perfitt (00:51:37):

Difference. If only AirDrop worked as well as iCloud Drive to...

Joel Rennich (00:51:40):

Synchronize, though. I mean, there’s some things... we recently had some hail here, so we’ve been negotiating some insurance payouts for the roof. Right. And my wife and I both are trying to sign into the same account at the same time. It’d be fantastic to have a shared keychain, just like in the WWDC session, where I could hand her this passkey to my State Farm account. And then she would be able to sign in as me, cuz some things are under my name, some things are under her name apparently, and that’s dumb. So this way we could solve all that. But then there’s a lot of other things that I’m not certain would be an appropriate action to have. You know, current employer would not be excited about me sharing, you know, my access to Google Drive or something else like that with my wife.

Joel Rennich (00:52:27):

Even though I may be, you know, interested in that so she could see my calendar and know when I wouldn’t be around. But so having that access control would be fantastic. Even worse, maybe not worse, but as long as we’re on passkeys here, I could share a passkey with you, Tim. I think they showed that at WWDC. I think there was some conversation about maybe pulling that back. But then once I’ve shared that passkey with Tim, it’s like the connection is broken. I can’t pull it back. I can’t say, you know, sorry, I didn’t mean that.

Charles Edge (00:53:01):

Even though the technology is very similar to, like, in Facebook, if you change your password, it asks, do you wanna revoke this key from all other devices? Mm-hmm <affirmative> I mean, it’s almost identical technology.

Tim Perfitt (00:53:13):

So I think that the core goes down to what identity is, right? Who controls your identity right...

Joel Rennich (00:53:20):

Now? And now we’re getting to the meat of this conversation.

Tim Perfitt (00:53:23):

Who is it to be? And iCloud’s really interesting. Right. And passkeys are really interesting, cuz instead of saying we’re the authority, they’re saying we’re gonna wrap and kind of manage all your stuff for you. And that example Charles gave with Facebook revoking them, they’re the provider, the ID... well, they might be an identity provider, whatever, they’re providing that function to be able to do it. And the question is, how does passkey interoperate with all these other things that wanna control your identity? And the thing is, it’s the person who should control the identity, right? You don’t want to have the centralized authority do...

Charles Edge (00:53:59):

It. Yeah. I would assume granular controls like that, being able to revoke per device or per user, will be version three or four. That to me seems imminent. Like there’s just no choice not to build it eventually.

Joel Rennich (00:54:17):

Well, many systems that allow you to use FIDO should show you all the current existing FIDO keys. Right? Because that is an important piece, absolutely, of what we’re talking about here. The problem is that most people don’t know, cuz they’re just random alphanumeric strings. And the whole point about FIDO is protecting the user’s privacy. So the system you’ve given or created this key for doesn’t even know what device it came from, or anything other than it’s associated with this user. So it is somewhat complicated to try and figure out which one was the right one. If I go into, like, an Okta test account I had, I had like 25 different FIDO keys associated with it, and no way in heck did I have any reason to know how to remove one or where they were even set.

Charles Edge (00:55:05):

But they were all yours, as opposed to you sharing them with another human.

Joel Rennich (00:55:11):

Sure. But if I had shared it with another human, what would be the difference in that UI? It would be exactly the same. It would be, here’s a random alphanumeric, right? Cuz I haven’t done much work with passkeys directly in the Okta interface, for example, but these were all... I’ve got a mass of YubiKeys, right? Probably like a dozen of them on a key ring. And so they would be keys spread out between these dozen FIDO keys that I would have no idea where they went to. And with a passkey it’ll look exactly the same, because the beauty of a passkey is that the system doesn’t realize it’s not a FIDO key in the normal sense. And so that’s where I think things get a little more interesting. These are all good maneuvers to have. It increases security. It gives customers, it gives consumers a lot more flexibility with how they do passwords, but there are some follow on effects that I think, I mean, well, frankly, it’s what keeps all four of us in business. Right? <laugh>

Tim Perfitt (00:56:10):

<Laugh> well, it’s, it’s interesting to me that, I mean, you can have the you can turn off keychain syncing up through the current OS, but I believe that’s changing. Right? So you don’t really, it’s one of those things that are built in now. Right. So how much control do you have over it? Which I guess it’s drive, it’s putting boundaries, right? Your boundary used to be the device right now. It’s all your devices tied together by iCloud and saying that’s one security zone. Like if somebody gets inside that security zone and we’ll see, you know, does Facebook get included inside of that? I mean, as it, as it grows out, who’s gonna become the who’s gonna help us manage our identities. And it’s not even one identity. Why give your work identity? And you have your personal identity and you have your gray man identity

Charles Edge (00:56:59):

<Laugh> and for any, I mean, for anyone who’s got a crypto wallet, you know, we, we all have a bunch of these, right. So it’s not like we’re talking about one I one, I, you know, to your point, the there’s the gray man identity for, I guess your crypto wallet or your CIA operations, whatever <laugh> but

Tim Perfitt (00:57:22):

Actually have multiple CIA operations going on just like Joel and Okta. I have 26

Joel Rennich (00:57:26):

XNA on the,

Joel Rennich (00:57:28):

CIA operations, Tim.

Charles Edge (00:57:33):

It is interesting how, you know, it all goes to me, it all goes back to keychain, the original sin, because all of these passwords and passcodes are just sitting in there for the pinging perhaps, right?

Tom Bridge (00:57:51):

I mean currently. Yes. But like once we get into passkeys, no. I mean, because those are, those identities are part of the SEP, right?

Joel Rennich (00:58:01):

No, they’re not, that’s the problem, right?

Charles Edge (00:58:03):

Yeah. They’re, they’re encrypted with keys.

Tim Perfitt (00:58:06):

Yep. That’s the big

Charles Edge (00:58:07):

Deal. They’re encrypted with the elliptical keys, but they’re not actually in that zone.

Joel Rennich (00:58:12):

I, I would even hesitate on saying they’re encrypted with anything from the Secure Enclave. It depends on the use case. As soon as they get into the keychain on the Mac, right? The iOS is a little bit different of a beast. But on the Mac, if you can lift that keychain, I guess they’d be in the local items. Well, we can get into the vagaries of that there, but the, the end result is that they are not device bound in any way. They may be protected by device protections, but they’re not device items.

Charles Edge (00:58:40):

Well, you can’t decrypt them from another device because the other device has a different ECC key

Joel Rennich (00:58:46):

Until you type in your iCloud password and everything else comes down.

Charles Edge (00:58:50):

Yeah. But the protections like <laugh>. So going back to something Tim was talking about, if you have an extension, you can’t pipe any object that’s in a keychain into your app anymore. Like there’s, there’s a whole bunch of little weird restrictions around how that information can, can flow in and outta sandboxes. If that makes sense.

Joel Rennich (00:59:12):

A a absolutely there there’s a, a bag of screaming cats of, of things. Some are intentional, some are just the way it works. But at the end of the day, your passkey is in iCloud. It’s encrypted in iCloud. Let’s not, you know, especially with missing texts that have gone recently and things like that. It, it’s not just floating loose out there, but it is not device bound in any practical way because you can have them bootstrapped to another device.

Tim Perfitt (00:59:41):

So let’s bring up one other point that comes with the fact when you don’t store it in something, in something you have direct access to the actual keys, even in the encrypted form is that we talk about a phone it’s in the Secure Enclave basically instead of paying the FBI, paying a million dollars to get somebody to crack it, if you get access to your backup of the iCloud, be able to synchronize it, the problem with something in the Secure Enclave, you have an OS on top of it inside the Secure Enclave that can erase it. If you try too many times, if you have access to the raw material, you can bang on it all day long. And it’s just a matter of expense and computing power. And so that for me, is like when you synchronize it out and that goes back to what the smart cards, I mean, that’s Secure Enclave on a chip. It has an OS that’s running, you don’t get access to the material even in the encrypted form. And that means you can’t bang on it. And it’s not just limited by nation state or computing power or com or like they find where there’s vulnerabilities and algorithms. And all of a sudden, instead of taking 10,000 years, it takes, you know, 15 minutes.

Joel Rennich (01:00:41):

And now getting back to his CIA operations

Charles Edge (01:00:45):

Here, I mean, that’s the most dangerous part is the flaws and the algorithms or the flaws and the mechanisms that put information into the algorithms, I guess,

Joel Rennich (01:00:54):

Is, is now when we talk about post quantum,

Charles Edge (01:00:58):

Oh God, I don’t think we have enough time for that.

Tim Perfitt (01:01:02):

Post-quantum? I don’t know we had quantum yet. Did we get, how did we reach quantum?

Joel Rennich (01:01:05):

We’re in quantum we’re in quantum? No, I guess we’re not quantum yet. So

Charles Edge (01:01:09):

I would say we’re in semi quantum we’re in pre anti post.

Tim Perfitt (01:01:13):

Quantum has the Epstein drive

Joel Rennich (01:01:14):

Invented yet?

Tim Perfitt (01:01:16):

I don’t think the Epstein drive has been invented yet. We gotta away from that,

Charles Edge (01:01:18):

The Epstein drive. But I mean, if you read some of the papers that have come out of whether it’s Microsoft’s quantum cryptography group or some of the others, I mean, they are able to cut some of this it’s still, you know, years, but then when was the last time you changed your keychain password <laugh>

Joel Rennich (01:01:39):

Days for, for dear listeners at home post quantum is the concept that all of the encryption that we kind of know and love today is probably gonna be rendered completely trivial by any real quantum computer. And so NIST is currently working on a whole new slew of algorithms.

Charles Edge (01:01:58):

They have been since the nineties,

Joel Rennich (01:02:00):

They have been since the nineties,

Joel Rennich (01:02:02):

This is fast in, in cryptography times, but maybe not in Twitter times. And there is a great reckoning of some sort coming in the future where RSA, elliptical curve, all of these things will be, be able to be broken trivially. And the, the real interesting aspect this got brought up on, on a podcast I listened to was kind of the, the thought that, yeah, you know, there’s massive amounts of encrypted data out there, right? Most of which we’ve all forgotten about, but at one time, sometime in the future, it’s gonna be trivial to decrypt that. So if you are hoovering up all these communications going on out there today, that people think are completely safe, you’ve stored your Facebook account in an iCloud passkey, and you think you’re fantastically, okay. At some point in time in the future, all that data that’s been hoovered could just be opened up. And, you know, it’s an interesting thought that the secrets, I mean, was it Sneakers, was that really bad Robert Redford movie,

Tom Bridge (01:03:02):

Really great Robert Redford movie, that movie is amazing and I will fight anybody who says otherwise,

Joel Rennich (01:03:08):

<Laugh> nice. What was the tagline? Everything is open or something

Tom Bridge (01:03:12):

Like that. No more secrets,

Joel Rennich (01:03:13):

No more secrets. There you go. So Setec

Joel Rennich (01:03:16):

When quantum, quantum cryptography finally comes out and they’re able to crack RSA and ECC, then no more secrets

Charles Edge (01:03:24):

Or I, I, I don’t even think it has to be quantum cryptography. I mean, the thing is we’ve been on this thing ever since RSA was at MIT in this, what sixties mm-hmm <affirmative> that cryptography is based on these asymmetric healing links that are just trying to outrun the CPU speed and Moore’s law, the CPU speeds keep doubling. Right? So if I got some magnetic tape from 1970, it might be trivial for me to crack to Joel’s point the, the encryption that was used on that magnetic tape from that decade, but introduce something like quantum cryptography or 0.1 nanometer transistor sizes in CPUs. And if you get a jump tenfold in CPU power, then the likelihood of all of our encryption, just not making sense, because really we’ve just been using the same techniques with bigger keys, you know, so,

Tim Perfitt (01:04:31):

Well, I think, I think it’s not just Moore’s law cuz it’s, it’s, we’re talking about doubling every 18 months versus 10,000 years to decrypt something. It’s really the vulnerabilities they look at. And, and it’s a number of keys, right. Going 2048 to 4096 gets incredibly large. But I don’t know if it’s we’re not just, we’re not just outrun it. Right. We’re a decade ahead kind of thing. And I think if we do that, what problem with quantum is it could change that to being, you know, now that horizons

Charles Edge (01:04:59):

That’s what I mean. Yeah, exactly.

Tom Bridge (01:05:01):

Well, I always go back to the Neal Stephenson book, if you’ve ever read Cryptonomicon, and you know, I was gonna say that I read that God the summer of my junior year in college and it kind of changed my brain for many ways, but you know, you think a little bit about what Avi’s talking about in that book. As long as men are capable of evil, I want this to be encrypted. And I was like, I, I don’t think the key material can be that large of it, but <laugh> you know, they were talking about 4096 bit keys 20 years ago and those keys are still safe today, as far as we’re aware and probably will be for some time. But those are the kind of things that you have to think about how long do you want to actually keep something secret? How long do you want to essentially say that the material you’re about to access or the action you’re about to take as a user is really actually done by you?

Tim Perfitt (01:05:51):

Well, it really comes down to cost benefit, right? Like the, you can crack my iPhone and get the secrets out of it. Right. But it’s gonna, a nation state actor is gonna do it unless they have really bad password, let’s say have a good password to

Tom Bridge (01:06:02):

Do it. No Kanye would’ve

Tim Perfitt (01:06:04):

One, one. Yeah. That kind of, that kind of thing, by the way, I’m not a big fan of Kanye, but I I’ve thought about that. The 1, 1, 1, 1 you’re talking about in the old office when he did that, if I was gonna go in the old office and bring my phone in, I would change my password to be 1, 1, 1, 1, 1, right. Because otherwise it would see

Tom Bridge (01:06:22):

Where my password, my phone into the

Tim Perfitt (01:06:23):

Al yeah. I would

Joel Rennich (01:06:24):

Think you’re assuming a level of prep that is maybe,

Joel Rennich (01:06:29):

Not. But I

Tim Perfitt (01:06:31):

<Laugh>, I, I, yeah,

Joel Rennich (01:06:33):

You’d use your face is what you’d use and then you wouldn’t have to have this problem there.

Joel Rennich (01:06:41):

But if you did hack Tim’s phone, all you’d see is pictures of Teles. And

Tim Perfitt (01:06:46):

I, my fun, my son has gotten me to unlock my phone, trick me into looking at my phone and unlocking it. Right. It’s not that hard. The, so the thing is we talk about these key sizes, the social engineering, it’s the easiest way about it, right? Oh yeah. It’s really good. I mean like

Joel Rennich (01:07:01):

XKCD man with a wrench. Yeah.

Tim Perfitt (01:07:04):

Or just somebody promising you something that’s too good to be true. Right. Just sign it over. Yep.

Tom Bridge (01:07:11):

<Laugh> so I, I had a whole set second set of questions here, kind of on the state of identity between Windows and macOS as well as how maybe should identity work on macOS and I wanna save those at this point. I wanna save these for a future episode. I feel like I wanna have a little bit of a part two for this later on. Talk about some great guests. I’d love to have a part two. Yes. Yeah. You guys wanna come back in a couple of weeks and we’ll keep talking about this.

Joel Rennich (01:07:36):

Well, in a couple of weeks, we probably should know more about platform SSO. Yep. And I think that’s something that ties very closely into what XCreds is already doing. As you know, we’ve kind of already chatted about that some already but it’d probably be really good to absolutely catch up about that. Get deeper into XCreds and see where we go from there.

Tim Perfitt (01:07:57):

Yeah. That’d be more than willing. That’d be great.

Tom Bridge (01:07:59):

Fantastic. Here at the Mac Admins Podcast, we wanna say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. SBAA. Thank you, Adam. SBY. Thank you, Nate Walck. Thank you, Michael Michaels. Thank you, Rick Goody. Thank you, Mike Boylan. You know it. Thank you. Melvin Vives. Thank you, Bill Stites. Thank you. Anoush d’Orville. Thank you. Jeffrey Compton, M. Marsh, Stu McDonald, Hamlin Krewson, Adam Burg. Thank you, A.J. Potrebka. Thank you, James Stracey, Tim Perfitt of Twocanoes. Thank you, Nate Cinal, Will O’Neal, Sebastian Nash, the folks at Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, Bill Smith, and Weldon Dodd. Thank you all so much. And remember that you can back us if you just head out to patreon.com/macadmpodcast. Thanks everybody.

Tom Bridge (01:08:57):

So we’ll put a pin on that one and, you know, come back to it. But, you know, I, I think that for a bonus question this week, I would love, and you’ve got my brain thinking about Sneakers, right? Because again, one of my top five favorite movies of all time, not gonna lie, love that movie totally holds up the voice authentication system. That’s in that movie. My voice is my passport. Verify me right. Like that’s what you need to get through the little like security murder room in order to get into the the guy, the guy’s toy factory or, or, or whatever his office was in, in the particular piece, it’s a crazy bit of authentication or it’s a crazy bit of authorization and

Charles Edge (01:09:38):

Authentication. I mean, I did it with Wells Fargo yesterday.

Tom Bridge (01:09:41):

Nice. I was gonna say I’ve, I don’t think I’ve ever done like a voice print authentication.

Charles Edge (01:09:46):

Wells Fargo does it.

Tom Bridge (01:09:47):

They do. Oh, on the phone.

Joel Rennich (01:09:50):

What’s what’s the pass phrase that you have to say and wait until I hit the record button.

Charles Edge (01:09:55):

I mean, you could stitch it together with all of our previous episodes. I’ve said those words, but you have to be calling from my phone for it, to it, to do it, but then you just SIM Jack me. It’s all good.

Tom Bridge (01:10:06):

Well, and I think that, that takes me to my question, which is what is the most like what, what is your favorite like Rube Goldberg you know, ID check device protocol that you’ve seen just in terms of like, I cannot believe that this is what you’re actually having me go through in order to do this

Charles Edge (01:10:27):

American express, checked my credit and asked me questions for my credit report, which I thought was creepy and conniving and kind of cool all at

Tom Bridge (01:10:37):

The same time.

Joel Rennich (01:10:38):

<Laugh>, I’ve, I’ve been through that where they give you, like here’s three streets, which one did you live on?

Tom Bridge (01:10:44):

Yeah. Which model of car did you own at one point is another good one that comes out of that.

Charles Edge (01:10:49):

Yeah. Yeah.

Joel Rennich (01:10:51):

I gotta say the creepiest, so recently one on a cruise. And you sh you have to have, you have to be vaccinated before you got on the boat. Fantastic. Great. But then you had to show a COVID test, right. And we’ve probably all been through this in our lives over the last bit, and this isn’t quite authentication, but it’s definitely authorization where you get on a zoom with some poor bastard, who’s gotta watch you spit in a tube or swab your nose, and then point the camera at this COVID test <laugh> for 15 minutes just to prove that you don’t have COVID. Wow. And, you know it doesn’t take much of a security researcher or anybody to realize maybe there’s a few holes in this. I don’t know that there was a better solution, but it was definitely COVID theater. Right. you know, I, I’ve got plenty of negative COVID tests and some positive ones over the last few months. So it would’ve been very easy for me to swap in one thing for the other, I was thinking should

Tim Perfitt (01:11:57):

Call up a pregnancy test.

Joel Rennich (01:11:58):

Yeah. <laugh> <laugh> I was thinking they’d at least check the barcode on the test before and after I did the drops into it, but they didn’t do that. So that, that, that I think, I mean, it’s not, my voice is my password, but it seems like an amazing amount of feed to that’s trivial to, to bypass.

Charles Edge (01:12:21):

How about you, Tim?

Tim Perfitt (01:12:23):

I’ll give the anti example, which is, I still run into, I have to send financial documents and they’re like can I email them or upload? ’em Like, oh no, no, they’re secure. We need ’em to fax. You need ’em fax ’em over.

Tom Bridge (01:12:35):

Yeah. <Laugh>.

Tim Perfitt (01:12:37):

And this is like to my financial advisor, to the loan officer. And I’m like, the people that should know about security I’m like, do I tell them about how it’s really easy to get to listen on a telephone lines? With beeps and bloops and turn it back. I mean, it’s, and it’s in the central area and it stares at memory and, oh my God, how many reasons that this is bad, but that’s convoluted. It’s where you go. You have this PDF that you print out, that you put on a fax machine, that’s sent over to another fax machine, and then they scan it in and put on their computer. And that’s the ski method.

Joel Rennich (01:13:12):

Do you go to the local grocery store to use their fax machine?

Charles Edge (01:13:16):

And that’s still how you submit your letter of intent to play college football. Nice. All right.

Joel Rennich (01:13:25):

You’re, you’re getting ready for the, for, for new family here. Is that what you’re doing you again?

Charles Edge (01:13:30):

Oh, I was gonna go play football now. Yeah. How about

Joel Rennich (01:13:36):

You still have eligibility left? Is that I guess pro you’re always eligible, right? Is that

Tom Bridge (01:13:40):

There? There you go.

Charles Edge (01:13:41):

<Laugh> I

Tom Bridge (01:13:42):

Dunno. I think, I think for me, what it comes down to is like the, okay. So if you’ve ever lost your social security card, do that, you can go to the security would one, don’t do it. Number two, when you do the, the things that you have to bring with you to you know, to essentially prove that you are who you say you are, there’s a whole degree of difficulty associated with this intentional action, which is I need to no social security card. Well, prove to me you’re Tom Bridge. Well, okay, cool. Here’s my birth certificate here is a or, I mean, honestly, I’d love to see somebody try and do it without those things, because you can do that without those things. You can take a bank statement, you can take a birth certificate and you can walk into the social security office, cuz the, all of these things kind of back up against the exact same system. It is an amazing web of strange trust, all put into one system, just so that you can get a little piece of paper card, which you are not allowed to laminate. Which has no like mag strip of any kind, which, you know, I mean all of these things just to get this little piece of paper that is totally pointless. So count me as that with a number on it. <Laugh> yeah. With a number.

Charles Edge (01:15:05):

I wonder if that’s the same system of stuff they use for the Real ID.

Tom Bridge (01:15:11):

Transition is a little bit different there. You actually have to have a, a photo ID of some kind to go along with it, as well as a, you know, a oh gosh, you need a residency document. So it’s gotta be a utility bill or a bank statement or any number of other things that kind of backs up into the strange trust, you know, web inter of authentication.

Tim Perfitt (01:15:36):

So what, let me ask a question. If you, if you’re on a trip and your wife or kid calls you and says, I really need an appointment document that you store on the computer, what’s I just need to log into your computer. What’s your password

Tom Bridge (01:15:49):

<Laugh> right.

Tim Perfitt (01:15:51):

No. Or vice versa where you need to get in your wife’s computer and you just need to a password. Cause you know, it was there, you started do it and it’s, it’s not like you’re trying to do anything deceitful. Right? What do you give out your password and then change it? Like what do you do with that, those trusted folks in your life. And it’s like, so I’ve I’ve okay, go ahead. I’ll tell, I hear how you answer it and then I’ll tell you how I answer

Tom Bridge (01:16:10):

It. I recently set up Tailscale at home. And so now no matter where I am in the world, I can get back into the home computer. And so that would, that’s my that’s my, yeah. I can always get to where I need to go kind of situation, but yeah. I mean, oh, so you wouldn’t

Tim Perfitt (01:16:27):

Do I’ll do it for you. Is that what your answer

Tom Bridge (01:16:29):

Would? That’s right. I mean, that’s my usual,

Charles Edge (01:16:32):

It’s my, computer’s not my computer’s with me 24 7. So yeah, that my, I mean there are computers in the house that aren’t my daily driver, but yeah, my daily driver is with me at all the

Tom Bridge (01:16:44):

Time. I, I will also point out that, like I have a and everybody should have one of these. It’s a digital will. So it is the, you know, this is my password, this is my unlock password. This is the PRK for my personal device. This is the emergency kit for 1Password. This is the, you know, login password for my computer. Those things are in, you know, an envelope. I check ’em once a year just to make sure that they’re right. And they are in the safety deposit box in the, in the bedroom.

Charles Edge (01:17:16):

So I, I tried to sign, I, I thought about that, but I changed my passwords. It’s good to know that you don’t <laugh>

Tom Bridge (01:17:23):

I changed. Well again, I do change my passwords periodically and when I do change the passwords, it’s a, okay, cool. Now I have to update this document. It’s called in case of emergency it’s in a shared Dropbox folder with my wife. And so

Tim Perfitt (01:17:38):

Lets you also that

Tom Bridge (01:17:40):

Yeah, that is dropbox.com/u/ 2 6 2 5 3 9 5. Now

Tim Perfitt (01:17:46):

I’m Charles, let me I’ll nine

Tim Perfitt (01:17:48):

Let me challenge you on this. Okay? If you’re on a trip, you only have cell phone, whatever your wife calls you up, they’re getting ready to watch a movie on apple TV. And it’s prompting you for ged@mac.com. Charles, what’s your password. It’s just me and your kids in a trusted area.

Charles Edge (01:18:04):

It’s obviously a phishing attack because I don’t have sea edge at night time,

Joel Rennich (01:18:10):

Drop the mic.

Tim Perfitt (01:18:11):

Don’t tell me I’m the only one that gets these questions. Like it seems like every couple of months I’m put on the spot. Like, no, I, oh my God, what do I do?

Charles Edge (01:18:18):

I’ve reset the HBO, the Netflix. I’ve reset them all to

Tim Perfitt (01:18:22):

You. Just give it to ’em and then reset it.

Charles Edge (01:18:24):

Well, no with HBO I

Tim Perfitt (01:18:26):

Or you reset it and tell ’em.

Charles Edge (01:18:28):

Yeah, I, I, I told them and I, every time I reset it, I have to tell them all again,

Tom Bridge (01:18:33):

You know, I, I put those into common logins in, in 1Password, right? Like those

Charles Edge (01:18:38):

You wanna log to my HBO account, whatever. Yeah. How that, or my Netflix, it might be annoying if you watch this show that I happen to be watching. And then that’s

Tim Perfitt (01:18:48):

Say your iCloud cuz that’s the keys to everything. That’s every one of your passkeys do. Right? All

Joel Rennich (01:18:54):

Our iCloud family is all under my wife’s name. So it’s me calling her. <Laugh>

Tim Perfitt (01:19:03):

Right. But then you get access to all. Then you just go fast user switching, put it in, say, oh, it’s the apple TV, honey. And then you get messages to all, all our messages and all our keys.

Charles Edge (01:19:14):

I do have

Tim Perfitt (01:19:16):

Not that I’m saying, do that. I’m just saying you could

Tom Bridge (01:19:18):

<Laugh> the, the iCloud, well, the apple TV purchase method now is all done through like push alert to your phone. Mm-Hmm

Tim Perfitt (01:19:26):

To all of your iCloud devices.

Tim Perfitt (01:19:30):

Correct. So either you gotta get somebody to approve it or have a device at home which will chime like this one or the one in my lab. You gotta control all your devices. Right?

Tom Bridge (01:19:40):

Well, we probably should start to wrap things up here. Tim, it’s been awesome having you with us again this weekend. I’m glad you’ll come back in a couple of weeks. We’ll figure out how to schedule that. Cuz I think that there’s a whole broad based conversation around how identity should work. Maybe how it’s a little bit different than, you know, it is on the Windows side of the house. And you know, maybe some of what platform SSO actually means. So I’m deeply thankful of course, for all of your work on XCreds and all of the other work that Twocanoes is doing. So if folks wanna check that out, where should they go look?

Tim Perfitt (01:20:13):

twocanoes.com. We have a product page. I think it’s just twocanoes.com/xcreds or the main page is on GitHub, but really the way to do it is just go to, to the channel on, on, on the Mac Admins Slack and just look up XCreds. That’s where all the links are and that’s where kinda the community lives. So yeah, join us there and awesome. And on Slack

Joel Rennich (01:20:34):

And the, the two in Twocanoes is spelled out.

Joel Rennich (01:20:38):

Did you register number two.canoes.com?

Tim Perfitt (01:20:42):

No, I don’t do .menu, Joel, because turns out that causes problems.

Joel Rennich (01:20:48):

<Laugh> fair, fair.

Tim Perfitt (01:20:54):

I never realized it would cause problems. It turns out that making a hundred or 200 different top level domains actually cause problems. Would you

Tom Bridge (01:21:01):

<Laugh> who knew?

Joel Rennich (01:21:03):

Well snap unlimited domains, but what could go wrong?

Tom Bridge (01:21:08):

What could go wrong? Well, thanks everybody for joining us this week. And it’s been a great pleasure to see everybody. Thanks of course, to our wonderful sponsors this week, that’s Kandji, Mosyle and Black Glove. And thanks very much to our brand new accessibility sponsor Meter who are going to turn this lovely episode of the podcast into a transcript that you’ll be able to access directly through the show notes or through the website podcast. And thanks everybody. And we’ll see you next time.

Tom Bridge (01:21:50):

The Mac Admins Podcast is a production of Mac Admins Podcast, LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Codega the first time he opened GarageBand. Sponsorship for the Mac Admins Podcast is provided by the macadmins.org Slack, where you can join thousands of Mac admins in a free Slack instance. Visit macadmins.org, and also by Technolutionary LLC. Technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.




Patreon Sponsors:

The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:

Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd

Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring

Event Name | Location | Dates | Format | Cost
ACES Conference | Online | 5, 12, 19, 26 May 2022 | Synchronous • Thursdays 12:00-14:30 EDT (UTC-4) | USD$299
MacAdmins Campfire Sessions | Online (State College, PA, USA) | Thursdays in June and July 2022 | Synchronous • Thursdays 13:00-15:00 EDT (UTC-4) | Free
Apple Worldwide Developers Conference | Online (one in-person event @ Cupertino, CA, USA) | 6–10 June 2022 | Asynchronous • New sessions available daily | Free
MacDevOps YVR | Online (Vancouver, BC, Canada) | 15-17 June 2022 | Synchronous • 2 consecutive days | CAD$50-2000
Jamf Nation User Conference | San Diego, CA & Online | 27–29 September 2022 | In Person & Virtual | $899-$1299 Education; $1099-$1499 Commercial (pricing increases over time); $299 Virtual; Keynote streams free
MacSysAdmin | Online (Göteborg, Sweden) | 4–7 October 2022 | Asynchronous • New sessions available daily | Free (Optional T-shirt purchase)
Objective by the Sea | El Vendrell, Spain (Barcelona) | 3-5 October 2022 (Training), 6-7 October 2022 (Talks) | In Person | 0-499€

Upcoming Meetups

Event Name | Location | Dates | Cost
Mac Admin Monthly | Virtual | 8 March 2022, 4:30pm ET | Free
JumpCloud IT Admin Network (DC) | Virtual | 8 March 2022, 4pm ET | Free
San Diego MacAdmins Meetup | Virtual | 9 March 2022, 6pm PT | Free

Recurring Meetups

Event Name | Location | Dates | Cost
London Apple Admins Pub | Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person | Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person | Free
#ANZMac Channel Happy Hour | Online (see #anzmac in MacAdmins Slack for connection details) | Thursdays 5 p.m. AEST | Free

If you’re interested in sponsoring the Mac Admins Podcast, please email podcast@macadmins.org for more information.

Social Media:

Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!
