Episode 279: XCreds Part II with Tim Perfitt
Tim Perfitt is back again to continue last week’s episode about his latest macOS app; XCreds! If you’ve ever dealt with labs, this episode is for you.
Hosts:
- Tom Bridge, Principal Product Manager, JumpCloud – @tbridge777
- Marcus Ransom, Senior Sales Engineer, Jamf – @marcusransom
- Joel Rennich, Head of Device Identity, Jumpcloud – @mactroll
Guest
- Tim Perfitt, Two Canoes – @tperfitt
Transcription of this episode brought to you by Meter.com
Click here to read the transcript
Meter is the easiest way for businesses to get internet, networking, and WiFi. Our full-stack approach combines hardware, software, and operations so that any company can seamlessly run on a reliable and modern network.
- Streamlined installation: We take on the complexities to make designing and deployments easy, fast, and stress-free. We manage the entire installation process, and provide ongoing maintenance and support.
- Network hardware, security & management: We design and build our own controllers, switches, and wireless access points. After the network is deployed, review your speed, usage, and security in one unified dashboard. No need to hire vendors in every location or have IT teams fiddle with manual configurations — everything is automated with our software.
- Simple pricing: Pay one monthly rate with no up-front costs for installation, configuration, or hardware.
James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Kandji. Automation in IT is a hot topic and for good reason. Automating repetitive tasks frees you to focus your skills on more strategic projects that move the needle for your organization. Kandji, the Apple device management and security platform features over 150 pre-built automations to multiply your effectiveness and impact daily. To see how to take the repetition out of your to-do list visit kandji.io. That’s K-A-N-D-J-I.io.
Tom Bridge:
Hello, and welcome to the Mac Admins Podcast. I’m your host Tom Bridge and Marcus it’s fantastic to see you even though you are upside down right now.
Marcus Ransom:
I’m the right way up, it’s all of you who are upside down.
Tom Bridge:
Oh crap. It’s all of us who are upside down.
Marcus Ransom:
Exactly.
Tom Bridge:
This will never get old, will it?
Marcus Ransom:
No, no, it doesn’t. It’s real. I don’t understand why people think this is a joke. It’s real. It’s my reality.
Joel Rennich:
Am I just leaning in a one direction then?
Tom Bridge:
Yeah. You’re about two degrees off center for me, depending on how that all works out.
Joel Rennich:
Well, our north is different. Magnetic north at least is-
Tom Bridge:
That’s true.
Marcus Ransom:
I prefer emotional north.
Joel Rennich:
All right. Fair. Fair.
Tom Bridge:
Is that a situation where you know you need a vacation when your emotional north always points south?
Marcus Ransom:
Yeah.
Tom Bridge:
Well, count me as going on vacation in two days. So that will give you very much where we are, but welcome back to the podcast Joel Rennich. How are you?
Joel Rennich:
Doing well. Fantastic, this is why you live in Minnesota for this one set of three or four golden weeks, where it is goldilocks weather out there.
Tom Bridge:
Yes. And Tim Perfitt, also welcome back to the Mac Admins Podcast.
Tim Perfitt:
All right. Well, thanks very much for having me.
Tom Bridge:
I was going say we got you guys both two weeks in a row and so I feel like we’re super spoiled. We moved our schedule around, we had an opening all of a sudden and this is great. We get to finish our conversation that we started last week.
Joel Rennich:
Hold on, hold on, is this the first two parter?
Tom Bridge:
Yes, this is the first two parter, it’s like in row.
Tim Perfitt:
Oh, nice.
Joel Rennich:
Oh.
Tom Bridge:
We’ve had return guests before, but we’ve never hit the point where we ran out material, or ran out time before we ran out of material.
Joel Rennich:
Running out material is easy.
Tom Bridge:
Running out material is something we do every week, eventually. But this time we’d gotten to the end of the hour and then we went over the hour, an we still had a fair amount of bullet points left on the discussions to have. And so I’m very grateful that you guys could both find some time to come back and join us. And I think when last we left our intrepid heroes, we were talking about XCred and we were talking about the state of identity on macOS generally speaking. So if I could ask you each, you both have a ridiculously large quantity of experience dealing with identity states on macOS. Joel, I think back more than 20 years ago when we first started looking at OD together and you explained how Kerberos worked, that was a long time ago. What’s our current state of identity on macOS, is it any different than it was then?
Joel Rennich:
I would say that it is not dramatically changed. There is a certainly I think a little more awareness of Apple, Apple has spent most of its time on Managed Apple IDs, and in identity for more of the consumer space. Apple has done some great work on using iCloud, for example, iCloud Keychain, iCloud Keychain sharing, these kinds of things from a consumer perspective. But Apple has largely left the enterprise, or maybe I will just say organizational, let’s even cascade this down to education, small business, everything, let’s just not focus on enterprise. But I think Apple has left that mostly alone with a couple of blips with Apple Business Manager and things like that, where they’re dipping the toe into the water of federation with various identity providers. But I would say in general, you’re still using a username and password to log into the Mac. That password is not in the cloud, at least not when it comes out of the box as Steve intended. So we’ve got a lot of things there that I don’t think have generally changed since we started talking about dare I say the Cylinder of Destiny.
Tim Perfitt:
Let’s let’s think back. So you can log in with your iCloud password now to your Mac, right?
Joel Rennich:
You could, that got taken away.
Tim Perfitt:
Oh, I didn’t know that’s gone, when did that disappear? I never used it.
Joel Rennich:
I think it disappeared when Apple started getting subpoenas for people’s Macs, because they might have the iCloud unlock keys.
Tim Perfitt:
And if we go back further I’m just thinking about things that have changed. So there are some improve big improvements with FileVault. Remember when FileVault one was basically a disc image and it was locked.
Joel Rennich:
Absolutely. Absolutely.
Tim Perfitt:
Now they did a huge amount of work and be able to unlock the disc or at least that partition. And now when you boot into a recovery, you have to unlock that one as well. So I think that that’s, I don’t know, I’m just trying to figure the benefit of the doubt. There are some things they’ve changed, but it’s very much focused on the offline consumer piece-
Joel Rennich:
Absolutely.
Tim Perfitt:
… I believe.
Joel Rennich:
And I very much agree with you. Security has gone through the roof. You could easily make an argument that the Apple platform has become more secure than pretty much anything else out there, in subtle ways. It doesn’t punch you in the face like, “Oh my God, I’m secure.” But it is subtly secure behind the scenes in that this is a great operating system, that values your privacy and focuses on keeping you from doing silly things, not impervious by any means. But if we look at specifically identity, so the idea of who you are, how you express that, how you share that with others, mostly what you’re getting out of the box is back to that Managed Apple IDs, iCloud basket of services.
Joel Rennich:
And will not maybe intersect so much regardless of how much Apple would Managed Apple IDs to be a bigger thing with what you may be doing in the outside world, or what you’re doing at your organizational, school, education, enterprise, space. Even if we go back to FileVault, we do have the ability now to escrow keys, to do some of this, which is great. All of that’s predicated on MDM, almost none of it has anything to do with actually your identity. It’s all based more so on your device that you’re part of or potentially your iCloud account, so again we’re going back to the local aspects.
Joel Rennich:
So FileVault’s great, the security is fantastic on there. And I think Apple’s done huge amounts to promote security in this world. And doing a lot of things with security that’s not just punch you in the face security like, “Oh my God, it’s secure.” But subtle things behind the covers, iCloud Keychains, the ring of trust and things like that they have there is fantastically cool. But that, again, isn’t really linked to your enterprise or organizational identity. You can escrow FileVault keys, that’s fantastic, that’s MDM, but that’s done on one or two levels. The first one is it’s done at the device level with MDM just creating a PRK that you can use. Or if you sign in personally, it’s done at your iCloud level where you’re saving these escrow back into iCloud or whatever else. It’s really not focused on some sort of Azure, Okta or otherwise organizational identity.
Tim Perfitt:
Well, if you take a step Apple did a lot of work on the two factor authentication with iCloud, and you do have this idea of an Apple ID. If you go back when it was you could insert different mechanisms to authenticate, active directory, open directory, LDAP all those different things. It always tied into your home directory and mobile accounts, and that caused all sorts of lagginess and problems. So it’s like iPhone took away it’s individual user equals device, it’s one to one. And it feels like the Mac is the same way, but the iCloud has evolved to where it’s your Apple identity is very much, you can move it around, you get two factor authentication. But you do not really have that on the Mac, it hasn’t reached down to do that. And in fact, if you look at the iOS device, you sign into iCloud then that really is your identity on your device and that’s very transferable, but that’s not true… it is a little bit true, you sign into iCloud in system preferences, but it’s not your user password.
Marcus Ransom:
The thing that works really well that I’ve found in iOS is the idea of having multiple identities. So it’s not like the old binding to active directory model, where that’s your identity, you use that to sign into the account and use that through Kerberos or whatever to access everything. The idea on in iOS where you have your passcode to get in and out of the device, that’s a secret between you and the device and effectively nobody else. You sign in with your Apple ID to your Apple services. You can sign in with Okta to Okta services.
Marcus Ransom:
You can sign in with as Azure to Azure services. You can sign into Google and they can either be separate, or they can be federated and for me that was a real key. As soon as you decouple the user account from that identity, things get a lot better. And then the idea as both of you have discovered of having a tool that then synchronizes that, so there’s one fewer password to remember. But not pretending for a moment that that account is going to exist on whatever Mac you then happen to sign into like a network home director, or a portable home directory or mobile account, or any of these awful curse words that we’ve all had to deal with.
Tom Bridge:
Yeah. I was going to say we got to watch out for the language on that Marcus, anytime we mention portable home directories I’m sure the FCC might get involved.
Joel Rennich:
And we all have to drink one or the other.
Tom Bridge:
Oh, man, and I don’t think I have enough whiskey for that. I was going to say if you’re a new Mac Admin and you’ve never heard of portable home directories, don’t Google it and just run away.
Joel Rennich:
Did anybody use home on a iPod?
Tim Perfitt:
I did. I tried that out for about five minutes.
Tom Bridge:
People would actually do that?
Joel Rennich:
It was a real thing. FireWire iPod, it was fast at the time, and you could carry around your entire home directory on your iPod. I want to say iPad. It’s been so long since the pod was a thing. Four documents in a QuickTime MP3 of the Barenaked Ladies that came on the installation CD.
Tim Perfitt:
Well, I think at least the current OS or the next version it allows you to store your desktop and your documents on iCloud and synchronize between your Macs. So it’s almost like you’re tiptoeing back into the-
Joel Rennich:
Are you using that?
Tim Perfitt:
No. Oh God no, no.
Marcus Ransom:
So where I’ve seen that really goes spectacularly well, is where organizations decide that they want to let the user synchronize that with iCloud. But then they’re going to use known folder redirect with OneDrive to also synchronize it, and it becomes self-aware very quickly.
Joel Rennich:
Yeah. That’s crossing streams.
Tim Perfitt:
Well, let me explain my reaction so isn’t so much like it’s a bad idea. But literally, the two places that are chaos and packed with stuff that just shouldn’t be synchronized to the cloud is my desktop and my documents folder. My documents projects is where I put all of XCode projects. And my desktop is where I work on the current, so it’s a complete multi-layered mess and I don’t want that synchronized.
Joel Rennich:
I accidentally turned it on and it hasn’t been awful. There’s been one or two times where it’s actually been relatively helpful when I was on a different machine. Maybe I was on my wife’s iMac or something like that looking for a file, and then I was able to kind of get to it through all this stuff. But I otherwise just back everything up to a Git repo.
Marcus Ransom:
It doesn’t scale in an organizational framework is the way I would describe it. Once again, it’s fantastic if you want to make sure that you’ve got a copy of those documents. But trying to then manage that from a security point of view, to make sure privileged information doesn’t find its way up there, because Apple does a really good job of making sure you can’t inspect that data as it’s leaving the machine, which is great for my personal information. I don’t want Azure here in Australia being able to see that. If it was work information, I’m sure my employer would have a very different opinion on their lack of an ability to be able to control that. So really, getting back to where we started that idea of not trying to tie in identity to owning everything on your device, and being able to pick and choose and have that flexibility and control over what you-
Tim Perfitt:
Well, you just described FIDO, right?
Marcus Ransom:
… how you identify yourself to what. Exactly.
Tim Perfitt:
That’s what FIDO does. If I take it all the way back, it’s the idea is that you don’t have one core identity, but rather you generate a key for each website that you go to and have that synchronized between your devices.
Tom Bridge:
Deploying, managing, and protecting Apple devices at work shouldn’t be difficult to require several solutions. Mosyle is the only Apple unified platform for business. By combining enhanced device management, endpoint security, internet privacy, and security, single sign-on and enhanced apps management into a single Apple only platform, businesses can now easily and automatically deploy, manage and protect their Apple devices with one solution and at an affordable price. With a solution for every business size and the best support in the market, request your free account today and see firsthand why Mosyle is more than an Apple MDM. Mosyle is everything you need to work with Apple. To learn more visit business.mosyle.com. That’s business.M-O-S-Y-L-E.com. Well, let’s pause here for a second and ask an important question. And we’ve just described the state of Apple’s identity system as it currently stands. And so my questions for each Joel and Tim is do you think that what we have right now is good or bad overall?
Joel Rennich:
I’ll Tim go first.
Tim Perfitt:
I think that it’s an evolving ecosystem and there is… The Mac has been and is consumer device as well as-
Tom Bridge:
Sure.
Tim Perfitt:
… iOS fits into business, and they have done very well for what that focus is. Does it have ways that it could be more enterprise friendly, maybe installing XCreds onto your Mac to make it have a bit more cloud centric login, yes. And Apple provides the opportunities to do that, so that’s what I’ll say.
Joel Rennich:
I won’t disagree with Tim, but I will say something not quite contrarian, but at least in a different vein. In that I do believe that Apple’s got an opportunity here to forge a new way forward. If you look at so the dawn of the earth happened, apes turned into people and then we created Unix. And shortly thereafter, we found out that people were stealing each other’s crap on a shared system. And so they created a password file and the password started off as plain text, which the text file had plain text in it. And then you would hash that, if Charles was here today, he would give us 3,300 years of history of hashed password files. And he ran into Yellow Pages when then Sun got sued and it turned into NIS or whatever else. But fundamentally, at the beginning of when we first think of security or a password on a machine, it was being hashed and then checked against a local file that had a hash value of your password.
Joel Rennich:
90% of the Macs in this world today do that exact same operation 50 years later. I’m probably being a little bit overly inclusive of these things, but at the end of the day you’re still going up to your machine the first time you sign in… Now FileVault, everything, puts a lot different into this. But when you’re at the login window and you’re authenticating as a user at the login window, you’re typing in a password, that password is being hashed. It’s a much better hashing algorithm, it’s not just rock13 or whatever it was originally, and PBKDF whatever long string of letters. So it’s a really good way of doing this. But it’s effectively, you’re taking a hash password and you’re checking against the local value.
Joel Rennich:
That seems like it’s been a very long time that we’ve been operating under that same assumption. Whereas Tim just brought up FIDO keys, that’s in a whole new world, that’s actually a PKI operation. You’re doing private keys, you’re doing crypto, you’re doing some really cool stuff, that’s a lot more than just can you take a plain text that equals this hashed thing. And that’s where I think we’ve got an opportunity. Microsoft I think has done some really good work here in how they’ve glued Azure in your Azure credentials into logging into Windows Hello, specifically Windows Hello for Business. I think they put a lot of thought into that. It so happens that Apple doesn’t have a cloud identity provider. And if you’re not using Azure, Windows Hello for Business is not as functional for you. It is very locked into an Azure frame of mind, but I think they’ve done some really good work about thinking about how can a key pair allow you into a system.
Joel Rennich:
And just this kind of basic thing in that you can have multiple ways of authenticating. On the Mac right now and this is maybe the biggest thing that I’d like to see maybe changed or have control over. Right now you’ve got one option, maybe two options. One you can do some active directory Kerberos authentication, exciting, not really. Apologies, I know I did a lot to promote that 20 years ago, but it has been 20 years. Every time we bring this up, I will apologize for that, again, time changes. It was a great idea at the time, but we’ve now moved on to different things. So you can sign in from a network perspective, there’s still LDAP functionality built into the Mac, that’s I don’t know too many people using that, but you’ve got the active directory plugin.
Joel Rennich:
So you’ve got a couple of ways of doing network authentication, even though Apple themselves are now saying, “Hey, maybe focus on the local side more than the network side.” All right. So if you don’t do network and you do local, you’re again back to this same very basic operation. Type in a password and then that password is hashed compared against a plain text file it’s not, well, it’s in the open directory, local storage, and then that determines whether you can sign it or not. Now there’s some really exciting things that Apple’s glued around that with your key chain opening up, with maybe opening up some iCloud connectivity and other stuff just based upon you signing in that way, which is great. But again, still at the end of the day, we’re still the same basic operation to authenticate a user.
Joel Rennich:
And on the Mac, if you don’t go to this network through LDAP or Kerberos, you are very focused on a single way of authenticating that user. Apple cheats, maybe not cheats, they wrote the operating system, it’s not really cheating. So you can sign in on subsequent times with touch ID. And again, that’s a nice modern crypto operation. But again for the actual user account itself and this is where Tim’s put a lot of good work into Xcreds, and is doing some cool things to login window there. But Tim correct me if I’m wrong, you’re still limited by the fact that to sign into the Mac at the login window, you’ve effectively got a pass in a password somehow for the Mac to authenticate you.
Tim Perfitt:
Right to unlock the keychain and also for the other security mechanisms. But I will say that if you read the tea leaves a bit, what you just said, when you boot up the Mac you can’t use your biometric. You also can’t use your biometric as a second factor and that’s true on iOS as well, you reboot it, you put in your passcode. In fact, when you migrate a device it asks you for the passcode of your prior device because that’s what stuff is encrypted.
Tim Perfitt:
And you try to put in 1234, and it gets mad at you saying you really want to do that, that’s not an accident. I cannot believe that’s an accident. Because you could use your biometric. You could use face ID at startup, in fact Windows Hello does that. I can reboot my son’s PC and just log in. You can’t do that on iOS. You cannot use your touch ID on the Mac. It’s not a technical limitation, it’s a security decision to be made on it. So when you say Apple has an opportunity to do that, it’s that tension between the consumer side and the… And maybe it is, actually I don’t know why can’t you use touch ID when you reboot your Mac?
Joel Rennich:
Great question.
Tom Bridge:
It’s a philosophy choice. It’s a philosophy choice. It’s not a secure a procedural choice, it’s not anything else like that. It’s just what they’ve chosen to do.
Joel Rennich:
I would agree with that. If you look at these passwordless flows at the login window and I’m guilty of this as others, I’ve written software to do this. Tim you’ve helped with some of that software, so you know exactly what I’m talking about. There’s this dream of my face is my password in the Windows Hello flow or touch ID. I’m okay with putting in some sort of non passwordless… an actual password sometimes. But I would like the concept of my identity, my user record on my device is not just limited to a hash password, and I get that this is complicated. What I’d really like to do is especially working at a place that’s cloud directory and things like that, I would love to have multiple ways of unlocking that same account. And even if the first time or when you reboot from a cold boot, you still have got to use a password. I’m very fine with that and I agree with you. I think that’s a good security choice.
Joel Rennich:
If you look at some of the passwordless flows that are out there, Microsoft’s put a lot of work into ensuring you’ve got proximity next to your machine. You don’t want to have a situation where you can just get spammed with push notifications, and you accidentally hit one and suddenly your machine isn’t your machine anymore. Or even worse and I think Apple is very cognizant, even though they wouldn’t really say this much out loud of ensuring your device cannot be forcibly opened by people who aren’t yourself.
Joel Rennich:
If you’re able to get into your machine, just with touch ID from the very beginning, I think it has some interesting legal ramifications of can you be forced to offer your finger, to anybody legally got possession of your device and is trying to get something off of it, as opposed to giving them a password, which is something you would have to tell them or something else like that. So that’s where I think you’ve got a much different angle on what you do when the machine first boots up. But again, all of that is I’d love to have ways to identify an individual user in multiple flows, ideally cryptography PKI based that isn’t just a password.
Tim Perfitt:
So pull in the smart card piece. And we did some work on this too if you’ll remember that you could actually authenticate without a password, but it still would prompt you for pin and you could put whatever you want in there or just hit return. It was secure, but it was very much required some input to be able to do that, which was I don’t know for me telling that it did very much is based on user input. And as somebody that’s had to enter in my generated password for Microsoft into an Xbox 360 with the remote control, that’s insane, that’s insane. You cannot say use a password manager and they require people to type it in an Apple TV remote, that’s just-
Marcus Ransom:
I was going to say that’s the benchmark for me is the original Apple TV remote the worst possible…
Joel Rennich:
But you can dictate it.
Marcus Ransom:
We can use them as FIDO keys. There we go, you can use your Apple TV remote to get into your Mac, problem solved.
Joel Rennich:
You can dictate your password to your remote though, so your neighbors will know your password.
Tom Bridge:
Yeah. Uh-huh.
Tim Perfitt:
That’s super secure. Why don’t we all dictate our password to the login window, that’d be great.
Joel Rennich:
My voice is my password, OS9, we beat.
Marcus Ransom:
I totally get it that Apple has done this for security and their approach to security means that you need to have interaction. But the number of discussions I have with customers around using all of the identity login solutions, where they all work beautifully, but FileVault. And most users don’t understand the difference between logging out of their machine and shutting down and where you explain, and you’ve got the flow chart and you explain how it all works. And you just know that, oh, just log out of your machine… No, that’s a shutdown. Aren’t they the same? Well, as it turns out… and I think that’s the challenge. But it’s also why I would love to see the metrics on how many consumers on their machine have auto login enabled, would love to know how many have that.
Joel Rennich:
There can’t be that many left anymore.
Tim Perfitt:
Well, that used to be the default, right?
Marcus Ransom:
How many people have natural scrolling turned off and those sorts of things. It was interesting when I was listening to the recording of your previous episode and Tim hearing you talk about how, because you don’t need to sign into a Mac with cloud identity or provision accounts with cloud identity that was something that you hadn’t thought of as being a problem, yet for the market out there that’s a really big problem provisioning and creating those accounts. And I’m fascinated to know whether FileVault… because I see that with FileVault, where it even comes down to person who has forgotten their password, they’ve restarted their machine.
Marcus Ransom:
Because that’s how you fix every problem on a computer is turn it off and on again, they’re now at the FileVault window. Help desk is resetting their cloud identity password multiple times to the point where nobody knows what it used to be. And we know that it’s their FileVault recovery key is what they need to use to get in, but they don’t. And how do we bridge that gap between us knowing technically and logistically how this works and a bit like true north, the users how they perceive emotionally this should work, where they think that the machine should have a network connection at the FileVault screen, because that way that’s how it would work. We know why it doesn’t.
Tim Perfitt:
Let’s look for look a model that does work. This one I always come back to, it’s been around for dozens of years, it’s your cell phone, your SIM card that you paid money. When’s the last time you had to log into your phone to get T-Mobile or Verizon or AT&T to work. You just put the SIM in and there is SIM hijacking, but it’s not where it’s stealing your account, it’s getting the notification for your number. So that’s like it’s a smart card embedded inside the device, which is your identity and that’s what we tried to get with smart card.
Marcus Ransom:
And that does have a network connection that has multiple layers of security around it, absolutely.
Joel Rennich:
I’m a person, not a number Tim.
Tom Bridge:
Tell that to T-mobile.
Tim Perfitt:
You abstract Joel far enough, you get a number.
Joel Rennich:
Ooh.
Tom Bridge:
Just hash it all the way down, there’ll be some numbers in there somewhere.
Marcus Ransom:
Too many special characters, I think.
Tim Perfitt:
So that goes back to what we were talking about last time, it’s like what identity is where you went to school and where you currently reside, all the questions you get when you sign into the government websites. We’re talking about the social security administration to go in and be able to prove who you are, who really is Joel. I want to know who Joel really is.
Joel Rennich:
So do I, every day when I wake up I ask that question, existential.
Tim Perfitt:
You’re not a number Joel-
Tom Bridge:
What do I want to be when I grow up?
Tim Perfitt:
… so who are you? If you’re not a number, got to tell us who you are.
Tom Bridge:
That’s right. I think that there’s a lot that we’ve just talked about that are a bunch of different approaches. So let’s anoint you crowned prince of identity for the day. Which of these approaches do you think are the best as it stands right now, versus which do you’d rather have go away? If you get to make those calls for once, you’re the product manager for security at Apple, or you’re the product manager for security at Microsoft, how do you approach identity on the desktop differently than what we see right now or how do you do it the same?
Tim Perfitt:
Let me go first.
Joel Rennich:
I’ll take my answer off the air.
Tim Perfitt:
First time caller, long time listener. I will say let me answer it in a way that the things that I’ve seen that I really like, and Joel’s touched on one of them is Microsoft. When you set up a new PC and you sign in with your Microsoft account, it sends a text or a push to your Microsoft authenticator and you say yes, and it provisions your account logs in. I didn’t enter a password, that is fricking magic right there, which I think is wonderful. Another one-
Tom Bridge:
The new intra flows are very much the same way. They’re very fascinating. You can even end up to a state where there is no password for that account anymore.
Tim Perfitt:
Well, look at when you transfer a phone, your iPhone to another iPhone, you have that weird cosmos thing, you hold it up and it has some steps to go through. But that’s slick to be able to transfer all your data and all your credentials and be able to do that, and you’re not having to type in their passwords to be able to do it. And I think the commonality is you already have… Another thing is that you sign in somewhere it says on your other device this person’s trying to sign into your account, and so you can approve it or not. And that’s a great way to know from all your devices, it’s not just one, all of them. Even if somebody’s taken one of your devices, all of a sudden, all of them are ringing, it’s this way that’s like a hive mind of all your devices and I think that works really well.
Tim Perfitt:
And Joel and I have talked a lot about this is that everyone has a phone, this is the turning around. If you have a smart card, you forget it, you get a temporary one, you get your temporary badge whatever. You forget your phone, you turn around and go back because you can’t be in your day without the phone. It’s not like you get a temporary phone because your whole life is there. And being able to have something that is known to be yours as your true identity, that can prove that you’re that person, I think that’s really what it comes down to. Whether that’s a smart card or your phone, or if it’s a fob or something like that to where you… so it’s something you have, and it’s something you know, and it’s something you are, that I think works really well.
Tim Perfitt:
It can be very seamless and it’s the edge cases that kill you. It’s the FileVault at first startup, it’s the Xbox login, it’s like, “Oh, that crap.” It’s just like, it falls of, what do you do? App passwords, right? It’s like, I used to SSH in the GitHub or maybe it was bitbug, whatever. And it’s like, “We don’t allow API keys. You have to do per app passwords now.” And Apple did that too with per app passwords. You have to generate a password then they can use it on somewhere else. It’s like this tedious really difficult process to use these legacy systems. And so it really has got to come down to something that’s secure that defines who you are.
Joel Rennich:
I have to use GitHub Desktop for all of my git pushes now because XCode can’t figure out the GitHub per app password token, whatever I’ve set up for that account. And so I have to work in XCode commit locally and then move over to GitHub desktop and push. If I ever learned how to use GI from the command line, maybe I would do that instead. But yes, it has become a morass between all of these one time passwords and things like that. I was looking at this today. I opened up, I’ve got the Google authenticator on my phone. I like that because you can synchronize it in the cloud, which you’re not supposed to necessarily be able to do a TOTP but it’s great that I can, because when I change phones life’s a lot easier. So personally, I’ve very much bought into the iCloud ecosystem for backing up all of the pieces and I find that very good.
Joel Rennich:
And let me be very clear from a consumer standpoint, I think that’s fantastic. And I like this idea, just like you’re talking about Tim, that I can sign into a new Mac, create a new account, whatever, put my username password in there, but then I can bootstrap the whole rest of my life by picking up my phone that’s already in the circle of trust in my iCloud account, and using that to then sign into that Mac, or at least get iCloud signed in on that Mac. I still got to put on my iCloud password, which I always forget because I only use it once every year when I get a new machine or something like that. But then I get the three digit or the six digit code, whatever it is on my phone, and I remember my pin from my phone and then the rest just comes up, and then I’ve got another year to forget that iCloud password.
Joel Rennich:
So that I think is really good, but we don’t have a lot of those options in the organizational, the institutional perspective. All of those things are shut off or as what Marcus you were alluding to, you’ve got to let your users buy into that Apple ecosystem and hold your eyes, close your ears, whatever it is that you do about all of your corporate institutional data going into third parties, that you don’t have SLAs with, you don’t have GDPR agreements, you don’t have all these other things with and that’s problematic there. So the ability to have-
Marcus Ransom:
Or you try and solve it with DLP, which is never a good thing.
Joel Rennich:
And then your users hate you.
Tom Bridge:
Well-
Marcus Ransom:
You hate yourself as well.
Tom Bridge:
… yes.
Joel Rennich:
And you hate yourself for your users hating you. Absolutely. It’s a no win situation there. And I also very much agree with Tim that I do think Windows Hello, specifically Windows Hello for Business, they put a lot of effort into. I’m not super excited about the webcam thing. I think that’s a little bit, and I know I use that every day on my phone, but face ID seems better than a little 720p webcam.
Tom Bridge:
The dock grid generator feels like a better solution by far.
Tim Perfitt:
Well, hold on, hold on. No, no, I’m going to interrupt here. I had to go out and buy a high end camera that has IR for Windows Hello to work on my son’s PC. So I don’t know if Joel if you’re just using on the surface or whatever, but the surface has that built in. But if you just go and buy a $40 webcam, it won’t work. You have to buy the $129, whatever to be able afford it because it has to have IR, because it does depth perception as well.
Joel Rennich:
My surface with Alcantara wrist pads.
Tom Bridge:
Fabric wrist pads, yes.
Joel Rennich:
Fabric wrist pads has that. So maybe the webcam on this is nicer than it is, and you’re saying I shouldn’t be dismissive of the webcam on the surface.
Tim Perfitt:
Only from my experience, I thought I could buy a cheap one and you have to buy [inaudible 00:37:32] for Windows Hello, and it’s because I believe IR is included into it and it’s 119. The guy had at Micro Center was like, “Why are you spending so much on a webcam, these other ones are so much cheaper and you don’t really need 8K. This is even 8K, this is 4K.” I’m like, “No, shut up, give me the camera. Unlock the case.” It was like one of those locked cases you had to slide it to open it.
Tom Bridge:
Oh, God.
Joel Rennich:
Did you tell him it was for your only fans account, that extra 4K means a lot.
Tim Perfitt:
That’s right. That’s right.
Tom Bridge:
I’m never going to be able to unhear that and I feel like that’s okay.
Joel Rennich:
Well, no, nevermind, I’ll leave that alone. So I do think that flow is good. I am very interested in, we intend on building this I think, it’s got to take a little bit of work. But I like the concept of that bootstrapping, the idea that I could walk up to a machine that I haven’t used before and by having something I already have in my possession, having something I already have biometrics with, then get into that brand new thing. And that would allow me to put in a new password, pin code, whatever it is that I need for that new device, that idea is very intriguing to me.
Joel Rennich:
And I think some places have started to doing it reasonably well, I think Apple’s done that fairly well, but you’ve got to get into that. And you’ve frankly got to buy into that whole ecosystem of that flow. And I have enough iOS devices that I feel pretty confident that if I lost all of my daily drivers, I could find something in a drawer that would after some charging would boot up and would get me into my iCloud circle of trust, and get me back to my goodies without having to ever call anybody or somehow prove I am who I am.
Marcus Ransom:
Do you think that’s been facilitated by the fact that iOS is a almost entirely single user device and doesn’t have the concept of logging in and logging out. So because the passcode is removed from that scenario, you can then focus on storing all of those secrets somewhere and using them where they need to be used.
Joel Rennich:
Sure. I don’t think you’re off base there at all. In the grand scheme of things, iOS is a very young operating system and they threw a lot of things out. They could start from scratch, they could do a lot of cool stuff with it.
Marcus Ransom:
It’s never had a net info database too.
Joel Rennich:
Never had a net info database. Absolutely not. It’s never had to integrate with LDAP, it’s never had to do any of that. So I think they had a lot of flexibility there. I also think they made some very smart decisions early on. Although, the full description didn’t come until the 3GS, is that correct? Again if Charles was here he would correct us.
Marcus Ransom:
I think it might have been a little later than that.
Joel Rennich:
So it was either on the 3GS or the four, which was then-
Tom Bridge:
I think it was the first touch sensor, right? No, no, no, no, it was the four. Because that was where we got the first disc encryption.
Joel Rennich:
Absolutely. And that was really cool. This was a decade before it came out on the Mac to this level of pervasiveness, in that as soon as you took the device out of the box it was already encrypted. I remember when I was at Apple we’d get into these things about, “Well, is it encrypted?” Well, it’s always encrypted. Well, but I don’t need a pin to get into it. Well yes, because everybody complained back in the day, you didn’t even need a pin to get into your iPhone. What a concept. You could run it without a passcode, those innocent days of all kinds of things, before we knew all the stuff.
Joel Rennich:
So absolutely on iOS I think, both because of the security factor, the form factor, the tight cohesion between just like we were talking about the webcams. Apple doesn’t have to worry about what webcams in an iPhone. They know that they’ve got the right sensors for face ID. You don’t have to go down to Compucenter and get the guy to unlock the cabinet for you. So that’s great stuff and that does give a lot of stuff and it is not a multi-user system. Absolutely Marcus, that complicates everything where you’ve got to handle multiple users. You go back to your Mac, who’s got a Mac with multiple fingers and touch ID.
Tim Perfitt:
Every relative of mine has my touch ID on it that I manage their computers because I’m tired of [inaudible 00:42:10]. And it’s not because I’m a grand hacker because I ask them their password, do you know what they say? I don’t what my password is.
Tom Bridge:
Yep. I don’t have one is the best answer to that.
Joel Rennich:
And then I’m going to put my finger on your laptop.
Tim Perfitt:
So I put my face ID on every phone that my mother-in-law whatever, and everyone who has a computer. And then I tell them and they can remove it, it’s an opt out system, not an opt in system.
Tom Bridge:
That’s genius. This week’s episode of the Mac Admins Podcast is brought to you by Black Glove. Black Glove is about to be your new favorite IT partner, they provide ongoing expert support and rapid deployment services for your current new or refreshed Apple fleets. But what they’re really providing is complete peace of mind that your technology is safe, secure, and operating at its full potential. So no more quick and expensive calls to the geek squad or Apple support, Black Gloves, strategies and fixes are from the hands and minds of former Apple engineers. So not only is the expertise of this team unmatched, but their services are affordable and easy to get started too. Fortune 500 companies and small budding businesses alike are working with Black Glove to ensure their Apple technology is doing exactly what they need it to. Whether it’s helping manage your remote teams, devices transitioning your device management system, onboarding new employees or casing tagging and tracking your devices, Black Glove can handle it all.
Tom Bridge:
They’re also just really great people to work with. In fact, mention this podcast when you reach out to them and the Black Glove team will sponsor the next generation of Mac Admins through our Mac Admins Foundation. You can learn more and get started@blackglove.com. That’s B-L-A-C-K-G-L-O-V-E.com. And while you’re at it, ask them why they’re called Black Glove. It’s a clever nod to how white glove services just don’t cut it for it. Well, speaking of systems like this, opt in, opt out, those kind of things. I feel like we’ve talked about some different approaches that we like, we don’t like. What do you think Apple’s doing to help or hinder progress in this regard?
Joel Rennich:
I think Apple’s I hope, well, no, we know this, we’ve seen bits and pieces about this. And I don’t mean to be overly critical mostly because I’m interested in some new stuff coming, so we can write new login window mechanisms and things like that to do other cool stuff. But some cool advances that have happened recently, you’ve got obviously the touch ID in all the devices, so that’s fantastic, that makes everything a lot easier the second time around. That’s great.
Tom Bridge:
On little buttons that-
Joel Rennich:
And on wireless keyboards. Absolutely.
Marcus Ransom:
I adore my touch ID on my keyboard. I would just love to have a touch ID sensor that I can then use with whatever keyboard I choose to use or anything like that.
Tom Bridge:
It would be pretty rad if it was just the touch ID button all by itself. I’m down with that. I don’t care what it costs. Does it cost the same as this keyboard? Done. Will pay for it.
Marcus Ransom:
I’ve been wondering I have a European keyboard that I was sent by mistake when I started here, and couldn’t understand why I wasn’t able to sign into any of my accounts, that’s because all of the special characters were in the wrong place. And it’s like, “Okay, can I deconstruct this just to get the touch ID sensor on its own for science.”
Joel Rennich:
Can’t you just set the keyboard mapping over?
Tom Bridge:
Well, friend of the podcast Jason Snell has done exactly that because he is a huge mechanical keyboard dude. He has many, many mechanical keyboards. I think he’s working on right now a 70 or 60% size keyboard that he’s done. But what he did was he took apart the extended keyboard, the magic keyboard with the touch ID sensor, extracted all the electronics and it fits in a fairly small container. It’s not a very large logic board inside the keyboard, and he just has this and the touch ID sensor, and he’s put it on a little box about this size that goes underneath his desk. And so he can just do the touch ID with them.
Joel Rennich:
Like your secret alarm at the bank.
Tom Bridge:
Correct.
Tim Perfitt:
To use a laptop.
Marcus Ransom:
I use a laptop but the laptop’s over there, not here.
Tim Perfitt:
Oh I’m sorry, would you have to reach your arm over?
Marcus Ransom:
It’s not worth my professional time to move.
Tom Bridge:
I use a laptop, but I use a laptop with two displays and the laptop is shut all the time. And so I have two-
Joel Rennich:
Fair.
Tom Bridge:
… 27 inch displays here and here, and my laptop is shut beneath it.
Tim Perfitt:
I love the security. I’ll give how I’m less secure, but I’m enjoying life more is I got in a machine that didn’t have touch ID, didn’t have face ID, it was an iMac. And I went to these webpages and it was filling in the password for me and I would just hit return. I’m like, “What’s going on here?” And I realize you can turn off touch ID just for the wowzer for the password. So on my primary machine, which I always close and lock, it just fills it in for me. So instead of 50 times a day touching my touch ID, it just fills it in for me, it’s like I’m living in the late ’90s, it’s great.
Tom Bridge:
That’s phenomenal.
Joel Rennich:
I will say that we have an iMac upstairs. And when I use that and I don’t have to hit touch ID for the password fill in in Safari, it is nice, which sounds bad. I shouldn’t say that out loud. On the flip side my mom she’s over 80, she had an old iMac she’d been complaining about it for a while. So she got one of the brand new, well, they’re not brand new anymore, but the M1 iMacs, when they first came out in sea green, it was gorgeous. Every day that she would call me up for six months afterwards, she was like, “And I just touch the keyboard, and I don’t have to fill in my password, it’s fantastic.” So yes, touch ID on those keyboards is magical for folks, I don’t disagree with that. And that’s a huge thing because as we all know having a password manager allows you to ideally have individual passwords for each website, each service that you’re going to. And then that makes you much more secure in the general scheme of things, so that’s all great. What was the question, Tom?
Tom Bridge:
I think the question really… as with everything I feel like we take a trip here. And I think that really what’s Apple doing to help or hinder the perfect identity in your eye.
Tim Perfitt:
Well, let me jump in here because I think the hinder, I think Apple does a great job with their ecosystem with iCloud. But then when you have Managed Apple IDs, it’s very much just you have to have just the pieces right to be able to do it. They don’t approach it from, “We’re going to add this feature to unlock FileVault. How do we make this an open API or mechanism where anybody can use I. But rather let’s do a first class way that Apple can do it, and then as customers want it we’ll add stuff in maybe in years in the future.”
Tim Perfitt:
So that’s one of the things that being able to approach it from a there’s many different audiences to serve and they don’t really approach it that way, it’s more like how do we make it best in breed for our ecosystem? And if you don’t fall into that, it gets frustrating and you end up having products like Xcreds, which allows you to log in with your cloud password right from the login window of your Mac and keep her synchronized. I’m doing these little call outs here, so be able to do we also have a merch store. You could do your merch store too.
Joel Rennich:
I have a Twocanoes coffee mug. The coffee tastes great.
Tim Perfitt:
Thank you. Thank you. It makes you code better. I don’t know why.
Joel Rennich:
Absolutely. I write two lines more code per hour when I use my Twocanoes.
Tim Perfitt:
Thank you.
Joel Rennich:
There you go.
Tom Bridge:
1% better every day right Joel.
Joel Rennich:
1% better every day. Absolutely. Thank you Tom. So I do think and this is maybe relevant of a follow on pod, but the passkeys. So Google and Apple have both been doing a lot of really interesting things in the passkey space. Passkey we touched upon this in the last episode, we didn’t get too much into them, but it’s the new word FIDO keys that can synchronize, which is against the original mandate of FIDO keys, but we’ll set that aside for now. And it’s a great inroad into the consumer space for keeping passwords out of there. There’s a great security podcast out there called Security. Cryptography. Whatever. that if you are at all security conscious you should definitely listen to it. Doesn’t come out very often, not like this podcast. So you don’t have to spend a lot of time on it and some podcasts, except when Mr. McNeil comes on this one, I play it one and a half speed.
Joel Rennich:
That one you got to play at one speed because they just get really deep really quickly. But there’s a great conversation they had with somebody from Google about passkeys keys. And I think we should get them onto this podcast and talk specifically around the Mac and how it works. So some really great stuff there that I think Apple is helping to pave a brighter better future for consumers and for passwords with all of these places. Because even if you have iCloud, show of hands how many times has iCloud messed up or iCloud Keychain I should say, messed up putting up a password on a webpage, it is by no means infallible. And hopefully with passkeys, that gets a lot better as we go forward. So I think that’s some really cool stuff that Apple’s laying out is kind of a future progression. There’s some interesting ramifications on again the organizational side and how you would use these, that they’ve specifically made some decisions on, but passkeys are cool, more people should use them.
Tim Perfitt:
Well, that goes back to the point where iCloud is definitely the first class citizen. Did they provide APIs for Dropbox to hook in, for enterprise to hook in, it wasn’t discussed and it wasn’t they want to make it best of breed for iCloud first and then see what happens later on. Whereas other vendors or other projects may be like, “Oh, this is open, you can point it at whatever database you want. It’s open to be able to put it on a hardware device, on a cloud device, an API, and we just happen to have this one implementation, which is open source.” That’s not the way that Apple operates. Apple’s going to make it seamless so everyone doesn’t even know that it’s there and it’s just happening.
Joel Rennich:
Absolutely. Agreed with that.
Marcus Ransom:
One of the challenges is communication where Apple presents this amazing security, and organizations who are wanting to implement more and more Apple technology also want security. So they get excited about the security and then they find that some of these security ventures don’t work with Managed Apple IDs, which are the Apple IDs that are designed for the organizations. And the efficiencies of being able to use the whole Apple ecosystem for work and all that is a challenge because it’s gated out. And the communication is not there because we want people to get excited about things and talk about the positives and the benefits, not about the challenges and the issues that you may have with implementation. But that then often falls back to partners of Apple to talk about where maybe this isn’t a solution that’s appropriate for you at the moment. And we wait until we can then synchronize those passkeys to a file maker database sitting on a Mac mini in the tea room or something like that.
Joel Rennich:
Whatever you want to do Marcus. I’m not going to get in between you and your FileMaker databases.
Marcus Ransom:
That’s enterprise grade, isn’t it?
Joel Rennich:
Well, 12 or 14.
Marcus Ransom:
From a certain point of view.
Joel Rennich:
What’s the latest version of FileMaker. I don’t even know.
Tom Bridge:
18, I think.
Joel Rennich:
18.
Tom Bridge:
Yeah.
Joel Rennich:
Wow. Bento still around?
Tom Bridge:
No, sadly Bento was sunset.
Joel Rennich:
Oh wow. All right. There you go. So yes, the good response to that is Apple’s doing better than they ever have on the security guides. Previously, what you were talking about it also involved a level of trust. And I remember this because when I worked At Apple, Tim was with me. We would have to go to customers and we have to say, “Hey, FileVault works this way.” And they were like, “Well, says who?” And we’re like, “Well, we say because we’re Apple.” And they’re like, “Well, how do we prove that?” And you’re like, “Well you got to trust us.” And that wasn’t always the best way to win hearts and minds of, especially, Windows focused security or IT staff. So the fact that Apple’s doing so much more work on the security guides, the validations and certifications of doing that’s huge. Because it doe I think give Apple a very good opportunity to shine on the very good security things that they’re doing.
Tim Perfitt:
And we actually have to give Apple credit for the amount of court cases that happen, subpoenas, being able to encrypt end-to-end where they don’t even have access to it. So a lot of times it’s like the government will say, “Present this.” And they’re like, “We can’t, it’s just a bunch of garbage. We can’t do it.”
Marcus Ransom:
“We’ve built this to be secure, properly secure.”
Tim Perfitt:
And we’re just seeing other end-to-ends come in and a lot of it’s because one they try to monetize it. And two, they don’t actually believe in that kind of thing to be able to lock themselves out of it. Whereas Apple full throated will go into that and say, “We don’t even want to have access to your stuff.”
Tom Bridge:
They’ll take video of them blending the master keys, which I think they famously did with the iMessage, the root keys, which is-
Tim Perfitt:
I think they bury OS 9 too in a coffin.
Marcus Ransom:
Certainly, the trajectory of Apple and security is really exciting. We keep saying we keep picking things apart that are not there yet, or things that we may feel differently to the way they are. But I think you’re absolutely right. You talk about the security documentation that it’s all there easily accessible, regularly updated, communicated beautifully in that documentation, even if sometimes… Is there one person who understands every single concept that’s in that guide? I’m guessing Sean Reagan does.
Tom Bridge:
Mm-hmm.
Marcus Ransom:
Yeah. So we’re saying when we look at what we used to have, where it was in Australian terminology all about the vibe, it’s like, “Yeah. It’s fine. It’s okay. Just trust it, it’ll be okay.” Whereas we are seeing amazing security really awesome implementations, and we’re seeing every year or every six months it start to stack up more and more and more. So I certainly don’t feel like we’re fighting a losing battle or we’re questioning why we’re even trying. It’s definitely, the exciting future all of you are finding because you are creating products that can deal with this.
Tom Bridge:
Well, and speaking of all of that, let’s pause here to talk a little bit about something that Apple announced at WWDC this year and that’s Platform SSO. And this is a place where we’re recording this on August 15th, 2022. They have just now today released the 1.2 test plan and documentation for Platform SSO, out of the AppleSeed defer IT, we still don’t know what it’s going to actually look like when it arrives. We still don’t know exactly when it’s going to arrive, although, I’m assuming it’s during the Ventura cycle, the question is it’s obviously 1300 or 1303 or somewhere in the middle. And I think that this gives us an opportunity to talk about what the future of identity is on Apple platforms. So how do you see Platform SSOs impact, if any, in Ventura so far. And Joel, I think I’ll talk to you because I think you’ve got the most code on any platform for this.
Joel Rennich:
Sure. Sure. No interested to chat about it. So there’s couple things I really like about it. And the first one is, and this is something that Tim and I have seen and what Tim’s done in Xcreds, which is this bifurcation of the local account from the cloud account, and that these two things don’t necessarily have to be the same. And this is another place where I’ll apologize maybe a little bit between NoMAD and some products Jamf worked really hard on creating synchronization schemes, so that your password from cloud, whatever directory you had was synchronized with your local account and I think there’s very much use cases for that.
Joel Rennich:
The winds though are blowing in a very different direction. And if you look at Windows Hello for Business, which we’ve been chatting about a bit on the show so far, it explicitly prohibits your cloud account from being synchronized to your local account. And Microsoft has a very large KBase around why they do this, and a lot of it revolves around the fact that you should not be…If your local account gets compromised, that should not mean a compromise of your cloud account and vice versa. And so by doing this synchronization, you are maybe doing a disservice to security and instead have a really strong local password that you just don’t change, and then have a really strong cloud password and maybe even go passwordless in the cloud.
Joel Rennich:
Since that’s not as we’ve talked about FileVault and everything else super incredibly possible on the local system, don’t even worry about it on the local system. But that bifurcation is really, really interesting to me and I like that. I think there’s some changes that they were hoping was kind of auto magic in Platform SSOE that I don’t know are a 100% there. So that’s where we got to see a little bit more what the final version is. We’re very interested in supporting it as Tom’s already implied, we’re already doing some work around it and excited about the opportunity that that has.
Joel Rennich:
Because I like as much as we’ve been talking about how to make authentication of the login window easier, how to maybe add multiple services into this, I like this idea of bifurcating cloud and local. That way, if you’re SOC managed whatever PCI thing you’ve got to do, and you’ve got some BS requirement to change your password every 90 days, leave that on the cloud. Change that password every 90 days in the cloud, but don’t go through that process on the local device, your users will be happier, they’ll be more productive, everything will be better. Birds will chirp, rainbows will appear by not going through that process.
Joel Rennich:
So I think plus that gets us back a lot more to the consumer model. And again, when you work with Apple instead of fight against it, everybody gets a better experience. And Apple is very clearly going down a very consumer focused path with a lot of the technologies they’re looking at, or if it’s not so much consumer, it’s very much Apple first, Apple being the biggest implementer of it. So if you go with that flow, let the user use touch ID, let the user do whatever FileVault wants to do, let the user do the things that Steve intended on that device, but then get that connection to a cloud service, that I really like.
Joel Rennich:
That’s the Windows Hello for Business model, you create a local pin, that local pin becomes then your back door or whatever it is into that device, and it’s explicitly not synchronizing. So that aspect of Platform SSO, I really, really like, and I think that’s good that we’ve got a tight maybe agreement of the future direction between Apple and Microsoft. Because if those two of agree on the direction is not synchronizing the password, it’s going to be really hard to keep synchronizing the password.
Tom Bridge:
Tim, your thoughts?
Tim Perfitt:
It’s too early to tell at this point and big part is the adoption by the cloud providers to be able to do this, so we’ll see where this goes. And it goes back to that tight ecosystem, Apple is not an identity provider, it’s using other identity providers to fill in that piece, and we’ll have to be able to see how that’s adopted. People don’t think about the Mac first when it comes to cloud identity providers, it doesn’t make a lot of sense to do it that way, so we’ll see.
Tom Bridge:
Well, and so we’ll see that’s the challenges of Platform SSO is that you need both an MDM to deliver the solution that’s provided. There’s code that needs to be delivered by an MDM with an MDM profile, all of those things and who also need the identity provider to understand and tolerate a specific workflow that’s associated with this. And so a lot of MDMs like Jamf and Kandji and a bunch of other great companies that are out there, they’re not in full control of their destiny.
Joel Rennich:
Absolutely.
Marcus Ransom:
That’s absolutely true. The communication around this as well, I think the developers understand what needs to be done, but the admins and the users and the organizations are like… I know we certainly heard, “Oh, Jamf Connect’s been Sherlocked we won’t need XCreds. We won’t need NoMAD. All of this is going away because this tool is going to solve all of that.” And it’s getting released in the betas now, so we can start using this. And the piece that was not communicated effectively to the end users… Because the communication to be fair on Apple wasn’t directed at them at all is, “We’re building this framework for the identity providers to implement, so that the MDM companies can support and deliver it.” There’s a lot of moving pieces that need to go through various betas, go through various testing, personas stories, how are we going to then implement this ourselves before it gets anywhere near the end users? And when it does, it’s going to be fantastic. It’s an amazing opportunity for all of us and all of the products we build and for the users that we support, but we’re not even seeing it yet.
Tom Bridge:
Yeah. I don’t think anybody’s really publicly commented outside of maybe I think Microsoft with some… I think there was a piece from one of their product managers that was like, “We think this is great. We’re really excited we’ll implement this.” But outside of Azure and Microsoft to again have Intune and Azure AD, which is a fully contiguous use case. I don’t think we’ve seen a lot of folks outside of the JumpCloud’s of the world, really take notice. Okta certainly hasn’t publicly commented to my knowledge, neither has OneLogin, neither has I’m trying to think, Ping Identity I don’t believe has commented on this to provide any kind of certainty over, “Hey, we’re taking a look at this. We’re tearing apart the code samples. We’re tinkering with it already.” I don’t think anybody’s really talking about that yet.
Tim Perfitt:
Yeah. How many think cloud providers are there going to be on day one when Ventura releases that have this…
Tom Bridge:
If we’re very good two maybe three.
Joel Rennich:
I think you’re being incredibly optimistic.
Tom Bridge:
Like I said if we’re very good, my actual expectation is one maybe two.
Marcus Ransom:
Do we even know when day one is going to be? Is day one for this going to be Ventura 0.0 or 0.0.1 as it usually ends up being anyway? Or is this going to be for the TOC release because there’s not a lot of time between-
Tom Bridge:
In the spring time.
Marcus Ransom:
… now and then. There’s not a lot of time between now and then to get this into something that you can use in anger or maybe that it will be. Maybe we get to see the beta releases of this and discover that there has been all of this work behind the scenes and we’re all like “This is awesome. Let’s ship it. Let’s start using this.”
Tom Bridge:
I was going to say what more to say probably is we get closer to Ventura’s release date, which honestly this year’s cycle seems to be going fast. I kind of get the feeling this isn’t going to be a November release, but might be early October as opposed to…
Joel Rennich:
They got to fix system preferences.
Tom Bridge:
Oh yeah.
Joel Rennich:
And I know a lot of people have been piling on that lately.
Marcus Ransom:
You mean settings don’t you.
Joel Rennich:
Whatever. Whatever.
Marcus Ransom:
I just think back to the original implementation of the SSO extension, where that got announced in the betas with great fanfare and we all got really excited. And how long did we wait for identity providers to actually work out the best way to implement it and jump on the bandwagon there?
Tom Bridge:
I don’t think anyone has yet really.
Marcus Ransom:
Azure have done a really good job of it.
Tim Perfitt:
Outside of beta. Joel’s counting beta. You can’t count beta Joel.
Joel Rennich:
You can’t count beta. No, no, no Okta.
Tim Perfitt:
Oh, Okta. Okay. I don’t know-
Joel Rennich:
Okta FastPass, even though I don’t think they make a big deal of this. Well, the funny thing is FastPass uses a Kerberos provider, which is explicitly not supported by the Platform SSO. So all the work that Okta has done in their single sign-on extension is irrelevant for a Platform SSO, so they’re going to have to redo their entire piece. And then Microsoft is in preview still, I think I should actually look this up.
Tim Perfitt:
It’s not beta it’s preview sorry. Sorry. I didn’t realize it was preview.
Marcus Ransom:
But they clarified that it is supported. What they’re saying by preview is it’s just not finished yet, but is software ever finished?
Joel Rennich:
That seems like a cop out, it’s been four years-
Marcus Ransom:
But I’ve certainly seen that able to deliver the missing piece where we have mechanisms with Jamf Connect and other tools to be able to use that identity at the login window and for provisioning accounts. We have ways that we can populate with configuration profiles, but in the idea of being able to greatly reduce the number of authentications users have to go through on a device, whether that be in a web browser or applications, Microsoft’s implementation of that extension achieves that. It’s not perfect, but it’s certainly a lot better than not using it because that’s the complaint that you see here.
Joel Rennich:
Webpage updated June 1st, this features in public preview, the preview is provided without a service level agreement and is not recommended for production workloads.
Tom Bridge:
Some features may be unsupported or have constrained capabilities.
Marcus Ransom:
Checks will not be honored.
Joel Rennich:
And I agree with you Marcus I think it works really well. I think it’s a good piece, but their webpage still says don’t use this.
Marcus Ransom:
I’m going on the Penn State Mac Admin session, which was amazing at illustrating how much work they put in.
Joel Rennich:
I understand they’ve recently done a little bit of a PR blitz around this, which is great, because they should get credit for what they’ve done. But the webpage still explicitly states provided without an SLA and isn’t recommended for production. So it’s going to be really hard as an IT professional to square that with your regulators or everything else as you go through there. And the fun thing is have you used it much yet?
Marcus Ransom:
Yeah. Yeah. I’ve I’ve used it. It’s great. It’s not perfect.
Joel Rennich:
How do you change accounts?
Marcus Ransom:
Do you need to change accounts? How many users need to change accounts? It’s the 80/20 rule as well where I certainly don’t use myself as the use case for where everybody uses their machine. In an organization most of the users-
Joel Rennich:
Fair.
Marcus Ransom:
… offer exemptions. Where you have the users where it’s like you have a complex life, this is not going to simplify that for you, it’s just going to create more problems. Great. Don’t use it on that machine. Where you’ve got the users that are like, “Why do I need to put my password in every single time I access whatever vowelless SaaS system we are using today?” It solves that problem. They’re federated. It just works. I’m on a web browser. It doesn’t matter which one of these different SaaS applications I’m moving through, it knows who I am and it just works. And they don’t need to go to their book of passwords or stick post-it notes all over the place. And anything that encourages users who are not maybe as attuned to security as they should be, to be able to just get on with doing their job in a secure way is great.
Joel Rennich:
Yeah. No, no. I’m excited to see it out there. And I know they’ve done a lot of work on it, which is great. And I think you’re right when it does all flow together, it’s a really, really beautiful experience.
Marcus Ransom:
Private browsing windows are a much easier way to get in and out of the 97 different accounts that you need to use.
Joel Rennich:
Have you tried it with a private browser window?
Marcus Ransom:
Yeah.
Joel Rennich:
It will auto fill.
Tom Bridge:
Yes. I was going to say it’s domain based.
Joel Rennich:
The single sign-on extension doesn’t know you’re in a private browser window.
Marcus Ransom:
Actually, I know what I’m doing. I’ve restricted a browser, so it’s not working in that browser. There we go, that was the solution. I knew there was something.
Joel Rennich:
Caught in your lies. You southern hemisphere upside down truth bending-
Marcus Ransom:
Exactly. Once the solution was reached, it was like, “Right. I don’t need to worry about this anymore. It just works.” And a way I go.
Tom Bridge:
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stu Baka, thank you. Adam Selby, thank you. Nate Walk, thank you. Michael Tsai, thank you. Rick Goody, thank you. Mike Boylan, you know it, thank you. Melvin Vives, thank you. Bill Steits, thank you. Anush Storville, thank you. Jeffrey Compton. M. Marsh. Stu McDonald. Hamlin Kroesen. Adam Berg, thank you. A.J. Petrebca, thank you. James Tracy. Tim Perfitt of Twocanoes, thank you. Nate Sinal. Will O’Neal. Sed Nash. The folks at Command-Control-Power, Steven Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, Bill Smith and Weldon Dodd. Thank you all so much. And remember that you can back us if you just head on out to patreon.com/macadmpodcast. Thanks everybody.
Marcus Ransom:
So, unfortunately, as I was saying where they’re working on trying to get this to implement in all of the browsers, just leave us one where it doesn’t work, so we can use that for the…
Tim Perfitt:
All right. I don’t actually I understand what the hell you’re talking about, so can you explain a little bit with the different accounts and the [inaudible 01:13:39].
Joel Rennich:
So Microsoft has single sign-on extension, which uses the Apple SSO pieces. Great. So when you go into Safari, for example, and you try to go to a webpage, it will automatically sign you in through your Azure credentials. And it does this so well that you won’t even see it. You just sign in once and then it captures that account effectively. It keeps your primary refresh token, there’s lots of cool things they do under the covers. And then when you connect again, it automatically supplies that primary refresh token, make sure that you have your session is still good and then takes you to that site.
Joel Rennich:
The problem is it almost works too well. As an it professional you’re very used to opening up a private browser window to say like, “Hey, I’m going to try to sign into somebody else. Or let’s just make sure all my credentials are cleared and the web cache is flushed or whatever else.” So you open up a private browser window, expecting everything to be like you’re on a brand new machine, except Apple has not allowed the single sign-on extension to know when you’re opening a private browser session versus not.
Tim Perfitt:
So it’s not cookie based, it’s single sign-on based.
Joel Rennich:
Absolutely.
Tom Bridge:
Your SSO is a declared domain set that’s associated with it. And the second you get redirected through whatever federation’s path you’re directed through, it’s like, “Aha, I know how to do something with that, so I’m going to.”
Joel Rennich:
Yes.
Tim Perfitt:
How does it get access to your tokens? Does it not have tokens?
Joel Rennich:
Well, it keeps them themselves.
Tim Perfitt:
Oh, single sign-on does.
Joel Rennich:
Its got it’s own space.
Tim Perfitt:
I didn’t know that.
Joel Rennich:
Okay. It’s got its own space in the keychain, so it flows through there. And so when you get into a private browsing session, you can’t get out of it. The other problem is that if maybe again and Marcus is correct, that this is more of a maybe an IT or a developer problem.
Tom Bridge:
Yes.
Joel Rennich:
But you might have a dozen. I probably have six different Azure accounts that I use on a semi-regular basis. Some are admins and two or three are different tenants, some are for testing other things like that. The single sign-on extension grabs one of them, it’s the one you sign into the company portal with and it tenaciously holds onto that.
Tim Perfitt:
But you can log out, but then that defeats the whole purpose.
Joel Rennich:
No. You can’t.
Marcus Ransom:
And to be clear, it’s not the one you log into the company portal with. So the company portal is the mechanism to get the extension on the machine, but you actually don’t need to ever launch the company portal.
Tim Perfitt:
Joel, can you read that statement again from Microsoft, I think it’s actually making a lot more sense now.
Marcus Ransom:
So the trick is you need to remove the MDM profile and re-add it again and that will clear out the tokens.
Tim Perfitt:
Of course, that’s very intuitive. Yes.
Tom Bridge:
Yes. Let’s do that.
Joel Rennich:
And a normal user can do that without any issue, so that’s with every PC.
Marcus Ransom:
If a clever admin can build me mechanisms to allow them to do it themselves. Absolutely. Whether that’s wise or not. It’s certainly-
Joel Rennich:
What could possibly go wrong.
Tim Perfitt:
You have to remove the MDM profile in order to clear the single sign-on cache. Oh my God.
Marcus Ransom:
The configuration profile that is managing, it goes to being unmanaged, and then you put the profile back on again and all is good in the world.
Joel Rennich:
You start from scratch.
Tim Perfitt:
Beautiful. Beautiful.
Joel Rennich:
Better make sure you sign in with the right account first.
Marcus Ransom:
But it does come back to the user who is like, “It says single sign-on. I’ve had to sign on 97 times, this must be broken.” Are the same people that they use the same password-
Joel Rennich:
Absolutely.
Marcus Ransom:
… on every single account they have anyway so…
Joel Rennich:
It is solving a very real and very necessary problem to solve. But I think Ti to your point maybe it’s not fully baked, and I don’t put this all on Microsoft I think some of this is Apple.
Marcus Ransom:
No, they’re implementing Apple’s framework and it’s taken them some time to implement Apple’s framework. Which calls back to the it’s just easy, there’s the spec, ship it.
Tim Perfitt:
Oh, this is going to be fun in October, November, this is going to be great.
Joel Rennich:
Well, this is today.
Tom Bridge:
This is today.
Tim Perfitt:
Objecting out, if we’re saying this is going hopefully be better than that. But if we’re following the track record of being able to do this, it’s going to be crickets and then there’s going to be some bumps.
Joel Rennich:
I think there’s some follow on episodes here of what might happen in the future based upon these thing.
Tom Bridge:
Were we not already 75 minutes into the recording I might be asking you those kind of things right now. But I think it’s also coming up on half past 11 in the evening here, and I was going to say it’s been a really great conversation.
Tim Perfitt:
We need to come back. We need to do a threefer.
Tom Bridge:
Oh ma, I feel like when we get close to Ventura release date, I feel like that’s when we talk about the threefer, so that we can get Platform SSO and kind of its more finally baked-
Marcus Ransom:
When XCreds has implemented Platform SSO with multiple IDPs, then we can have a wonderful discussion in what three week?
Joel Rennich:
No matter how much Tim works. He won’t. Unless he does some very unholy things that-
Marcus Ransom:
Well, it is Tim.
Tim Perfitt:
I’m willing to do it by what Apple gives.
Marcus Ransom:
Twocanoes could become a cloud identity provider.
Joel Rennich:
Absolutely. Absolutely. And I think they would do fantastic.
Tim Perfitt:
So even discussions about being a proxy in front of… don’t be an identity provider, but be a proxy in front of identity provider, which is another way to go about doing it, which is another unholy thing to do.
Marcus Ransom:
Like AD FS, but even more cursed.
Tom Bridge:
Joel and I are currently chuckling for various reasons.
Tim Perfitt:
Why is that?
Joel Rennich:
You’ll have to wait.
Tom Bridge:
You’ll have to wait and see.
Tim Perfitt:
I don’t want to.
Marcus Ransom:
Then you could federate Twocanoes with Apple Business Manager and solve even more problems with Managed Apple IDs through Twocanoes.
Tom Bridge:
I’m really excited at some point Managed Apple IDs are going to have that moment where it’s going to finally be their turn. Finally, Managed Apple IDs are going to throw off the shackles of the man, be useful and for more than just user enrollment. And they’re actually going to have things like a keychain, which would let them have passkeys or any number of other useful things for a Managed Apple ID to possess. Maybe the ability to go through and do free commercial actions, maybe against a set of licenses associated with a machine, because then maybe you could keep the app up to date on a macOS system instead of having to depend upon your MDM to periodically just resend it down and hope that the user has closed… If we keep going on like this I’m just going to keep going all night. I shouldn’t do that, that would be bad.
Tim Perfitt:
CryptoTokenKit works great by the way, that’s where I spend almost all of my time, that’s almost all my time. There’s the single sign-on and the Platform Single Sign-On, there’s some sharp edges and CryptoTokenKit had those and I think the most part it performs. That’s why [inaudible 01:21:09].
Tom Bridge:
They kind of filed those off.
Tim Perfitt:
Yeah. That’s what I enjoy spending my time on.
Tom Bridge:
Props to the Apple developers working on CryptoTokenKit y’all are doing a fine job.
Tim Perfitt:
We’ll ship over the single sign-on stuff over to them and see what happens.
Tom Bridge:
Yeah. So thank you all for joining us. Tim, where can folks find you on the internets?
Tim Perfitt:
I’m at twocanoes.com or @tperfitt on Twitter. And if you want to find out about XCreds, it’s on GitHub, so just search for XCreds.
Tom Bridge:
Nice.
Tim Perfitt:
We talked about this last time, but it was a project that was commissioned by North Carolina State University, so I want to give a shout out to those guys to start it. And it’s a free download and you can check it out on your Mac works on Apple silicon, macOS, Intel and all the way back. I didn’t even try, but it goes back a ways. Any machine you have it should work on.
Tom Bridge:
Nice. And Joel where can we find you on the internet?
Joel Rennich:
Mactroll. Mostly Twitter. I don’t tweet much. I mostly just follow Tim. Although I tweeted today, I replied to you.
Tom Bridge:
Yes, you did as a matter of fact.
Joel Rennich:
Yeah. Look at that, I carried the flag for battery electric vehicles.
Tim Perfitt:
Do you have Mactroll at Jumpcloud.co?
Joel Rennich:
I did not ask for that.
Tim Perfitt:
Wow. Okay.
Joel Rennich:
Maybe I know somebody.
Tim Perfitt:
I’m sure Donyaye or Ryan would make that-
Joel Rennich:
Yeah. I think we can figure that out.
Tom Bridge:
Yeah. So I was going to say what Joel meant to say was that you can find at jumpcloud.com where you can get 10 users for free or 10 device for free.
Joel Rennich:
Absolutely. Every day. Every day.
Tom Bridge:
I don’t get to show that myself. I get to show that for my coworkers, but that’s what I get to do. And as always I think I’m going to forego the bonus question, because we had a really good one last time and I think we were going to let that roll over for this one as well. Mostly because I’m also lazy and it’s 11:30 AM. Unless Marcus has a good one where it’s like what 1:30 in the afternoon?
Marcus Ransom:
Well, I can give my answer to that bonus question about ridiculous security. There’s also the bank where so changing home loans and refinancing and all that sort of stuff. And so the bank said, “Rather than you providing all this documentation, just go to this third party website and sign in there with your internet banking details and then they’ll scrape everything they want,” and it’s like that doesn’t sound good. And so then I went to the bank and said, “Is that okay for me to do this?” And they went, “Absolutely not.”
Marcus Ransom:
And then the same bank said, “Hey, if you want to refinance all of your stuff just go to this service and do this.” It’s like, “But you yourself told me not to do that because it’s bad.” And it’s literally just granting them one time access to your bank account, to scrape all of that information off and then not be able to… and it’s like that doesn’t sound like a good idea. Surely, if they could create APIs that you could grant someone read only access to information, that would be a solution. But getting banks to agree on things is.
Tim Perfitt:
Marcus, you got it wrong, the only security is with a fax machine.
Marcus Ransom:
Exactly.
Tim Perfitt:
If you want real security, you fax over the documents.
Marcus Ransom:
The last time I had to use a fax was for exactly that for refinancing and it was just like-
Tim Perfitt:
There’s nothing more secure than POTS.
Marcus Ransom:
Exactly.
Tim Perfitt:
[inaudible 01:24:28] prepares the wire.
Marcus Ransom:
When I was at university I helped one of my design lecturers with this experimental project, where he up all of these spool feeding fax machines that were faxing and photocopying loops of paper and creating art doing that.
Tim Perfitt:
To each other.
Marcus Ransom:
To each other through series of the and it was fascinating. I haven’t ever been able to find any photographs or evidence of anything that this was produced. But it was like using technology in a dreadful way that it was never ever designed to be used purely for art and because and it was beautiful.
Tim Perfitt:
Could you do it in a storm like a one to two to four to eight to 16 that would’ve been great.
Marcus Ransom:
The sort of things that it was doing and it was just… I for one welcome our fax overlords.
Tom Bridge:
And I think that’s where we’re going to leave it folks. Thanks so much to our amazing sponsors this week that is Kandji, Mosyle and Black Glove. Thanks so much to our brand new accessibility sponsor Meeter, who are going to be producing the transcript of this episode. So if you are reading this, please thank the nice folks at Meeter and go visit their website and say thank you. Maybe buy some stuff from them, because that sounds like a great way to help our sponsors recoup their investment. So thanks everybody and of course thanks for our amazing Patreon backers and thanks everybody. We’ll see you next time.
Marcus Ransom:
See you later.
Tom Bridge:
The Mac Admins Podcast is a production of Mac Admins Podcast, LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Kudiga the first time he opened GarageBand. Sponsorship for the Mac Admins Podcast is provided by the macadmins.org/slack, where you can join thousands of maced bins in a free Slack instance. Visit macadmins.org. And also by Technolutionary LLC, technically we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.
Links
- Security. Cryptography. Whatever (Podcast)
- Filemaker 19 from Claris
- Azure AD SSO Plugin (Preview)
- Top 5 ways to Improve your Apple end user experience in M365/AAAD (PSU Mac Admins Talk with Michael Epping and Mark Morowczynski)
- XCreds
Listen
Sponsors:
Patreon Sponsors:
The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:
Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd
Event Name | Location | Dates | Format | Cost |
---|---|---|---|---|
XWorld | Melbourne, AUS | 30-31 March 2023 | TBA | TBA |
Event Name | Location | Dates | Cost |
---|---|---|---|
Houston Apple Admins | Saint Arnold Brewing Company | 5:30pm 4th March 2024 | Free |
Event Name | Location | Dates | Cost |
---|---|---|---|
London Apple Admins Pub | Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person | Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person | Free |
#ANZMac Channel Happy Hour | Online (see #anzmac in MacAdmins Slack for connection details) | Thursdays 5 p.m. AEST | Free |
#cascadia Channel Happy Hour | Online (see #cascadia channel in Mac Admins Slack) | Thursdays 4 p.m. PT (US) | Free |
Sponsor the Mac Admins Podcast:
If you’re interested in sponsoring the Mac Admins Podcast, please email podcast@macadmins.org for more information.
Social Media:
Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!