
Version 2022.7.8-1

PicoMitchell released this 09 Jul 00:42
  • Added new functionality on MDM-enrolled systems running macOS 11 Big Sur and newer to automatically and securely create and escrow the Bootstrap Token when mkuser is used to create the first administrator (requires internet access and an MDM that supports the Bootstrap Token).
  • Added a new BOOTSTRAP TOKEN NOTES section to the help information for --prevent-secure-token-on-big-sur-and-newer explaining how the Bootstrap Token relates to Secure Tokens and to the new mkuser functionality described above (thanks to Mark Buffington for helping to clarify Bootstrap Token details).
  • Improved the --stdin-password option by adding a warning when a here-string (<<<) is used, since the shell writes a here-string to a temporary file; passing the password with echo and a pipe (|) is more secure because it does not create a temporary file in the filesystem.
  • Improved the --fd-secure-token-admin-password option by adding an extra check to be certain that the supplied file descriptor path comes from process substitution (<(...)), which does not create a temporary file in the filesystem.
  • Improved the --login-shell and --picture options by converting specified relative paths to absolute paths.
  • Other minor improvements and typo corrections throughout.

Previous Release Notes from Version 2022.4.21-1

  • Improved setting the user password by using native Objective-C methods of the OpenDirectory framework. This technique is secure: it never reveals the password in the process list or writes it to the filesystem. Previously, the password was set by dsimport along with all the other user attributes, which required the plaintext password to exist momentarily in a temporary file, since dsimport can only load a new user record from a file. Now no password is supplied to dsimport during initial user creation; it is set securely after creation with the new method.
  • Improved validating the user password by checking it against the current system's global password content policy before creation, using native Objective-C methods of the OpenDirectory framework. This technique is secure: it never reveals the password in the process list or writes it to the filesystem. Previously, the password was only checked against the default requirements (4 characters or more, or blank/empty if FileVault is not enabled). Now the password is also checked against any custom password content policies that may be set.
  • Other minor improvements and typos corrected throughout.

Previous Release Notes from Version 2022.3.2-1

  • Added a new --fd-secure-token-admin-password option whose parameter is a file descriptor path (via process substitution) containing the password, such as <(echo '<PASS>'), and deprecated --fd3-secure-token-admin-password (which will be removed in a future version), since an "fd3" here-string (3<<<) is less secure: it momentarily creates a temporary file.
  • Improved deobfuscating and handling of passwords in packages to be more secure by never using here-strings, which momentarily create temporary files.
  • Other minor bug fixes, improvements, and typos corrected throughout.
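The 2022.7.8-1 and 2022.3.2-1 notes above both turn on the same distinction: a pipe (process substitution, or echo and a pipe) hands the reader a secret that never touches disk, while a here-string or a redirect from a file hands it a regular file. The following is an added illustration, not mkuser's own code, of the kind of check the release notes describe for --fd-secure-token-admin-password: classify what a "file descriptor path" actually points at and refuse to read a password from anything that is not a pipe. The function names, the sample password and the temporary file are constructed for this example; only the /dev/fd paths and the pipe/regular-file behaviour are facts about the shell.

```shell
#!/bin/sh
# Added example (not part of mkuser): verify that a password "fd path" such as
# /dev/fd/63 (bash process substitution <(...)) or /dev/fd/0 (echo | cmd)
# is backed by a pipe before reading a secret from it. POSIX sh, so it also
# runs under macOS /bin/sh and /bin/bash 3.2.

# describe_password_source PATH
# Prints one of: pipe, regular, notfd, other. Never reads the secret itself.
describe_password_source() {
    src=$1
    case $src in
        /dev/fd/*|/dev/stdin|/proc/self/fd/*) ;;   # only descriptor-backed paths qualify
        *) printf 'notfd\n'; return 0 ;;
    esac
    if [ -p "$src" ]; then
        printf 'pipe\n'         # process substitution or a shell pipeline
    elif [ -f "$src" ]; then
        printf 'regular\n'      # a redirect from a file, or a here-string that
                                # the shell backed with a temporary file
    else
        printf 'other\n'        # tty, socket, device, or nothing at all
    fi
}

# read_password_from_fd PATH
# Reads one line into $PASSWORD only when PATH is a pipe; otherwise returns 1
# without reading, so a secret that already sits in a file is not used.
read_password_from_fd() {
    kind=$(describe_password_source "$1")
    if [ "$kind" != pipe ]; then
        printf 'refusing to read password from %s: %s, not a pipe\n' "$1" "$kind" >&2
        return 1
    fi
    IFS= read -r PASSWORD < "$1"
}

# Constructed demo: a pipe is accepted, a regular file behind the same
# /dev/fd/0 path is refused, and a plain filesystem path is rejected outright.
# (Note: under bash 5.1+ a short here-string is backed by a pipe, so
# `describe_password_source /dev/fd/0 <<< x` reports "pipe" there; under the
# /bin/bash 3.2 shipped with macOS it reports "regular".)
demo_file=$(mktemp)
printf 'hunter2\n' > "$demo_file"
printf 'pipe   -> %s\n' "$(printf 'hunter2\n' | describe_password_source /dev/fd/0)"
printf 'file   -> %s\n' "$(describe_password_source /dev/fd/0 < "$demo_file")"
printf 'path   -> %s\n' "$(describe_password_source "$demo_file")"
rm -f "$demo_file"
```

In practice the caller that wants the same guarantee for its own tooling would invoke it as `printf '%s\n' "$pw" | read_password_from_fd /dev/fd/0` (or, in bash, `read_password_from_fd <(printf '%s\n' "$pw")`); both `printf` and `echo` are shell builtins, so the password also stays out of the process list, which is the property the 2022.4.21-1 notes above preserve on the OpenDirectory side.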