Use user's authentication to create the service account #134
Comments
That code is based on v3 so it won't work in v4. There is also a lot of other ancillary preference management code that needs to be added for a new feature. Further, this will require the creation of a new function for the service account creation because there would be two different workflows using similar code. In other words, while this is a good idea that I plan to implement, it's more complicated than just the changes you have here.
Cool. I'm testing it on v3 in our fleet of 800 or so Macs and so far it seems to be working...
Full disclosure... I don't ever plan to look at the v3 code again.
Cool, I hear that. So I guess I'll use as I have it, and my comment above is clear enough (I think?) for others to also use if they wish.
I added the following in version 4.0.0 after line 7983 (for reference, it was after this line
This worked whether the user was an admin or not. The last line
Yikes! It's not safe to put that function there. I'm happy that this works for you... and I do plan to implement this officially... but it will take quite a bit more changes to support this feature in a safe way.
I'm interested why you say it's not safe - maybe using this code with other implementation options (like trying to use MDM auth or a local existing account) won't work as expected, but using it without any of those and just a plist to define deferrals, I can't see the issue (yes I have gone through the code, every line in the func).
That code was designed to run during the startup workflow, and where you have it is now much later in the workflow. To implement this properly (as I plan to do in a future version) there is a lot more work involved to implement this as a configurable option, test the crap out of it, and document.
I made this as a standalone function - not sure what you want to call it or where you want to insert it. It means that after this line:
(obviously the last line depends on what you want to call the new func, and how you want to make it configurable by making an
That's a better approach.... and similar to the one I will take when I have time to implement this in v4.1... other priorities first.
When the user is asked for their password to install an update, use the user account to create a service account.
When the user clicks "install" and is prompted for their password (if there is no super service account and MDM fails), use those credentials to create a super service account so that they are never asked again.
This would require inserting the following code before line 7494: