Jamf Nation Community

We can dream, friendo. We can dream. 😅

This might be possible with XCreds. Kind of like a more modern version of NoMAD. Link: https://twocanoes.com/products/mac/xcreds/

I've seen two people on the #MacAdmins slack get it halfway working, but couldn't quite get it fully working.

Tidbits from them trying to get XCreds working with ClassLink at macOS sign-in window (XCreds does support 'JIT' aka 'Just In Time' local account creation, like NoMAD does).

"We had the same problem, and we use Classlink as an IDP for Google. I could only get an account created with a manually defined username in the config profile. Since Google takes us to the separate classlink page, I think thats why the username isn't getting pulled. It would be nice if we could do the same thing as passwords, defining the elementID field, since there is no @email.com part in our login, though I'm not 100% thats the best solution."

"I am testing xCreds with Google. We are using Google as a Single sign-on (SSO) with a third-party identity provider --> Classlink.com. XCreds will go to Google then to Classlink back to Google without passing the authenication back to xCreds. How can I get xCreds to see the authenication?"

Both those posts were 2 - 3 months ago. I asked them if they ever made any more progress but haven't heard back.

We're personally looking to get rid of NoMAD this year so this is something I will test myself in the next few months. NoMAD is still working great for us in a K-12 shared lab setting, even on the latest Ventura.. I just don't like how it's kind of a ghost project at this point. It would also be nice to use our ClassLink IdP. XCreds is all written in Swift and a modern solution (if not cutting-edge).

Just coming back to this thread due to notifications. Honestly thank you for the detailed reply! Would love to hear more about how it's going for you. We're still binding macs to AD and using mobile accounts + Enterprise Connect (since Apple KSSO can't sync passwords in this circumstance), but I'm looking to test out local accounts + JamfConnect sometime when I get enough time to do some research (probably the 12th of Never, but hoping maybe after the fall ticket rush).

Hi there. I looked into integrating XCreds with ClassLink heavily. I ultimately found that I need TwoCanoes to work with ClassLink to build an integration, there's no way to get a client secret, etc.. without being a ClassLink Developer. Tim @ TwoCanoes said he would be open to building this. ClassLink doesn't charge software vendors for integrations. I'm not quite sure where he's at with that, I haven't heard from him lately.

I'd really like to get it to work because XCreds is a small fraction of the cost of Connect, even with Education pricing. XCreds is $1 per device, per year (Education) which is unbelievably cheap. And that would come with support. Jamf support has really gone downhill in my experience.

I can keep you posted there, I know there are other ClassLink customers interested in XCreds.

Apple is also teasing Platform SSO with Sonoma. I'm not quite sure what that looks like yet. Not holding my breath on it personally, I'd totally pay for XCreds @ $500 per device / year, with support. We have some devices that won't support Sonoma that we still need the ability to let any user login.

I’m looking at all avenues at the moment. Gonna be able to check out Jamf connect a bit more after I roll Classlink out to staff and students in August. It looks like the Xcred team is doing some cool stuff and lots of support from Twocanoes and the community, biggest hurdle with Twocanoes is they don’t do purchase orders which creates a bunch of red tape for my company but if they 100% support id go through the headache of getting it purchased. 

For sure. ClassLink has been awesome for us btw. Wasn't aware of the no P.O. thing, hadn't even gotten that far with them. Good to know, as that could be an issue for us as well (we're K-12). Connect will be a little more turn-key and easier to implement. We piloted it in its early stages, but switched to NoMAD because Connect's main advantage is giving a remote user a fresh device, and they can sign in and create an account off-network, and we're just never really doing that, so didn't want to pay for something we weren't going to take advantage of.

Yeah we're still on AD mobile accts and Enterprise Connect, I'm looking to go JamfConnect when I have time to test.

Thanks for the awesome, detailed response. I'm going to edit my post as well -- we also ended up going Jamf Connect + Microsoft Entra (federated domain with IdP set to our Classlink portal). It's not ideal because it's a multi-stage login window, but it does work.