# macOS User

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FJupaW32SNollomOChego%2FmacOS%20User.jpg?alt=media&#x26;token=b4201c89-39f5-45b6-9860-3961e45ab747" alt=""><figcaption></figcaption></figure>

## Overview

In this guide, you'll learn how to remotely rotate macOS account passwords via SSH using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this [page](https://docs.keeper.io/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases#local-network).

## Prerequisites

This guide assumes the following tasks have already taken place:

* Keeper Secrets Manager is enabled for your [role](https://docs.keeper.io/en/keeperpam/privileged-access-manager/rotation-overview#enabling-rotation-on-the-admin-console)
* Keeper Rotation is enabled for your [role](https://docs.keeper.io/en/keeperpam/privileged-access-manager/rotation-overview#enabling-rotation-on-the-admin-console)
* A Keeper Secrets Manager [application](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/applications) has been created
* A Keeper Rotation [gateway](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways) is already installed and running, and can communicate via [SSH](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/setting-up-ssh) with your macOS device.

## 1. Set up a PAM Machine resource

Keeper Rotation will use the linked admin credential to rotate other accounts in your environment. This account does not need to be joined to a domain or be a full admin account, but it must be able to change passwords for other accounts.

#### PAM Machine Record Fields

<table><thead><tr><th width="194.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Record Type</strong></td><td>PAM Machine</td></tr><tr><td><strong>Title</strong></td><td>My macOS User</td></tr><tr><td><strong>Hostname or IP Address</strong></td><td>IP address or hostname of the macOS device. Use localhost if the gateway is installed on the device. Examples: <code>10.10.10.10</code>, <code>MarysMacBook</code>, <code>localhost</code></td></tr><tr><td><strong>Port</strong></td><td>SSH port, typically <code>22</code>. SSH is required for rotation.</td></tr><tr><td><strong>Use SSL</strong></td><td>Must be enabled</td></tr><tr><td><strong>Administrative Credentials</strong></td><td>Linked PAM User record that contains the username and password (or SSH Key) of the Admin account which will perform the rotation.</td></tr><tr><td><strong>Operating System</strong></td><td>For macOS rotation, use: <code>MacOS</code></td></tr></tbody></table>
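
A preflight check to run on the gateway host before saving the Hostname and Port values above: it confirms that the address answers with an SSH identification string. This is an added example, not Keeper code; the function names are hypothetical, and it tests reachability only, not the admin credential.

```python
import socket
import sys


def read_ssh_banner(sock, limit=4096):
    """Return the first complete line starting with 'SSH-', or None."""
    buf = b""
    while len(buf) < limit:  # cap the read so a noisy peer cannot stall the check
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
        *complete, _partial = buf.split(b"\n")
        for line in complete:  # a server may send other lines before its banner
            if line.startswith(b"SSH-"):
                return line.rstrip(b"\r").decode("ascii", "replace")
    return None


def check_ssh_endpoint(host, port=22, timeout=5.0):
    """Return (ok, detail) for a Hostname/Port pair planned for a PAM Machine record."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = read_ssh_banner(sock)
    except socket.timeout:
        return False, "timeout"      # filtered port or silent service
    except ConnectionRefusedError:
        return False, "refused"      # nothing listening, e.g. SSH not enabled
    except OSError as exc:
        return False, f"error: {exc}"
    if banner and banner.startswith(("SSH-2.0-", "SSH-1.99-")):
        return True, banner
    return False, "no SSH-2 identification string received"


if __name__ == "__main__":
    # Usage: python3 check_ssh.py <hostname-or-ip> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    ok, detail = check_ssh_endpoint(target, target_port)
    print(f"{target}:{target_port} -> {'OK' if ok else 'FAIL'} ({detail})")
    sys.exit(0 if ok else 1)
```
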

## 2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab. Create a new configuration:

<table><thead><tr><th width="200">Field</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Configuration name, example: <code>MAC Rotation</code></td><td></td></tr><tr><td><strong>Environment</strong></td><td>Select: <code>Local Network</code></td><td></td></tr><tr><td><strong>Gateway</strong></td><td>Select the Gateway that has SSH access to your macOS devices</td><td></td></tr><tr><td><strong>Application Folder</strong></td><td>Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.</td><td></td></tr><tr><td><strong>Default Rotation Schedule</strong></td><td>Optional</td><td></td></tr></tbody></table>

## 3. Set up one or more PAM User records

Keeper Rotation will use the linked credentials in the **PAM Machine** record to rotate the **PAM User** records in your environment.

#### PAM User Record Fields

<table><thead><tr><th width="194.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Record Type</strong></td><td>PAM User</td></tr><tr><td><strong>Title</strong></td><td>Keeper record title</td></tr><tr><td><strong>Login</strong></td><td>Case-sensitive username of the account being rotated. Example: <code>msmith</code></td></tr><tr><td><strong>Password</strong></td><td>Account password is optional; rotation will set one if blank</td></tr><tr><td><strong>Other fields</strong></td><td>These should be left blank</td></tr></tbody></table>

## 4. Configure Rotation on the PAM User records

Select the PAM User record, edit the record, and open the "Password Rotation Settings".

* Select the desired schedule and password complexity.
* The "Rotation Settings" should use the PAM Configuration set up previously.
* The "Resource Credential" field should select the "PAM Machine" credential set up previously.
* Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.

Any user with `edit` rights to a **PAM User** record has the ability to set up rotation for that record.
