# macOS User

## Overview

In this guide, you'll learn how to remotely rotate macOS accounts via SSH using Keeper Rotation. For a high-level overview of the rotation process in the local network, see this [page](/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases.md#local-network).

## Prerequisites

This guide assumes the following tasks have already taken place:

* Keeper Secrets Manager is enabled for your [role](/keeperpam/privileged-access-manager/password-rotation/rotation-overview.md#enabling-rotation-on-the-admin-console)
* Keeper Rotation is enabled for your [role](/keeperpam/privileged-access-manager/password-rotation/rotation-overview.md#enabling-rotation-on-the-admin-console)
* A Keeper Secrets Manager [application](/keeperpam/privileged-access-manager/getting-started/applications.md) has been created
* A Keeper Rotation [gateway](/keeperpam/privileged-access-manager/getting-started/gateways.md) is already installed, running, and can communicate via [SSH](/keeperpam/privileged-access-manager/references/setting-up-ssh.md) with your macOS device

## 1. Set up a PAM Machine resource

Keeper Rotation will use the linked admin credential to rotate other accounts in your environment. This account does not need to be joined to a domain or be a full admin account, but it must be able to successfully change passwords for other accounts.

#### PAM Machine Record Fields

<table><thead><tr><th width="194.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Record Type</strong></td><td>PAM Machine</td></tr><tr><td><strong>Title</strong></td><td>My macOS User</td></tr><tr><td><strong>Hostname or IP Address</strong></td><td>IP address or hostname of the macOS device. Use localhost if the gateway is installed on the device. Examples: <code>10.10.10.10</code>, <code>MarysMacBook</code>, <code>localhost</code></td></tr><tr><td><strong>Port</strong></td><td>SSH port, typically <code>22</code>. SSH is required for rotation.</td></tr><tr><td><strong>Use SSL</strong></td><td>Must be enabled</td></tr><tr><td><strong>Administrative Credentials</strong></td><td>Linked PAM User record that contains the username and password (or SSH Key) of the Admin account which will perform the rotation.</td></tr><tr><td><strong>Operating System</strong></td><td>For macOS rotation, use: <code>MacOS</code></td></tr></tbody></table>

## 2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab. Create a new configuration:

<table><thead><tr><th width="200">Field</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Configuration name, example: <code>MAC Rotation</code></td><td></td></tr><tr><td><strong>Environment</strong></td><td>Select: <code>Local Network</code></td><td></td></tr><tr><td><strong>Gateway</strong></td><td>Select the Gateway that has SSH access to your macOS devices</td><td></td></tr><tr><td><strong>Application Folder</strong></td><td>Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.</td><td></td></tr><tr><td><strong>Default Rotation Schedule</strong></td><td>Optional</td><td></td></tr></tbody></table>

## 3. Set up one or more PAM user records

Keeper Rotation will use the linked credentials in the **PAM Machine** record to rotate the **PAM User** records in your environment.

#### PAM User Record Fields

<table><thead><tr><th width="194.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Record Type</strong></td><td>PAM User</td></tr><tr><td><strong>Title</strong></td><td>Keeper record title</td></tr><tr><td><strong>Login</strong></td><td>Case-sensitive username of the account being rotated. Example: <code>msmith</code></td></tr><tr><td><strong>Password</strong></td><td>Account password is optional; rotation will set one if blank</td></tr><tr><td><strong>Other fields</strong></td><td>These should be left blank</td></tr></tbody></table>

## 4. Configure Rotation on the PAM User records

Select the PAM User record, edit the record and open the "Password Rotation Settings".

* Select the desired schedule and password complexity.
* The "Rotation Settings" should use the PAM Configuration set up previously.
* The "Resource Credential" field should select the "PAM Machine" credential set up previously.
* Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with `edit` rights to a **PAM User** record has the ability to set up rotation for that record.
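
A pre-flight check to run from the gateway host before creating the records above, as an added example that is not part of Keeper's documentation or tooling. It assumes key-based SSH for the admin account; the function names, the `admin` account name and the sample account list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Keeper code): pre-flight check run from the gateway host.
# Function names and the sample account list are constructed for illustration.

# Compare a PAM User "Login" value with a newline-separated account list.
# Prints one verdict: exact | case-mismatch:<actual name> | missing
check_login_case() {
    login=$1; userlist=$2
    if printf '%s\n' "$userlist" | grep -Fxq -- "$login"; then
        echo "exact"; return 0
    fi
    # Same name, different case: the case-sensitive Login field would not match.
    actual=$(printf '%s\n' "$userlist" | grep -Fxi -- "$login" | head -n 1)
    if [ -n "$actual" ]; then
        echo "case-mismatch:$actual"
    else
        echo "missing"
    fi
}

# Confirm SSH reachability, the reported OS, and the exact account name.
# Assumes key-based SSH for the admin account (BatchMode never prompts).
preflight() {
    host=$1; port=$2; admin=$3; login=$4
    out=$(ssh -p "$port" -o BatchMode=yes -o ConnectTimeout=5 "$admin@$host" \
        'sw_vers -productName; dscl . -list /Users') || {
        echo "FAIL: no SSH session to $host:$port as $admin" >&2; return 1; }
    os=$(printf '%s\n' "$out" | head -n 1)
    users=$(printf '%s\n' "$out" | tail -n +2)
    case $os in
        macOS|"Mac OS X") ;;
        *) echo "FAIL: $host reports '$os', not macOS" >&2; return 1 ;;
    esac
    verdict=$(check_login_case "$login" "$users")
    echo "$host:$port login '$login' -> $verdict"
    [ "$verdict" = "exact" ]
}

# Constructed sample of `dscl . -list /Users` output for the offline demo.
SAMPLE_USERS='_www
daemon
msmith
root'

if [ "$#" -eq 4 ]; then
    preflight "$@"   # e.g. ./preflight.sh 10.10.10.10 22 admin msmith
else
    echo "demo: MSmith -> $(check_login_case MSmith "$SAMPLE_USERS")"
fi
```

A `case-mismatch` verdict prints the account name as the device reports it, which is the value to enter in the **Login** field.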


