macOS User
Rotating Local Mac User Accounts with Keeper Rotation
Overview
In this guide, you'll learn how to remotely rotate local macOS user accounts over SSH using Keeper Rotation.
Prerequisites
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
1. Set up a PAM machine credential
Keeper Rotation uses an admin credential to rotate other accounts in your environment. This account does not need to be joined to a domain or be a full administrator, but it must be able to change the passwords of the local accounts you intend to rotate.
The admin credential must be stored in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged record; it does not need to be shared with any users.
PAM Machine Record Fields
Field | Description |
---|---|
Record Type | PAM Machine |
Title | Keeper record title |
Hostname or IP Address | IP address or hostname of the macOS device. Use localhost if the Gateway is installed on the device. Examples: |
Port | SSH port, typically: |
Use SSL | Must be enabled |
Login | Username of the admin account that performs the rotation over SSH. Example: |
Password | Admin account password |
Operating System | For macOS rotation, use: |
Other fields | These should be left blank |
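Before wiring this record into a rotation, it is worth confirming, independently of Keeper, that the admin account can actually reach the Mac over SSH and has what it needs to reset another local account's password. The script below is an added pre-flight check written for this guide; it is not part of Keeper's tooling and does not show how Keeper itself performs the rotation. The hostname `mac-01.example.com`, the admin login `rotator` and the target login `jsmith` are placeholders. It checks that the admin login is a member of the local `admin` group (what `sudo`/`sysadminctl` require to change another user's password) and that the target account exists in the local directory node; if your environment grants the password-change right some other way, adapt the remote command accordingly.

```shell
#!/bin/sh
# Added pre-flight check for this guide (not part of Keeper's tooling).
# Confirms, independently of Keeper, that the admin account named in the PAM
# Machine record can reach a Mac over SSH and has what it needs to reset another
# local account's password. Placeholders (assumed, replace with your own):
#   host   mac-01.example.com   (or "localhost" when run on the Gateway host)
#   admin  rotator              (login in the PAM Machine record)
#   target jsmith               (login in a PAM User record)
set -eu

# macOS local account names are case-sensitive and consist of letters, digits,
# '.', '_' and '-'. Reject anything else, and anything starting with '-', so a
# name can never be parsed as an option or break out of the quoting below.
valid_login() {
  case "$1" in
    ""|-*)              return 1 ;;
    *[!A-Za-z0-9._-]*)  return 1 ;;
    *)                  return 0 ;;
  esac
}

# Command executed on the Mac. Exit status 0 (and "OK" on stdout) only if the
# admin login is a member of the local "admin" group and the target record
# exists in the local directory node. Names are validated above and
# single-quoted here, so they cannot inject into the remote shell.
remote_check_cmd() {
  admin="$1"; target="$2"
  printf '%s' "dseditgroup -o checkmember -m '$admin' admin >/dev/null && dscl . -read '/Users/$target' RecordName >/dev/null && echo OK"
}

# Run the check. Returns 0 on success, 1 if the remote check failed,
# 2 if a login name was rejected before anything was sent to the host.
preflight() {
  host="$1"; admin="$2"; target="$3"
  valid_login "$admin"  || { echo "rejecting admin login: $admin"   >&2; return 2; }
  valid_login "$target" || { echo "rejecting target login: $target" >&2; return 2; }
  cmd=$(remote_check_cmd "$admin" "$target")
  if [ "$host" = "localhost" ]; then
    out=$(sh -c "$cmd") || out=""
  else
    # ssh prompts for the admin password (the one stored in the record) unless
    # key authentication is configured; ConnectTimeout keeps a dead host from
    # hanging the check.
    out=$(ssh -o ConnectTimeout=10 "$admin@$host" "$cmd") || out=""
  fi
  if [ "$out" = "OK" ]; then
    echo "OK: $admin can manage $target on $host"
    return 0
  fi
  echo "FAILED: $admin is not an admin on $host, or $target does not exist there" >&2
  return 1
}

# Usage: mac_rotation_preflight.sh HOST ADMIN TARGET
# With no arguments the file only defines the functions, so it can be sourced.
if [ "$#" -eq 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

Run it once per target account from the host where the Gateway is installed. A non-zero exit from the remote command usually means the login in the PAM Machine record is not in the `admin` group or the PAM User login was typed with different case than the account on the Mac.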
2. Set up a PAM Configuration
Note: You can skip this step if you already have a PAM Configuration set up.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab. Create a new configuration:
Field | Description |
---|---|
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that has SSH access to your macOS devices |
Application Folder | Select the Shared folder that contains the PAM Machine record above. |
Admin Credentials Record | Select the admin record; this list is filtered to records in the application folder |
Add Resource Credential | Add any optional credentials to be attempted in addition to the primary credential |
Default Rotation Schedule | Optional |
Other fields | These should be left blank |
3. Set up one or more PAM user records
Keeper Rotation uses the credential in the PAM Machine record to rotate the accounts described by your PAM User records.
Each user credential must be stored in a shared folder that is shared to the KSM application created in the prerequisites.
PAM User Record Fields
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case-sensitive username of the local account being rotated. Example: |
Password | Optional; if left blank, the first rotation sets a password |
Other fields | These should be left blank |
4. Configure Rotation on the Record
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Any user with edit rights to a PAM User record can set up rotation for that record, so grant edit rights on these records only to people who should control rotation.
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the "PAM Machine" credential set up previously.
Upon saving, the rotation button is enabled and the record can be rotated on demand or on the selected schedule.