We have written succesfully an authorization plugin called GMIAuthPlugin. This plugin works very well on the initial login. We allow for an out of band 2 factor authorization at the login screen. We even allow for passwordless login today. Our next goal is to display this auth plugin when waking from the screen saver or locking the machine. We have tried the following plist to system.login.screensaver. This gets us close but not all the way. In doing some reading it has been stated that we need to use the older login rule <string>authenticate-session-owner-or-admin</string> instead of the newer rule use-login-window-ui. I have not been able to configure both a mechanism and a login rule in the system.login.screensaver successfully. I am sure this is possible and maybe I am missing something obvious. Using the command Security authorizationdb write system.login.screensaver authenticate-session-owner-or-admin overwrites the whole plist file and does not keep the mechanism part we want. I have read this:https://forums.developer.apple.com/thread/86537And this thread:https://forums.developer.apple.com/thread/110667Here is our current system.login.screensaver plist. This displays our auth plugin. Our end goal is to send an out of band mobile message to our platform which will then unlock and login without manually typing the user’s password which we save and present for authorization.<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>allow-root</key> <false/> <key>authenticate-user</key> <true/> <key>class</key> <string>user</string> <key>created</key> <real>592759977.27845001</real> <key>group</key> <string>admin</string> <key>mechanisms</key> <array> <string>GMIAuthPlugin:invoke</string> <string>builtin:authenticate,privileged</string> <string>builtin:auto-login,privileged</string> <string>builtin:forward-login,privileged</string> <string>PKINITMechanism:auth,privileged</string> </array> <key>modified</key> <real>601410763.90900505</real> <key>session-owner</key> <true/> <key>shared</key> <false/> <key>timeout</key> <integer>2147483647</integer> <key>tries</key> <integer>10000</integer> <key>version</key> <integer>0</integer> <key>class</key> <string>rule</string> <key>created</key> <real>472414282.07143301</real> <key>modified</key> <real>498674468.80855602</real> <key>version</key> <integer>0</integer> </dict> </plist></dict></plist>Thank you so much for your help on this!Matt
Post
Replies
Boosts
Views
Activity
We have written succesfully an authorization plugin called GMIAuthPlugin. This plugin works very well on the initial login. We allow for an out of band 2 factor authorization at the login screen. We even allow for passwordless login today. Our next goal is to display this auth plugin when waking from the screen saver or locking the machine. We have tried the following plist to system.login.screensaver. This gets us close but not all the way. In doing some reading it has been stated that we need to use the older login rule <string>authenticate-session-owner-or-admin</string> instead of the newer rule use-login-window-ui. I have not been able to configure both a mechanism and a login rule in the system.login.screensaver successfully. I am sure this is possible and maybe I am missing something obvious. Using the command Security authorizationdb write system.login.screensaver authenticate-session-owner-or-admin overwrites the whole plist file and does not keep the mechanism part we want. I have read this:https://forums.developer.apple.com/thread/86537And this thread:https://forums.developer.apple.com/thread/110667Here is our current system.login.screensaver plist. This displays our auth plugin. Our end goal is to send an out of band mobile message to our platform which will then unlock and login without manually typing the user’s password which we save and present for authorization.<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>allow-root</key> <false/> <key>authenticate-user</key> <true/> <key>class</key> <string>user</string> <key>created</key> <real>592759977.27845001</real> <key>group</key> <string>admin</string> <key>mechanisms</key> <array> <string>GMIAuthPlugin:invoke</string> <string>builtin:authenticate,privileged</string> <string>builtin:auto-login,privileged</string> <string>builtin:forward-login,privileged</string> <string>PKINITMechanism:auth,privileged</string> </array> <key>modified</key> <real>601410763.90900505</real> <key>session-owner</key> <true/> <key>shared</key> <false/> <key>timeout</key> <integer>2147483647</integer> <key>tries</key> <integer>10000</integer> <key>version</key> <integer>0</integer> <key>class</key> <string>rule</string> <key>created</key> <real>472414282.07143301</real> <key>modified</key> <real>498674468.80855602</real> <key>version</key> <integer>0</integer> </dict> </plist></dict></plist>