Tutorial

Novas atualizações e melhorias para a Macfleet.

Aviso importante

Os exemplos de código e scripts fornecidos nestes tutoriais são apenas para fins educacionais. A Macfleet não é responsável por quaisquer problemas, danos ou vulnerabilidades de segurança que possam surgir do uso, modificação ou implementação destes exemplos. Sempre revise e teste o código em um ambiente seguro antes de usá-lo em sistemas de produção.

← Todas as postagens

July 7, 2025

Password Management on macOS

Implement comprehensive password management and authentication control across your MacFleet devices using advanced directory services and system administration tools. This tutorial covers password clearing, policy enforcement, and enterprise authentication management.

Understanding macOS Password Management

macOS provides multiple tools for password management:

dscl - Directory Services Command Line utility for user management
sysadminctl - System administrator control tool for user operations
Directory Services - Core authentication and authorization framework
Security Framework - Advanced password policy and enforcement mechanisms

Basic Password Operations

Clear User Password (Basic Method)

#!/bin/bash

# Basic password clearing using dscl
clear_user_password_dscl() {
    local username="$1"
    local current_password="$2"
    
    echo "=== Clearing Password for User: $username ==="
    
    # Validate parameters
    if [[ -z "$username" || -z "$current_password" ]]; then
        echo "❌ Usage: clear_user_password_dscl <username> <current_password>"
        return 1
    fi
    
    # Check if user exists
    if ! dscl . -read "/Users/$username" >/dev/null 2>&1; then
        echo "❌ User '$username' does not exist"
        return 1
    fi
    
    # Clear password using dscl
    echo "Clearing password for user: $username"
    if dscl . passwd "/Users/$username" "$current_password" ""; then
        echo "✅ Password cleared successfully for user: $username"
        echo "ℹ️  User can now login by pressing Enter without a password"
    else
        echo "❌ Failed to clear password for user: $username"
        echo "   Check that the current password is correct"
        return 1
    fi
}

# Usage: clear_user_password_dscl "john.doe" "currentpass123"

Clear Password Using sysadminctl

#!/bin/bash

# Advanced password clearing using sysadminctl
clear_user_password_sysadminctl() {
    local target_username="$1"
    local admin_username="$2"
    local admin_password="$3"
    
    echo "=== Clearing Password Using sysadminctl ==="
    echo "Target user: $target_username"
    echo "Admin user: $admin_username"
    
    # Validate parameters
    if [[ -z "$target_username" || -z "$admin_username" || -z "$admin_password" ]]; then
        echo "❌ Usage: clear_user_password_sysadminctl <target_user> <admin_user> <admin_password>"
        return 1
    fi
    
    # Check if target user exists
    if ! dscl . -read "/Users/$target_username" >/dev/null 2>&1; then
        echo "❌ Target user '$target_username' does not exist"
        return 1
    fi
    
    # Check if admin user exists and has admin privileges
    if ! dscl . -read "/Users/$admin_username" >/dev/null 2>&1; then
        echo "❌ Admin user '$admin_username' does not exist"
        return 1
    fi
    
    # Clear password using sysadminctl
    echo "Clearing password for user: $target_username"
    if sysadminctl -resetPasswordFor "$target_username" -newPassword "" -adminUser "$admin_username" -adminPassword "$admin_password"; then
        echo "✅ Password cleared successfully for user: $target_username"
        echo "ℹ️  User can now login without entering a password"
    else
        echo "❌ Failed to clear password for user: $target_username"
        echo "   Check admin credentials and user permissions"
        return 1
    fi
}

# Usage: clear_user_password_sysadminctl "jane.doe" "admin" "adminpass123"

Advanced Password Management

Check Password Status

#!/bin/bash

# Check user password and authentication status
check_password_status() {
    local username="$1"
    
    echo "=== Password Status Check for User: $username ==="
    
    if [[ -z "$username" ]]; then
        echo "❌ Usage: check_password_status <username>"
        return 1
    fi
    
    # Check if user exists
    if ! dscl . -read "/Users/$username" >/dev/null 2>&1; then
        echo "❌ User '$username' does not exist"
        return 1
    fi
    
    # Get user information
    echo "User Information:"
    echo "Real Name: $(dscl . -read "/Users/$username" RealName | cut -d' ' -f2- || echo 'Not set')"
    echo "UID: $(dscl . -read "/Users/$username" UniqueID | awk '{print $2}')"
    echo "Primary Group ID: $(dscl . -read "/Users/$username" PrimaryGroupID | awk '{print $2}')"
    echo "Home Directory: $(dscl . -read "/Users/$username" NFSHomeDirectory | cut -d' ' -f2-)"
    echo "Shell: $(dscl . -read "/Users/$username" UserShell | cut -d' ' -f2-)"
    
    # Check password policy
    echo ""
    echo "Password Policy Information:"
    local password_policy=$(pwpolicy -u "$username" -getpolicy 2>/dev/null || echo "No specific policy")
    echo "Password Policy: $password_policy"
    
    # Check account status
    echo ""
    echo "Account Status:"
    local account_policy=$(pwpolicy -u "$username" -getaccountpolicy 2>/dev/null || echo "No account policy")
    echo "Account Policy: $account_policy"
    
    # Check if password is empty
    echo ""
    echo "Password Status:"
    local auth_authority=$(dscl . -read "/Users/$username" AuthenticationAuthority 2>/dev/null)
    if [[ -z "$auth_authority" ]] || echo "$auth_authority" | grep -q "ShadowHash"; then
        echo "Password Type: Shadow Hash (Standard)"
    else
        echo "Password Type: $auth_authority"
    fi
}

check_password_status

Secure Password Setting

#!/bin/bash

# Set secure password with validation
set_secure_password() {
    local username="$1"
    local new_password="$2"
    local admin_username="$3"
    local admin_password="$4"
    
    echo "=== Setting Secure Password for User: $username ==="
    
    # Validate parameters
    if [[ -z "$username" || -z "$new_password" || -z "$admin_username" || -z "$admin_password" ]]; then
        echo "❌ Usage: set_secure_password <username> <new_password> <admin_user> <admin_password>"
        return 1
    fi
    
    # Check password strength
    if ! validate_password_strength "$new_password"; then
        echo "❌ Password does not meet security requirements"
        return 1
    fi
    
    # Set password using sysadminctl
    echo "Setting secure password for user: $username"
    if sysadminctl -resetPasswordFor "$username" -newPassword "$new_password" -adminUser "$admin_username" -adminPassword "$admin_password"; then
        echo "✅ Secure password set successfully for user: $username"
        
        # Apply password policy
        apply_password_policy "$username"
    else
        echo "❌ Failed to set password for user: $username"
        return 1
    fi
}

# Validate password strength
validate_password_strength() {
    local password="$1"
    local min_length=8
    local has_upper=false
    local has_lower=false
    local has_digit=false
    local has_special=false
    
    # Check minimum length
    if [[ ${#password} -lt $min_length ]]; then
        echo "⚠️  Password must be at least $min_length characters long"
        return 1
    fi
    
    # Check for uppercase letter
    if [[ "$password" =~ [A-Z] ]]; then
        has_upper=true
    fi
    
    # Check for lowercase letter
    if [[ "$password" =~ [a-z] ]]; then
        has_lower=true
    fi
    
    # Check for digit
    if [[ "$password" =~ [0-9] ]]; then
        has_digit=true
    fi
    
    # Check for special character
    if [[ "$password" =~ [^a-zA-Z0-9] ]]; then
        has_special=true
    fi
    
    # Validate all requirements
    if [[ "$has_upper" == true && "$has_lower" == true && "$has_digit" == true && "$has_special" == true ]]; then
        echo "✅ Password meets security requirements"
        return 0
    else
        echo "⚠️  Password must contain uppercase, lowercase, digit, and special character"
        return 1
    fi
}

# Apply password policy
apply_password_policy() {
    local username="$1"
    
    echo "Applying password policy for user: $username"
    
    # Set password policy (requires admin privileges)
    pwpolicy -u "$username" -setpolicy "minChars=8 requiresAlpha requiresNumeric requiresMixedCase requiresSymbol passwordCannotBeName maxMinutesUntilChangePassword=7776000" 2>/dev/null || true
    
    echo "✅ Password policy applied"
}

Enterprise Password Management System

#!/bin/bash

# MacFleet Enterprise Password Management System
# Comprehensive user authentication and password policy management

# Configuration
PASSWORD_CONFIG_FILE="/etc/macfleet/password_config.conf"
LOG_FILE="/var/log/macfleet_password_management.log"
AUDIT_FILE="/var/log/macfleet_password_audit.log"
BACKUP_DIR="/var/backups/macfleet/user_accounts"

# Default settings
DEFAULT_MIN_PASSWORD_LENGTH=12
DEFAULT_PASSWORD_EXPIRY_DAYS=90
DEFAULT_MAX_FAILED_ATTEMPTS=5
DEFAULT_LOCKOUT_DURATION=30

# Logging function
log_action() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}

# Audit logging function
audit_log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - AUDIT - $1" | tee -a "$AUDIT_FILE"
}

# Load password management configuration
load_password_config() {
    if [[ -f "$PASSWORD_CONFIG_FILE" ]]; then
        source "$PASSWORD_CONFIG_FILE"
        log_action "Loaded password configuration from $PASSWORD_CONFIG_FILE"
    else
        log_action "Using default password configuration"
    fi
}

# Backup user account information
backup_user_account() {
    local username="$1"
    local backup_file="$BACKUP_DIR/user_backup_${username}_$(date +%Y%m%d_%H%M%S).plist"
    
    # Create backup directory
    sudo mkdir -p "$BACKUP_DIR"
    
    # Export user record
    if dscl . -read "/Users/$username" > "$backup_file" 2>/dev/null; then
        log_action "User account backup created: $backup_file"
        audit_log "BACKUP_CREATED for user: $username"
    else
        log_action "Failed to create backup for user: $username"
    fi
}

# Enterprise password clearing with safety checks
enterprise_clear_password() {
    local username="$1"
    local admin_username="$2"
    local admin_password="$3"
    local force_clear="${4:-false}"
    
    log_action "Starting enterprise password clear for user: $username"
    audit_log "PASSWORD_CLEAR_INITIATED for user: $username by admin: $admin_username"
    
    # Validate parameters
    if [[ -z "$username" || -z "$admin_username" || -z "$admin_password" ]]; then
        log_action "❌ Missing required parameters for password clear"
        return 1
    fi
    
    # Check if user exists
    if ! dscl . -read "/Users/$username" >/dev/null 2>&1; then
        log_action "❌ User '$username' does not exist"
        return 1
    fi
    
    # Security checks
    if ! perform_security_checks "$username" "$force_clear"; then
        log_action "❌ Security checks failed for user: $username"
        return 1
    fi
    
    # Create backup before making changes
    backup_user_account "$username"
    
    # Clear password using sysadminctl (more secure method)
    log_action "Clearing password for user: $username using sysadminctl"
    if sysadminctl -resetPasswordFor "$username" -newPassword "" -adminUser "$admin_username" -adminPassword "$admin_password" 2>/dev/null; then
        log_action "✅ Password cleared successfully for user: $username"
        audit_log "PASSWORD_CLEARED for user: $username"
        
        # Apply post-clear security measures
        apply_post_clear_security "$username"
        
        # Generate compliance report
        generate_password_compliance_report "$username"
        
        return 0
    else
        log_action "❌ Failed to clear password for user: $username"
        audit_log "PASSWORD_CLEAR_FAILED for user: $username"
        return 1
    fi
}

# Perform security checks before password operations
perform_security_checks() {
    local username="$1"
    local force_clear="$2"
    
    log_action "Performing security checks for user: $username"
    
    # Check if user is admin (extra caution required)
    if dscl . -read "/Groups/admin" GroupMembership 2>/dev/null | grep -q "$username"; then
        if [[ "$force_clear" != "true" ]]; then
            log_action "⚠️  User '$username' is an administrator - use force_clear=true to proceed"
            return 1
        else
            log_action "⚠️  Proceeding with admin user password clear (forced)"
            audit_log "ADMIN_PASSWORD_CLEAR_FORCED for user: $username"
        fi
    fi
    
    # Check FileVault status
    if fdesetup status | grep -q "FileVault is On"; then
        local filevault_users=$(fdesetup list | cut -d',' -f1)
        if echo "$filevault_users" | grep -q "$username"; then
            log_action "⚠️  User '$username' is a FileVault user - password clear may affect disk encryption"
            audit_log "FILEVAULT_USER_PASSWORD_CLEAR for user: $username"
        fi
    fi
    
    # Check if user is currently logged in
    if who | grep -q "$username"; then
        log_action "⚠️  User '$username' is currently logged in"
        audit_log "ACTIVE_USER_PASSWORD_CLEAR for user: $username"
    fi
    
    # Check last login time
    local last_login=$(last "$username" | head -1 | awk '{print $4, $5, $6}')
    log_action "Last login for user '$username': $last_login"
    
    return 0
}

# Apply security measures after password clearing
apply_post_clear_security() {
    local username="$1"
    
    log_action "Applying post-clear security measures for user: $username"
    
    # Set account policy to require password change on next login
    pwpolicy -u "$username" -setpolicy "requiresPasswordReset=1" 2>/dev/null || true
    
    # Log security event
    audit_log "POST_CLEAR_SECURITY_APPLIED for user: $username"
    
    # Optional: Send notification to security team
    if [[ "${ENABLE_SECURITY_NOTIFICATIONS}" == "true" ]]; then
        send_security_notification "$username" "password_cleared"
    fi
}

# Generate password compliance report
generate_password_compliance_report() {
    local username="$1"
    local report_file="/var/log/macfleet_password_compliance_$(date +%Y%m%d_%H%M%S).json"
    
    # Get user information
    local uid=$(dscl . -read "/Users/$username" UniqueID 2>/dev/null | awk '{print $2}')
    local real_name=$(dscl . -read "/Users/$username" RealName 2>/dev/null | cut -d' ' -f2-)
    local home_dir=$(dscl . -read "/Users/$username" NFSHomeDirectory 2>/dev/null | cut -d' ' -f2-)
    
    # Check admin status
    local is_admin=false
    if dscl . -read "/Groups/admin" GroupMembership 2>/dev/null | grep -q "$username"; then
        is_admin=true
    fi
    
    # Check FileVault status
    local is_filevault_user=false
    if fdesetup status | grep -q "FileVault is On"; then
        if fdesetup list | cut -d',' -f1 | grep -q "$username"; then
            is_filevault_user=true
        fi
    fi
    
    # Generate compliance report
    local compliance_data='{
        "timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'",
        "device_id": "'$(system_profiler SPHardwareDataType | grep "Hardware UUID" | awk '{print $3}')'",
        "hostname": "'$(hostname)'",
        "operation": "password_cleared",
        "user_details": {
            "username": "'$username'",
            "uid": "'$uid'",
            "real_name": "'$real_name'",
            "home_directory": "'$home_dir'",
            "is_admin": '$is_admin',
            "is_filevault_user": '$is_filevault_user'
        },
        "security_status": {
            "password_cleared": true,
            "backup_created": true,
            "security_checks_passed": true,
            "post_clear_measures_applied": true
        }
    }'
    
    # Save compliance report
    echo "$compliance_data" | jq . > "$report_file"
    log_action "Password compliance report generated: $report_file"
}

# Bulk password operations for multiple users
bulk_password_operations() {
    local operation="$1"
    local users_file="$2"
    local admin_username="$3"
    local admin_password="$4"
    
    log_action "Starting bulk password operations: $operation"
    
    if [[ ! -f "$users_file" ]]; then
        log_action "❌ Users file not found: $users_file"
        return 1
    fi
    
    local success_count=0
    local failure_count=0
    
    while IFS= read -r username; do
        # Skip empty lines and comments
        [[ -z "$username" || "$username" =~ ^# ]] && continue
        
        log_action "Processing user: $username"
        
        case "$operation" in
            "clear")
                if enterprise_clear_password "$username" "$admin_username" "$admin_password" "false"; then
                    ((success_count++))
                else
                    ((failure_count++))
                fi
                ;;
            "check")
                check_password_status "$username"
                ;;
            *)
                log_action "❌ Unknown operation: $operation"
                return 1
                ;;
        esac
        
        # Small delay between operations
        sleep 1
        
    done < "$users_file"
    
    log_action "Bulk operations completed - Success: $success_count, Failures: $failure_count"
    audit_log "BULK_OPERATION_COMPLETED operation: $operation, success: $success_count, failures: $failure_count"
}

# Password policy enforcement
enforce_password_policies() {
    log_action "Enforcing enterprise password policies"
    
    # Get all users (excluding system users)
    local users=$(dscl . -list /Users | grep -v '^_' | grep -v '^root' | grep -v '^daemon' | grep -v '^nobody')
    
    for username in $users; do
        local uid=$(dscl . -read "/Users/$username" UniqueID 2>/dev/null | awk '{print $2}')
        
        # Skip system users (UID < 500)
        if [[ "$uid" -lt 500 ]]; then
            continue
        fi
        
        log_action "Enforcing password policy for user: $username"
        
        # Apply enterprise password policy
        local min_length="${MIN_PASSWORD_LENGTH:-$DEFAULT_MIN_PASSWORD_LENGTH}"
        local expiry_days="${PASSWORD_EXPIRY_DAYS:-$DEFAULT_PASSWORD_EXPIRY_DAYS}"
        local max_attempts="${MAX_FAILED_ATTEMPTS:-$DEFAULT_MAX_FAILED_ATTEMPTS}"
        
        pwpolicy -u "$username" -setpolicy "minChars=$min_length requiresAlpha requiresNumeric requiresMixedCase requiresSymbol passwordCannotBeName maxMinutesUntilChangePassword=$((expiry_days * 24 * 60)) maxFailedLoginAttempts=$max_attempts" 2>/dev/null || true
        
    done
    
    log_action "Password policy enforcement completed"
}

# Send security notification
send_security_notification() {
    local username="$1"
    local event_type="$2"
    
    # This would integrate with your notification system
    # For now, just log the event
    audit_log "SECURITY_NOTIFICATION sent for user: $username, event: $event_type"
}

# Main password management function
main() {
    local action="${1:-status}"
    local username="${2}"
    local admin_username="${3}"
    local admin_password="${4}"
    
    log_action "=== MacFleet Password Management Started ==="
    
    case "$action" in
        "clear")
            if [[ -z "$username" || -z "$admin_username" || -z "$admin_password" ]]; then
                echo "Usage: $0 clear <username> <admin_username> <admin_password>"
                exit 1
            fi
            load_password_config
            enterprise_clear_password "$username" "$admin_username" "$admin_password"
            ;;
        "clear-force")
            if [[ -z "$username" || -z "$admin_username" || -z "$admin_password" ]]; then
                echo "Usage: $0 clear-force <username> <admin_username> <admin_password>"
                exit 1
            fi
            load_password_config
            enterprise_clear_password "$username" "$admin_username" "$admin_password" "true"
            ;;
        "check")
            if [[ -z "$username" ]]; then
                echo "Usage: $0 check <username>"
                exit 1
            fi
            check_password_status "$username"
            ;;
        "bulk")
            local operation="$2"
            local users_file="$3"
            shift 3
            admin_username="$1"
            admin_password="$2"
            load_password_config
            bulk_password_operations "$operation" "$users_file" "$admin_username" "$admin_password"
            ;;
        "enforce-policies")
            load_password_config
            enforce_password_policies
            ;;
        "status")
            echo "MacFleet Password Management System"
            echo "Available commands:"
            echo "  clear <user> <admin_user> <admin_pass>  - Clear user password"
            echo "  clear-force <user> <admin_user> <admin_pass>  - Force clear (admin users)"
            echo "  check <user>                            - Check password status"
            echo "  bulk <operation> <users_file> <admin_user> <admin_pass>  - Bulk operations"
            echo "  enforce-policies                        - Apply password policies"
            echo "  status                                  - Show this help"
            ;;
        *)
            echo "❌ Unknown action: $action"
            echo "Use '$0 status' for available commands"
            exit 1
            ;;
    esac
    
    log_action "=== MacFleet Password Management Completed ==="
}

# Execute main function
main "$@"

Password Management Configuration

Create a configuration file for enterprise password policies:

#!/bin/bash

# Create password management configuration file
create_password_config() {
    local config_dir="/etc/macfleet"
    local config_file="$config_dir/password_config.conf"
    
    # Create directory if it doesn't exist
    sudo mkdir -p "$config_dir"
    
    # Create configuration file
    sudo tee "$config_file" > /dev/null << 'EOF'
# MacFleet Password Management Configuration

# Password policy settings
MIN_PASSWORD_LENGTH=12
PASSWORD_EXPIRY_DAYS=90
MAX_FAILED_ATTEMPTS=5
LOCKOUT_DURATION=30

# Security requirements
REQUIRE_UPPERCASE=true
REQUIRE_LOWERCASE=true
REQUIRE_NUMBERS=true
REQUIRE_SPECIAL_CHARS=true
PREVENT_COMMON_PASSWORDS=true

# Operational settings
ENABLE_AUDIT_LOGGING=true
ENABLE_SECURITY_NOTIFICATIONS=true
ENABLE_AUTOMATIC_BACKUP=true
BACKUP_RETENTION_DAYS=365

# FileVault considerations
WARN_FILEVAULT_USERS=true
REQUIRE_FORCE_FOR_FILEVAULT=true

# Admin user protection
WARN_ADMIN_USERS=true
REQUIRE_FORCE_FOR_ADMIN=true

# Compliance settings
ENABLE_COMPLIANCE_REPORTING=true
COMPLIANCE_REPORT_INTERVAL=7200  # 2 hours
SEND_COMPLIANCE_ALERTS=true
EOF

    echo "Password management configuration created at: $config_file"
    echo "Please review and modify settings according to your security policies"
}

create_password_config

Security Considerations and Best Practices

FileVault Compatibility

#!/bin/bash

# Check FileVault compatibility before password operations
check_filevault_compatibility() {
    local username="$1"
    
    echo "=== FileVault Compatibility Check ==="
    
    # Check if FileVault is enabled
    if fdesetup status | grep -q "FileVault is On"; then
        echo "✅ FileVault is enabled"
        
        # Check if user is a FileVault user
        local filevault_users=$(fdesetup list)
        if echo "$filevault_users" | grep -q "$username"; then
            echo "⚠️  User '$username' is a FileVault user"
            echo "   Clearing password may affect disk encryption access"
            echo "   Consider the following before proceeding:"
            echo "   - Ensure other FileVault users exist"
            echo "   - Have recovery key available"
            echo "   - User may need to re-enable FileVault after password reset"
            return 1
        else
            echo "✅ User '$username' is not a FileVault user"
            return 0
        fi
    else
        echo "ℹ️  FileVault is not enabled"
        return 0
    fi
}

check_filevault_compatibility

Audit and Compliance

#!/bin/bash

# Generate comprehensive audit report
generate_audit_report() {
    local report_file="/var/log/macfleet_password_audit_$(date +%Y%m%d_%H%M%S).txt"
    
    {
        echo "MacFleet Password Management Audit Report"
        echo "Generated: $(date)"
        echo "Device: $(hostname)"
        echo "====================================="
        echo ""
        
        echo "System Users (UID >= 500):"
        dscl . -list /Users | while read username; do
            local uid=$(dscl . -read "/Users/$username" UniqueID 2>/dev/null | awk '{print $2}')
            if [[ "$uid" -ge 500 ]]; then
                local real_name=$(dscl . -read "/Users/$username" RealName 2>/dev/null | cut -d' ' -f2-)
                local is_admin=""
                if dscl . -read "/Groups/admin" GroupMembership 2>/dev/null | grep -q "$username"; then
                    is_admin=" (Admin)"
                fi
                echo "- $username (UID: $uid)$is_admin - $real_name"
            fi
        done
        echo ""
        
        echo "FileVault Status:"
        fdesetup status
        if fdesetup status | grep -q "FileVault is On"; then
            echo "FileVault Users:"
            fdesetup list
        fi
        echo ""
        
        echo "Recent Password Management Activities:"
        if [[ -f "$AUDIT_FILE" ]]; then
            tail -20 "$AUDIT_FILE"
        else
            echo "No audit log found"
        fi
        
    } > "$report_file"
    
    echo "Audit report generated: $report_file"
}

generate_audit_report

Integration with MacFleet Management

#!/bin/bash

# MacFleet password management integration
macfleet_password_integration() {
    echo "=== MacFleet Password Management Integration ==="
    
    # Device information
    local device_id=$(system_profiler SPHardwareDataType | grep "Hardware UUID" | awk '{print $3}')
    local hostname=$(hostname)
    local macos_version=$(sw_vers -productVersion)
    
    # Get user account statistics
    local total_users=$(dscl . -list /Users | grep -v '^_' | grep -v '^root' | grep -v '^daemon' | grep -v '^nobody' | wc -l)
    local admin_users=$(dscl . -read "/Groups/admin" GroupMembership 2>/dev/null | wc -w)
    
    # FileVault status
    local filevault_enabled=false
    local filevault_users=0
    if fdesetup status | grep -q "FileVault is On"; then
        filevault_enabled=true
        filevault_users=$(fdesetup list | wc -l)
    fi
    
    # Recent password management activities
    local recent_activities=0
    if [[ -f "$AUDIT_FILE" ]]; then
        recent_activities=$(grep "$(date +%Y-%m-%d)" "$AUDIT_FILE" | wc -l)
    fi
    
    # Report to MacFleet API
    local api_data='{
        "device_id": "'$device_id'",
        "hostname": "'$hostname'",
        "timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'",
        "macos_version": "'$macos_version'",
        "password_management": {
            "total_users": '$total_users',
            "admin_users": '$admin_users',
            "filevault_enabled": '$filevault_enabled',
            "filevault_users": '$filevault_users',
            "recent_activities": '$recent_activities'
        },
        "password_management_status": "active"
    }'
    
    echo "Password management status reported to MacFleet management system"
    echo "Device ID: $device_id"
    echo "Total Users: $total_users"
    echo "Admin Users: $admin_users"
    echo "FileVault Enabled: $filevault_enabled"
    echo "Recent Activities: $recent_activities"
}

macfleet_password_integration

Important Security Notes

Security Warnings

Password clearing creates security risks - only use when necessary
FileVault users require special consideration - may affect disk encryption
Admin users need extra caution - can compromise system security
Always create backups before making password changes

Best Practices

Use sysadminctl over dscl for better security and audit trails
Implement strong password policies after clearing passwords
Monitor and audit all password operations
Test on pilot devices before fleet-wide deployment

Compliance Considerations

Document all password operations for security audits
Maintain backup and recovery procedures
Regular security assessments of user accounts
Integration with enterprise identity systems for centralized management

Tutorial

Novas atualizações e melhorias para a Macfleet.

Siga-nos no X.com

May 20, 2025

Configurando um Runner do GitHub Actions em um Mac Mini (Apple Silicon)

Runner do GitHub Actions

GitHub Actions é uma plataforma poderosa de CI/CD que permite automatizar seus fluxos de trabalho de desenvolvimento de software. Embora o GitHub ofereça runners hospedados, runners auto-hospedados fornecem maior controle e personalização para sua configuração de CI/CD. Este tutorial o guia através da configuração e conexão de um runner auto-hospedado em um Mac mini para executar pipelines do macOS.

Pré-requisitos

Antes de começar, certifique-se de ter:

Um Mac mini (registre-se no Macfleet)
Um repositório GitHub com direitos de administrador
Um gerenciador de pacotes instalado (preferencialmente Homebrew)
Git instalado em seu sistema

Passo 1: Criar uma Conta de Usuário Dedicada

Primeiro, crie uma conta de usuário dedicada para o runner do GitHub Actions:

# Criar a conta de usuário 'gh-runner'
sudo dscl . -create /Users/gh-runner
sudo dscl . -create /Users/gh-runner UserShell /bin/bash
sudo dscl . -create /Users/gh-runner RealName "GitHub runner"
sudo dscl . -create /Users/gh-runner UniqueID "1001"
sudo dscl . -create /Users/gh-runner PrimaryGroupID 20
sudo dscl . -create /Users/gh-runner NFSHomeDirectory /Users/gh-runner

# Definir a senha para o usuário
sudo dscl . -passwd /Users/gh-runner sua_senha

# Adicionar 'gh-runner' ao grupo 'admin'
sudo dscl . -append /Groups/admin GroupMembership gh-runner

Mude para a nova conta de usuário:

su gh-runner

Passo 2: Instalar Software Necessário

Instale Git e Rosetta 2 (se estiver usando Apple Silicon):

# Instalar Git se ainda não estiver instalado
brew install git

# Instalar Rosetta 2 para Macs Apple Silicon
softwareupdate --install-rosetta

Passo 3: Configurar o Runner do GitHub Actions

Vá para seu repositório GitHub
Navegue para Configurações > Actions > Runners

Runner do GitHub Actions

Clique em "New self-hosted runner" (https://github.com/<username>/<repository>/settings/actions/runners/new)
Selecione macOS como imagem do runner e ARM64 como arquitetura
Siga os comandos fornecidos para baixar e configurar o runner

Runner do GitHub Actions

Crie um arquivo .env no diretório _work do runner:

# arquivo _work/.env
ImageOS=macos15
XCODE_15_DEVELOPER_DIR=/Applications/Xcode.app/Contents/Developer

Execute o script run.sh em seu diretório do runner para completar a configuração.
Verifique se o runner está ativo e ouvindo por trabalhos no terminal e verifique as configurações do repositório GitHub para a associação do runner e status Idle.

Runner do GitHub Actions

Passo 4: Configurar Sudoers (Opcional)

Se suas ações requerem privilégios de root, configure o arquivo sudoers:

sudo visudo

Adicione a seguinte linha:

gh-runner ALL=(ALL) NOPASSWD: ALL

Passo 5: Usar o Runner em Fluxos de Trabalho

Configure seu fluxo de trabalho do GitHub Actions para usar o runner auto-hospedado:

name: Fluxo de trabalho de exemplo

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: [self-hosted, macOS, ARM64]
    steps:
      - name: Instalar NodeJS
        run: brew install node

O runner está autenticado em seu repositório e rotulado com self-hosted, macOS, e ARM64. Use-o em seus fluxos de trabalho especificando estes rótulos no campo runs-on:

runs-on: [self-hosted, macOS, ARM64]

Melhores Práticas

Mantenha seu software do runner atualizado
Monitore regularmente os logs do runner para problemas
Use rótulos específicos para diferentes tipos de runners
Implemente medidas de segurança adequadas
Considere usar múltiplos runners para balanceamento de carga

Solução de Problemas

Problemas comuns e soluções:

Runner não conectando:
- Verifique conectividade de rede
- Verifique validade do token GitHub
- Certifique-se de permissões adequadas
Falhas de build:
- Verifique instalação do Xcode
- Verifique dependências necessárias
- Revise logs do fluxo de trabalho
Problemas de permissão:
- Verifique permissões do usuário
- Verifique configuração sudoers
- Revise permissões do sistema de arquivos

Conclusão

Agora você tem um runner auto-hospedado do GitHub Actions configurado em seu Mac mini. Esta configuração fornece mais controle sobre seu ambiente CI/CD e permite executar fluxos de trabalho específicos do macOS de forma eficiente.

Lembre-se de manter regularmente seu runner e mantê-lo atualizado com os patches de segurança e versões de software mais recentes.

May 14, 2025

Aplicativo Nativo

Aplicativo nativo do Macfleet

Guia de Instalação do Macfleet

Macfleet é uma solução poderosa de gerenciamento de frota projetada especificamente para ambientes Mac Mini hospedados na nuvem. Como provedor de hospedagem na nuvem Mac Mini, você pode usar o Macfleet para monitorar, gerenciar e otimizar toda sua frota de instâncias Mac virtualizadas.

Este guia de instalação o conduzirá através da configuração do monitoramento do Macfleet em sistemas macOS, Windows e Linux para garantir supervisão abrangente de sua infraestrutura na nuvem.

🍎 macOS

Baixe o arquivo .dmg para Mac aqui
Clique duas vezes no arquivo .dmg baixado
Arraste o aplicativo Macfleet para a pasta Aplicativos
Ejete o arquivo .dmg
Abra Preferências do Sistema > Segurança e Privacidade
- Aba Privacidade > Acessibilidade
- Marque Macfleet para permitir monitoramento
Inicie o Macfleet a partir de Aplicativos
O rastreamento inicia automaticamente

🪟 Windows

Baixe o arquivo .exe para Windows aqui
Clique com o botão direito no arquivo .exe > "Executar como administrador"
Siga o assistente de instalação
Aceite os termos e condições
Permita no Windows Defender se solicitado
Conceda permissões de monitoramento de aplicativo
Inicie o Macfleet a partir do Menu Iniciar
O aplicativo começa o rastreamento automaticamente

🐧 Linux

Baixe o pacote .deb (Ubuntu/Debian) ou .rpm (CentOS/RHEL) aqui
Instale usando seu gerenciador de pacotes
- Ubuntu/Debian: sudo dpkg -i Macfleet-linux.deb
- CentOS/RHEL: sudo rpm -ivh Macfleet-linux.rpm
Permita permissões de acesso X11 se solicitado
Adicione o usuário aos grupos apropriados se necessário
Inicie o Macfleet a partir do menu Aplicativos
O aplicativo começa o rastreamento automaticamente

Nota: Após a instalação em todos os sistemas, faça login com suas credenciais do Macfleet para sincronizar dados com seu painel de controle.