Does anyone have experience with getting NoMAD setup with Login? I'm able to get authentication to work for the login window, but each time a new user is created, they're prompted with NoMAD asking for a domain and a realm, which they're not gonna know. I'm hoping to ditch binding entirely but still have the ability for users to use AD creds. Here are the scripts I've built out thus far (this assumes you've installed the base packages and the launch agent):
#!/bin/bash
AD_domain="domain.name.name1"
Realm="DOMAIN.NAME.NAME1"
# Write default AD domain
defaults write com.trusourcelabs.NoMAD ADDomain "$AD_domain"
defaults write com.trusourcelabs.NoMAD KerberosRealm "$Realm"
defaults write com.trusourcelabs.NoMAD UseKeychain -bool "true"
defaults write com.trusourcelabs.NoMAD LocalPasswordSync -bool "true"
defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch -bool "true"
defaults write com.trusourcelabs.NoMAD UPCAlert -bool "true"
exit 0
#!/bin/bash
AD_domain="domain.name.name1"
BackgroundImage="/wallpaper.jpg"
LoginLogo="/logo.png"
EULA="Loads of EULA text......"
EULA_Title="Usage Agreement"
Placeholder="username@domain.name"
# Write default AD domain
defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain "$AD_domain"
defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage "$BackgroundImage"
defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo "$LoginLogo"
defaults write /Library/Preferences/menu.nomad.login.ad.plist EULAText "$EULA"
defaults write /Library/Preferences/menu.nomad.login.ad.plist EULATitle "$EULA_Title"
defaults write /Library/Preferences/menu.nomad.login.ad.plist CreateAdminIfGroupMember -array 'IT Group' 'Domain Admins'
defaults write /Library/Preferences/menu.nomad.login.ad.plist UsernameFieldPlaceholder "$Placeholder"
# Backup existing security authdb settings
security authorizationdb read system.login.console > /private/tmp/evaluate-mechanisms/console.bak
# Write NoMADLoginAD security authdb mechanisms
security authorizationdb write system.login.console < /private/tmp/evaluate-mechanisms/console-ad
# Find loginwindow processes and kill if any exist
if pgrep loginwindow; then
killall -HUP loginwindow
fi
exit 0
I'm trying to figure this out before I create configuration profile (I'm also not entirely sure the best way to go about doing that from this once I'm ready).
I would definitely move to the configuration profile. If you need help creating one check out ProfileCreator. It's a great tool to create profiles and it has a NoMAD/NoMAD Login settings helper built in.
You can make one by hand by creating a plist file like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ADDomain</key>
<string>my.domain</string>
<key>BackgroundImage</key>
<string>/path/to/some/image.png</string>
<key>UsernameFieldPlaceholder</key>
<string>Something witty</string>
<key>CreateAdminIfGroupMember</key>
<array>
<string>group1</string>
<string>group2</string>
<string>group3</string>
</array>
<key>LoginLogo</key>
<string>/path/to/some/logo.png</string>
<key>LoginScreen</key>
<true/>
</dict>
</plist>
I created a new config profile in the jamf server and uploaded the plist in the "Custom Settings" payload. The Preference domain is menu.nomad.login.ad
That tool looks pretty cool. Am I missing something, or does it not have any sort of executable/app in there? I went to use it, and there's simply nothing to use.
It's in the releases tab at the top of the page.
Here you go! Linky!
@cmudgeUWF What did you download? I went to the Releases tab and downloaded the latest beta version. The DMG I pulled down has the app in it.
Outside of using something like this, which is cool, you could also look at tools like mcxToProfile.py from Tim Sutton. It hasn't been updated in a while, but that's likely because it hasn't needed one. It's a python script/tool that lets you take a configured plist file on your Mac and turn it into a deployable Configuration Profile. Since you've already got a lot of the commands to write the NoMAD menu values into a plist file, you could just create the plist and make it into a profile with that.
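As an added example (not from this thread, mcxToProfile.py or the NoMAD project): a small Python script that wraps a dict of menu.nomad.login.ad keys in a computer-level Custom Settings profile, using the com.apple.ManagedClient.preferences layout that mcxToProfile.py and the Jamf Custom Settings payload produce, and rejects any key that differs from the expected spelling only by letter case, since defaults keys are case-sensitive. The function names, identifiers and sample values are my own assumptions.

```python
import plistlib
import uuid

# Key spellings used in this thread; defaults keys are case-sensitive, so a
# misspelling such as "KeyChainAddNoMAD" is silently ignored by NoMAD Login.
KNOWN_KEYS = {
    "ADDomain", "BackgroundImage", "BackgroundImageAlpha", "LoginLogo",
    "EULAText", "EULATitle", "CreateAdminIfGroupMember", "LoginScreen",
    "UsernameFieldPlaceholder", "KeychainAddNoMAD", "KeychainCreate",
}
def check_keys(settings):
    """Return keys that match a known key only when letter case is ignored."""
    lower = {k.lower() for k in KNOWN_KEYS}
    return sorted(k for k in settings if k not in KNOWN_KEYS and k.lower() in lower)
def build_mobileconfig(domain, settings, identifier, display_name):
    """Return XML plist bytes for a computer-level Custom Settings profile
    (the com.apple.ManagedClient.preferences layout mcxToProfile.py emits)."""
    bad = check_keys(settings)
    if bad:
        raise ValueError("misspelled keys: " + ", ".join(bad))
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": identifier + ".mcx",
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        # "Forced" means managed: a later defaults write cannot override it
        "PayloadContent": {domain: {"Forced": [{"mcx_preference_settings": settings}]}},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # computer level, as recommended in the thread
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": identifier,
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)
def forced_settings(data, domain):
    """Read the managed settings for domain back out of .mobileconfig bytes."""
    mcx = plistlib.loads(data)["PayloadContent"][0]["PayloadContent"][domain]
    return mcx["Forced"][0]["mcx_preference_settings"]

# Constructed sample values (not a real environment); written to a file when run directly.
SAMPLE = {"ADDomain": "ad.example.test", "KeychainAddNoMAD": True, "KeychainCreate": True,
          "CreateAdminIfGroupMember": ["Tech Support", "Domain Admins"]}
if __name__ == "__main__":
    open("nomad-login.mobileconfig", "wb").write(build_mobileconfig("menu.nomad.login.ad", SAMPLE, "example.nomad.login", "NoMAD Login AD"))
```

Upload the resulting .mobileconfig as a computer-level profile; `forced_settings` lets you confirm what the profile will actually manage before deploying it.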
Guess I'm not well-versed enough on GitHub (or I'm just used to scripts). I see the releases now. Thanks guys. Let me take a look at this real quick to see what I can do.
Alright, so I built the mobileconfig file and uploaded it to JAMF, but upon attempting to apply it, my test machine failed. I'm not sure why....
Ok, so I exported my plist on a machine that has a decent operational setup, and added it to a config profile to apply at the user level for NoMAD. However, when NoMAD launches for a new user, it has no configurations at all. I'm stumped.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ADDomain</key>
<string>domain.domain.domain</string>
<key>FirstRunDone</key>
<true/>
<key>KerberosRealm</key>
<string>DOMAIN.DOMAIN.DOMAIN</string>
<key>LastPasswordWarning</key>
<real>1296000</real>
<key>LocalPasswordSync</key>
<true/>
<key>SignInWindowOnLaunch</key>
<true/>
<key>SignedIn</key>
<false/>
<key>UPCAlert</key>
<true/>
<key>UseKeychain</key>
<true/>
</dict>
</plist>
com.trusourcelabs.NoMAD.plist
@cmudgeUWF User level profiles are not recommended in most cases. Try computer level instead. Your profile there looks fine at first glance though I'm not sure why there's an extra line at the bottom with domain.
Spamming my own blog here, but I have a few posts I think you'll find useful.
Using NoMAD Login With Jamf DEP Workflows
Integrating NoMAD and NoLo to Auto Sign In
Let me know if something isn't covered there.
Yeah I'm still not following why it's not working. I added the following to my login window script:
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool "$keychain_add"
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool "$keychain_add"
/usr/local/bin/authchanger -reset -AD
I logged in as a new user, and I'm still getting prompted. There's nothing passed off to NoMAD once logged in. Even after the update://nomad command, I still got nothing.
@cmudgeUWF Are you including the $keychain_add variable in your script? Otherwise you'll want to run the defaults commands as...
#!/bin/bash
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool TRUE
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool TRUE
Or you can do...
#!/bin/bash
keychain_add="TRUE"
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool "$keychain_add"
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool "$keychain_add"
You can also check that preference domain to see if keys are getting set correctly.
defaults read /Library/Preferences/menu.nomad.login.ad.plist
I'm redoing my test environment real quick, but this is what the script looks like now in total:
#!/bin/bash
AD_domain="domain.domain1.domain2"
BackgroundImage="/BlueLogo.jpg"
LoginLogo="/logo.png"
EULA="Lots of EULA language"
EULA_Title="Computing Resources Usage Agreement"
Placeholder="username@domain.domain1"
# Write default AD domain and login window customisation
defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain "$AD_domain"
defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage "$BackgroundImage"
defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo "$LoginLogo"
defaults write /Library/Preferences/menu.nomad.login.ad.plist EULAText "$EULA"
defaults write /Library/Preferences/menu.nomad.login.ad.plist EULATitle "$EULA_Title"
defaults write /Library/Preferences/menu.nomad.login.ad.plist CreateAdminIfGroupMember -array 'Tech Support' 'Domain Admins'
defaults write /Library/Preferences/menu.nomad.login.ad.plist UsernameFieldPlaceholder "$Placeholder"
# Keychain hand-off to NoMAD (key names are case-sensitive)
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool "true"
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool "true"
defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImageAlpha "40"
# Backup existing security authdb settings
#security authorizationdb read system.login.console > /private/tmp/evaluate-mechanisms/console.bak
# Write NoMADLoginAD security authdb mechanisms
#security authorizationdb write system.login.console < /private/tmp/evaluate-mechanisms/console-ad
#Use authchanger
/usr/local/bin/authchanger -reset -AD
# Find loginwindow processes and kill if any exist
if pgrep loginwindow; then
killall -HUP loginwindow
fi
exit 0
#!/bin/bash
AD_domain="domain.domain1.domain2"
Realm="DOMAIN.DOMAIN1.DOMAIN2"
# Write default AD domain
defaults write com.trusourcelabs.NoMAD ADDomain -string "$AD_domain"
defaults write com.trusourcelabs.NoMAD KerberosRealm -string "$Realm"
defaults write com.trusourcelabs.NoMAD UseKeychain -bool "true"
defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch -bool "true"
defaults write com.trusourcelabs.NoMAD UPCAlert -bool "true"
defaults write com.trusourcelabs.NoMAD UseKeychainPrompt -bool "true"
exit 0
When I looked at the com.trusourcelabs.NoMAD.plist file in Terminal, it only had 'Realm = "" ' in it. I'll do a fresh test for you to get a little better results.
Anyone have information or know where to get it for customizing the nomad login window? I am trying to get the area around the fields to have a background or a different color. I am able to change the full background behind the login window and add a logo, but cannot edit the window itself.
@achristoforatos
Good stuff here:
GitLab information on NoMAD: https://gitlab.com/orchardandgrove-oss/NoMADLogin-AD/wikis/home
NoMAD build and concepts can be found here from Jamf User Conference: https://www.youtube.com/watch?v=dImloxKIb0o
NoMAD Home: https://nomad.menu/
The information at the links should sum it up for you.