Skip to main content
Question

Demobilize Centrify Accounts with NoMAD

  • December 16, 2021
  • 6 replies
  • 50 views
rabbitt
Forum|alt.badge.img+17

Purpose: Centrify makes a special account which is not AD bound yet uses their own proprietary authentication mechanism.  Before uninstalling Centrify, use this instruction set to demobilze the account to a standard local account.

  1. Download a copy of NoMAD Login (NoLOAD) from: https://files.nomad.menu/NoMAD-Login-AD.pkg
  2. Install the .pkg file
  3. In terminal, run the following command
    sudo authchanger -reset -preAuth NoMADLoginAD:DeMobilize,privileged
  4. In terminal, run the following command
    sudo defaults write /Library/Preferences/menu.nomad.login.ad.plist DemobilizeUsers -bool TRUE
  5. Log out
  6. Log in.  You’ll see a normal macOS login screen, but the DeMobilize mech is still enabled to work.  The user account is then converted from a Centrify user to a local user.
  7. Confirm by running sudo dscl . read /Users/[testedusername] AuthenticationAuthority
  8. The results should look something like:
    AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2...
  9. and have no reference to LocalCachedUser or Centrify …
    AuthenticationAuthority: ;LocalCachedUser;/CentrifyDC/Default:testedusername
  10. Disable NoLOAD in terminal with the following command:
    sudo authchanger -reset
  11. If desired, uninstall NoLOAD by deleting /Library/Security/SecurityAgentPlugs/NoMADLoginAD.bundle and /usr/local/bin/authchanger and /Library/Preferences/menu.nomad.login.ad.plist

EA to test machines for additional mobile accounts stolen gratuitously from https://www.jamf.com/jamf-nation/discussions/10179/determine-if-an-account-is-a-mobile-or-local-account

#!/bin/sh
NETACCLIST=`dscl . list /Users OriginalNodeName | awk '{print $1}' 2>/dev/null`
 
if [ "$NETACCLIST" == "" ]; then
        echo "<result>No Network Accounts</result>"
else
        echo "<result>$NETACCLIST</result>"
fi
exit 0

      6 replies

      KyleEricson
      Forum|alt.badge.img+17
      • KyleEricson
      • Valued Contributor
      • December 17, 2021

      Thanks @rabbitt You are a gentleman and a scholar!

      Read My Blog: https://www.ericsontech.com
      dvasquez
      Forum|alt.badge.img+16
      • dvasquez
      • Valued Contributor
      • May 11, 2022

      Rabbitt, hello. 

      You helped me when I was at Rush University when we trialed Jamf Connect. Anyway, I wanted to ask you, on Catalina when running this process I am seeing mixed results. Some go perfectly fine in moving the account to Local Admin and others will not budge. No way no how they are always listed as admin mobile. I have had success on Catalina machines and Big Sur  Machines as we are using this process in production as part of our moving from Centrify.

      Furthermore, the EA says there are no network accounts, the secure token commands do not list that the account is tied to Centrify. and after Installing nomad login then removing it and installing Jamf Connect them logging in and removing Centrify all is good, login, auth, menu bar, etc, etc...  Also after upgrading to Big Sur the account is still listed as Admin Mobile. Have you seen this, and are there any other concerns, known bug? We are now in the process of going to production on Jamf connect and wanted to ask you for your advice.  Also as part of this plan, we are upgrading Catalina machines to Big Sur and then to Monterey. 

      rabbitt
      Forum|alt.badge.img+17
      • rabbitt
      • Author
      • Valued Contributor
      • May 11, 2022

      Rabbitt, hello. 

      You helped me when I was at Rush University when we trialed Jamf Connect. Anyway, I wanted to ask you, on Catalina when running this process I am seeing mixed results. Some go perfectly fine in moving the account to Local Admin and others will not budge. No way no how they are always listed as admin mobile. I have had success on Catalina machines and Big Sur  Machines as we are using this process in production as part of our moving from Centrify.

      Furthermore, the EA says there are no network accounts, the secure token commands do not list that the account is tied to Centrify. and after Installing nomad login then removing it and installing Jamf Connect them logging in and removing Centrify all is good, login, auth, menu bar, etc, etc...  Also after upgrading to Big Sur the account is still listed as Admin Mobile. Have you seen this, and are there any other concerns, known bug? We are now in the process of going to production on Jamf connect and wanted to ask you for your advice.  Also as part of this plan, we are upgrading Catalina machines to Big Sur and then to Monterey. 


      What is showing the account as being a mobile account?  If the Jamf Connect menu bar agent is working and the user can change their local password in System Preferences -> Users and Groups, then they are a local account.

      dvasquez
      Forum|alt.badge.img+16
      • dvasquez
      • Valued Contributor
      • May 11, 2022

      The account in the system preferences is showing mobile admin. But yes all the other indicators show the account is local. I am just looking for feedback on if you have seen this before and if it has the account listed as such (mobile admin will be an issue down the line.  Also thanks for getting back to me. 

       

      rabbitt
      Forum|alt.badge.img+17
      • rabbitt
      • Author
      • Valued Contributor
      • May 11, 2022

      The account in the system preferences is showing mobile admin. But yes all the other indicators show the account is local. I am just looking for feedback on if you have seen this before and if it has the account listed as such (mobile admin will be an issue down the line.  Also thanks for getting back to me. 

       


      Honestly, I’ve not seen this before. There may be changes that have been made by Centrify – I don’t have a customer account myself, so it would definitely be worthwhile to reach out to Centrify support to see if they have any suggestions or documentation on how to convert to a local account short of reproducing a new account in System Preferences.
      dvasquez
      Forum|alt.badge.img+16
      • dvasquez
      • Valued Contributor
      • May 11, 2022

      Maybe. We are using an older version and do not have updated licenses and do not really support it anymore, hence we are moving to Jamf Connect. cannot wait to be done with the tool TBH, but wanted to see if you had seen this interesting situation. Regardless thanks. 

      Terms & ConditionsCookie settingsAccessibility statement