Demobilize Centrify Accounts with NoMAD

rabbitt
Contributor

Purpose: Centrify makes a special account which is not AD bound yet uses their own proprietary authentication mechanism.  Before uninstalling Centrify, use this instruction set to demobilize the account to a standard local account.

  1. Download a copy of NoMAD Login (NoLOAD) from: https://files.nomad.menu/NoMAD-Login-AD.pkg
  2. Install the .pkg file
  3. In terminal, run the following command
    sudo authchanger -reset -preAuth NoMADLoginAD:DeMobilize,privileged
  4. In terminal, run the following command
    sudo defaults write /Library/Preferences/menu.nomad.login.ad.plist DemobilizeUsers -bool TRUE
  5. Log out
  6. Log in.  You’ll see a normal macOS login screen, but the DeMobilize mech is still enabled to work.  The user account is then converted from a Centrify user to a local user.
  7. Confirm by running sudo dscl . read /Users/[testedusername] AuthenticationAuthority
  8. The results should look something like:
    AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2...
  9. and have no reference to LocalCachedUser or Centrify …
    AuthenticationAuthority: ;LocalCachedUser;/CentrifyDC/Default:testedusername
  10. Disable NoLOAD in terminal with the following command:
    sudo authchanger -reset
  11. If desired, uninstall NoLOAD by deleting /Library/Security/SecurityAgentPlugs/NoMADLoginAD.bundle and /usr/local/bin/authchanger and /Library/Preferences/menu.nomad.login.ad.plist

EA to test machines for additional mobile accounts stolen gratuitously from https://www.jamf.com/jamf-nation/discussions/10179/determine-if-an-account-is-a-mobile-or-local-acco...

#!/bin/sh
# List local user records that carry an OriginalNodeName attribute, i.e.
# accounts created from a directory node (mobile accounts). dscl's own
# errors are discarded before the pipe so awk never sees them.
NETACCLIST=`dscl . list /Users OriginalNodeName 2>/dev/null | awk '{print $1}'`

# POSIX test uses a single "=" for string comparison ("==" is a bash-ism).
if [ "$NETACCLIST" = "" ]; then
        echo "<result>No Network Accounts</result>"
else
        echo "<result>$NETACCLIST</result>"
fi
exit 0
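The following is an added example, not part of rabbitt's post or of NoMAD: it turns the manual check in steps 7-9 (read AuthenticationAuthority, look for ShadowHash and for any LocalCachedUser/CentrifyDC marker) into a script that classifies every local user in one pass, so you can confirm the demobilize actually took on a machine before removing Centrify. The SAMPLE_* strings are constructed to mirror the output shown in the post; on a Mac the functions read real dscl output, and the UID >= 500 filter for "real" users is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify AuthenticationAuthority
# values the way steps 7-9 describe and report users still marked as
# Centrify mobile accounts.

# Constructed samples: a converted local account and a still-mobile one.
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_MOBILE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;LocalCachedUser;/CentrifyDC/Default:testedusername'

# Print "local", "centrify-mobile" or "unknown" for one AuthenticationAuthority
# value. Mobile accounts usually carry ShadowHash too, so the cached-user
# markers are tested first.
classify_auth_authority() {
    case "$1" in
        *LocalCachedUser*|*CentrifyDC*) echo "centrify-mobile" ;;
        *ShadowHash*)                   echo "local" ;;
        *)                              echo "unknown" ;;
    esac
}

# Read the attribute for a real user via dscl; prints nothing when dscl is
# missing (non-macOS) or the user has no record.
auth_authority_for_user() {
    command -v dscl >/dev/null 2>&1 || return 0
    dscl . read "/Users/$1" AuthenticationAuthority 2>/dev/null
}

# Walk every local user record with UID >= 500 (assumed cut-off for
# non-system accounts) and print those still classified as Centrify mobile.
# Returns 1 if any remain, 0 if the machine is clean.
list_remaining_mobile_users() {
    remaining=0
    for user in $(dscl . list /Users UniqueID 2>/dev/null | awk '$2 >= 500 {print $1}'); do
        if [ "$(classify_auth_authority "$(auth_authority_for_user "$user")")" = "centrify-mobile" ]; then
            echo "$user"
            remaining=1
        fi
    done
    return "$remaining"
}

# Only run the machine-wide check where dscl exists (macOS).
if command -v dscl >/dev/null 2>&1; then
    if list_remaining_mobile_users; then
        echo "No Centrify mobile accounts remain"
    fi
fi
```

Run it with sudo, as in step 7, since reading another user's AuthenticationAuthority needs root; the non-zero exit status when mobile accounts remain makes it usable as a Jamf policy gate before the Centrify uninstall.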

KyleEricson
Valued Contributor II

Thanks @rabbitt You are a gentleman and a scholar!

Read My Blog: https://www.ericsontech.com

dvasquez
Valued Contributor

Rabbitt, hello. 

You helped me when I was at Rush University when we trialed Jamf Connect. Anyway, I wanted to ask you: on Catalina, when running this process I am seeing mixed results. Some go perfectly fine in moving the account to Local Admin and others will not budge. No way, no how; they are always listed as admin mobile. I have had success on Catalina machines and Big Sur machines, as we are using this process in production as part of our move from Centrify.

Furthermore, the EA says there are no network accounts, and the secure token commands do not list that the account is tied to Centrify. After installing NoMAD Login, then removing it and installing Jamf Connect, then logging in and removing Centrify, all is good: login, auth, menu bar, etc., etc... Also, after upgrading to Big Sur the account is still listed as Admin Mobile. Have you seen this, and are there any other concerns or known bugs? We are now in the process of going to production on Jamf Connect and wanted to ask you for your advice. Also, as part of this plan, we are upgrading Catalina machines to Big Sur and then to Monterey.

What is showing the account as being a mobile account?  If the Jamf Connect menu bar agent is working and the user can change their local password in System Preferences -> Users and Groups, then they are a local account.

dvasquez
Valued Contributor

The account in System Preferences is showing mobile admin. But yes, all the other indicators show the account is local. I am just looking for feedback on whether you have seen this before and if it has the account listed as such (mobile admin will be an issue down the line). Also, thanks for getting back to me.


Honestly, I’ve not seen this before. There may be changes that have been made by Centrify – I don’t have a customer account myself, so it would definitely be worthwhile to reach out to Centrify support to see if they have any suggestions or documentation on how to convert to a local account short of reproducing a new account in System Preferences.

dvasquez
Valued Contributor

Maybe. We are using an older version and do not have updated licenses and do not really support it anymore, hence we are moving to Jamf Connect. Cannot wait to be done with the tool, TBH, but wanted to see if you had seen this interesting situation. Regardless, thanks.