NoMAD configuration

jmandler
New Contributor III

Hello,

I'm trying to configure NoMAD through Jamf for all of the machines I run, but I'm running into a snag since the config has to be in the local users' home directory and I'm hoping someone here can provide some insight.

I found a login script from a user (Thanks @PaulHazelden) last year which is listed here:

AD_domain="your ad server"
Realm="YOUR AD SERVER"

# Write default AD domain
defaults write com.trusourcelabs.NoMAD ADDomain -string "$AD_domain"
defaults write com.trusourcelabs.NoMAD KerberosRealm -string "$Realm"
defaults write com.trusourcelabs.NoMAD UseKeychain -bool "true"
defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch -bool "true"
defaults write com.trusourcelabs.NoMAD UPCAlert -bool "true"
defaults write com.trusourcelabs.NoMAD UseKeychainPrompt -bool "true"

My problem is that scripting this through Jamf results in the defaults command writing to the root folder rather than the Users'.

I tried prepending each line with "sudo -u $USER" and expanding the plist location to /Users/$USER/Library/Preferences/com.trusourcelabs.NoMAD but they are still writing to the root user folder since the user running the command is root.

My next approach was to write a for loop and have it run against all of the directories in /Users:

for DIR in $(find /Users -maxdepth 1 -type d)
do
    defaults write "$DIR"/Library/Preferences/com.trusourcelabs.NoMAD.plist ADDomain -string "$AD_domain"
done

with all of the same plist entries in the original script.

This is writing to the correct plists for all of the users, but I have to run a chmod o+rwx on the plist after the fact. It is also creating some new folders in /Users for 2 reasons:
1. The find command returns /Users as one of the directories, so the defaults command is writing to /Users/Library...
2. If any user folders have a space (i.e. Deleted Users), that space is carried into the command regardless of the quotes used and creates a folder for the first half (i.e. Deleted).

Hoping that some of you scripting geniuses who haven't been staring at this for two days like I have would have a solution to my problem.

Thanks!
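As an added example that is not part of the original post, here is one way to do the per-user approach from a Jamf policy, which runs as root. It drops /Users itself with -mindepth 1, excludes the Shared, Guest and Deleted Users folders and hidden entries by exact name, reads the paths with a while/read loop so a space in a folder name stays in one argument, and afterwards hands each plist back to the home folder's owner with chown instead of chmod o+rwx (which would let every local account edit another user's NoMAD settings). The key names are the ones from the login script quoted above; the domain and realm values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes per-user NoMAD
# preferences from a Jamf policy that runs as root. AD_DOMAIN and REALM are
# placeholders; the key names are the ones from the login script in the post.

AD_DOMAIN="ad.example.com"   # placeholder
REALM="AD.EXAMPLE.COM"       # placeholder

# Print the home directories directly under $1 (default /Users), one per line.
# -mindepth 1 drops $1 itself (which is what produced /Users/Library); the
# non-account folders and hidden entries are excluded by exact name.
list_user_homes() {
    base="${1:-/Users}"
    find "$base" -mindepth 1 -maxdepth 1 -type d \
        ! -name 'Shared' ! -name 'Guest' ! -name 'Deleted Users' ! -name '.*'
}

# Write the NoMAD keys into one home's preferences file, then give the file
# to that user with owner-only permissions. chmod o+rwx would let any local
# account rewrite another user's settings.
# macOS only: "defaults" and "stat -f" are not available on Linux.
configure_home() {
    home="$1"
    prefs_dir="$home/Library/Preferences"
    plist="$prefs_dir/com.trusourcelabs.NoMAD.plist"
    # A home without Library/Preferences has never been set up; skip it.
    [ -d "$prefs_dir" ] || return 0
    owner=$(stat -f '%u:%g' "$home") || return 1
    defaults write "$plist" ADDomain -string "$AD_DOMAIN" &&
    defaults write "$plist" KerberosRealm -string "$REALM" &&
    defaults write "$plist" UseKeychain -bool true &&
    defaults write "$plist" SignInWindowOnLaunch -bool true &&
    defaults write "$plist" UPCAlert -bool true &&
    defaults write "$plist" UseKeychainPrompt -bool true || return 1
    chown "$owner" "$plist" && chmod 600 "$plist"
}

# Loop with read -r rather than "for DIR in $(find ...)": the shell never
# word-splits the paths, so names like "Jane Doe" stay whole.
deploy_nomad_prefs() {
    list_user_homes "${1:-/Users}" | while IFS= read -r home; do
        configure_home "$home" || echo "failed: $home" >&2
    done
}

# Jamf runs policy scripts as root; only then touch the real /Users.
if [ "$(id -u)" -eq 0 ] && [ -d /Users ]; then
    deploy_nomad_prefs /Users
fi
```

Writing with an explicit .plist path bypasses the preference cache of a user who is currently logged in, so NoMAD sees the new values when it is next launched; users who log in later pick them up immediately.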

1 ACCEPTED SOLUTION

NowAllTheTime
Contributor III

I recommend you create a plist on your machine then upload it as a custom setting in a configuration profile, and then deploy that as a Computer Level configuration profile. This way the settings are persistently enforced across all users of the machine, and you don't have to worry about scripting out any defaults commands. This is how we've been doing it since summer 2018 and it works great.
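As an added example, not part of the accepted answer and not NoMAD's or Jamf's own code, here is a shell function that produces the com.trusourcelabs.NoMAD plist to upload as the Custom Settings payload of a computer-level configuration profile. It uses the keys from the login script in the question; ad.example.com and AD.EXAMPLE.COM are placeholders. On a Mac the file is checked with plutil before it goes anywhere near Jamf.

```shell
#!/bin/sh
# Added example (not from the accepted answer): build the plist that is
# uploaded as a Custom Settings payload. Keys are those from the login
# script in the question; the domain and realm values are placeholders.

# Emit an XML property list for the NoMAD preference domain on stdout.
#   $1  AD domain (DNS name)
#   $2  Kerberos realm; defaults to the domain upper-cased, as in the script
nomad_plist() {
    ad_domain="$1"
    realm="${2:-$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')}"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ADDomain</key>
    <string>${ad_domain}</string>
    <key>KerberosRealm</key>
    <string>${realm}</string>
    <key>UseKeychain</key>
    <true/>
    <key>SignInWindowOnLaunch</key>
    <true/>
    <key>UPCAlert</key>
    <true/>
    <key>UseKeychainPrompt</key>
    <true/>
</dict>
</plist>
EOF
}

# Write the plist to $3 (default: com.trusourcelabs.NoMAD.plist in the
# current directory). On macOS, lint it with plutil so a malformed file is
# caught here rather than after the profile has been pushed to every Mac;
# returns non-zero if plutil rejects it. Without plutil the file is unchecked.
write_nomad_plist() {
    out="${3:-com.trusourcelabs.NoMAD.plist}"
    nomad_plist "$1" "$2" > "$out" || return 1
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$out"
    fi
}

# Usage: write_nomad_plist ad.example.com AD.EXAMPLE.COM
```

The file name must match the preference domain (com.trusourcelabs.NoMAD) so that Jamf fills in the right domain when the plist is uploaded as a Custom Setting.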

10 REPLIES

Samherren
New Contributor II

We are having the same problem, would love to know what you find out!

PaulHazelden
Contributor III

Hi
The first bit I add as a run-once to a user login script. This script runs every time a user logs in, and there are a few bits of it that I run only the first time the script runs. The next time the script runs, that bit is missed out. I set a variable in a hidden file in each user's account and check it. If it is set, it will then miss the section; if not, it will run the section. Later you can always delete the variable file and it will re-run the script section.

Running something for each user account found in /Users:

# Find local accounts on the Mac
localaccounts=$(ls -l /Users | /usr/bin/grep -viE '(shared|admin|Guest|.DS_Store|.localized)' | /usr/bin/awk '{print $9}')

This will set $localaccounts to be populated with a list excluding "shared, admin, Guest, .DS_Store, .localized". Be warned: excluding admin will also exclude administrator.
Then I use

for eachaccount in $localaccounts
do
    # Task to complete
done

To avoid spaces being a pain, use quotes:
"$eachaccount"

Hope this helps the scripting blues

sharriston
Contributor II

Have you looked at ProfileCreator? It has a great GUI for NoMAD options, and once you set them just export as a plist and upload to a config profile.

Samherren
New Contributor II

Thank you so much for all your help! I cannot wait to try these out!

JarvisUno
Contributor II

@sharriston How do you prevent JAMF from ripping out the settings for NoMAD when uploading?

sharriston
Contributor II

So once you have all the payloads created go to the share button and if you click on the down arrow that appears there is an option to export as a plist. Once it exports as a plist just upload it to the Custom Configurations payload of a Jamf config profile.

JarvisUno
Contributor II

@sharriston So currently I have a policy to install NoMAD, and then I have to push out the config. It's sloppy; I wish there was an all-in-one solution.

sharriston
Contributor II

So my NoMAD config profile is installed at enrollment. It’s part of my prestage.

jmandler
New Contributor III

@JarvisUno My solution to the sloppy nature was to create a smart group that detected if NoMAD is installed. I run a policy that installs NoMAD and NoLo and scope that as needed. I have a separate configuration profile scoped to the smart group which configures everything.