NoMad Login Setup for beginner

J_Martinez
New Contributor III

Hello Jamfnation!

I just got back to work from JNUC 2018 and I'm very excited to put into use all the new things I learned.

I manage a small fleet of 25 MacBooks, this is expected to double next year. We're using DEP to enroll our machines but would like to stop binding to AD and start using NoMad for AD authentication and local account management. Now there are a few tutorials and different ways to do this.

Would anyone recommend a specific "simple" way of doing this, or point me in the right direction to get started.

Thanks in advance!

1 ACCEPTED SOLUTION

PaulHazelden
Valued Contributor

I deploy NoMAD and NoMAD Login to my Macs in the following way...

Take the 2 installer packages and put them in a folder, which I then compress into a .tar.gz archive. I then put this into Composer. Remember with .tar.gz to cd to the folder where you have the files first, then make the archive.

Then I give it a post-install shell script...

#!/bin/sh
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Folder name (and archive base name) holding the installers
csgfile="NoMAD"
installDir="/private/var/csg/Install"

# Uncompressing the Installers
# Move to the location where Composer dropped the archive; stop if it is missing
cd "$installDir" || exit 1
# Uncompress the archive
tar -zxvf "$csgfile".tar.gz || exit 1

# ---------------------------------------------------//------------------------------------------------------------

# Install every pkg found in the temp location (a glob, so the output of ls is not parsed)

for PKG in "$installDir/$csgfile"/*.pkg
do
    [ -f "$PKG" ] || continue
    /usr/sbin/installer -pkg "$PKG" -tgt / -allowUntrusted
    # Then it will remove the installer
    rm -Rf "$PKG"
done

# ---------------------------------------------------//------------------------------------------------------------
# I remove any old existing prefs, it makes changes easier
prefs="/Library/Preferences/menu.nomad.login.ad.plist"
rm -Rf "$prefs"
mkdir -p /var/db/NoMADLogin/
AD_domain="YOUR AD SERVER NAME"
BackgroundImage="PATH TO YOUR CHOSEN BACKGROUND IMAGE"
LoginLogo="PATH TO YOUR CHOSEN LOGO IMAGE"
# The EULA settings are optional; uncomment all three to show an agreement at the login window
# EULA="Lots of EULA language"
# EULA_Title=" Computing Resources Usage Agreement"
# EULA_Path="/var/db/NoMADLogin/"
# Admin_Groups="<Tech Support, Domain Admins>"  (written below with -array)
Placeholder="username@YOUR AD SERVER"

# Write default AD domain and the login window appearance
defaults write "$prefs" ADDomain "$AD_domain"
defaults write "$prefs" BackgroundImage "$BackgroundImage"
defaults write "$prefs" LoginLogo "$LoginLogo"
# Only write the EULA keys when an EULA was set above, otherwise empty strings would be written
if [ -n "$EULA" ]; then
    defaults write "$prefs" EULAText "$EULA"
    defaults write "$prefs" EULATitle "$EULA_Title"
    defaults write "$prefs" EULAPath "$EULA_Path"
fi
# Members of these AD groups get a local admin account when they log in
defaults write "$prefs" CreateAdminIfGroupMember -array 'Tech Support' 'Domain Admins'
defaults write "$prefs" UsernameFieldPlaceholder "$Placeholder"
defaults write "$prefs" KeyChainAddNoMAD -bool "true"
defaults write "$prefs" KeychainCreate -bool "true"
defaults write "$prefs" BackgroundImageAlpha "40"

# Backup existing security authdb settings (create the folder first, it is not there by default)
mkdir -p /private/tmp/evaluate-mechanisms
security authorizationdb read system.login.console > /private/tmp/evaluate-mechanisms/console.bak

# Write NoMADLoginAD security authdb mechanisms, if a prepared console-ad plist was put there
if [ -f /private/tmp/evaluate-mechanisms/console-ad ]; then
    security authorizationdb write system.login.console < /private/tmp/evaluate-mechanisms/console-ad
fi

# Use authchanger (installed by the NoMAD Login pkg) to set the login mechanisms
/usr/local/bin/authchanger -reset -AD

# Remove the folder and the archive
rm -Rf "$installDir/$csgfile"
rm -Rf "$installDir/$csgfile".tar.gz

# Find loginwindow processes and HUP them so the new login window is loaded
if pgrep -q loginwindow; then
    killall -HUP loginwindow
fi

exit 0      ## Success

When this completes it will kill the loginwindow and return the Mac to the login screen.
You can add the images you want in Composer, just put them somewhere they can be accessed. Mine are pushed out by another script, but that is only because I was pushing out desktop pictures this way and it was easy to add to them.

I also have a login script that runs as the user and it has...

#!/bin/sh
# Runs as the logged-in user, so these keys land in that user's com.trusourcelabs.NoMAD preferences
AD_domain="your ad server"
# Kerberos realm; by convention this is the AD domain in upper case
Realm="YOUR AD SERVER"

# Write default AD domain and realm, use the keychain and show the sign-in window at launch
defaults write com.trusourcelabs.NoMAD ADDomain -string "$AD_domain"
defaults write com.trusourcelabs.NoMAD KerberosRealm -string "$Realm"
defaults write com.trusourcelabs.NoMAD UseKeychain -bool "true"
defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch -bool "true"
defaults write com.trusourcelabs.NoMAD UPCAlert -bool "true"
defaults write com.trusourcelabs.NoMAD UseKeychainPrompt -bool "true"

This populates the NoMAD app for the user to be able to sign in. I am thinking of adding this script into the first one, but making it set up the User Templates. This way every new account that logs in will get the plist by default, and not have it set on every login.

The only other thing we do is dependent on your network setup. In DHCP the AD server is in there as the Domain Name Server and Domain Name. It doesn't work without this. This gets pushed out by the DHCP server, along with our other DNS servers.

Both of these plists need to be in place.

This works for me, hope it helps you.
Paul
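
An added audit script (not from Paul's post or the NoMAD project) for checking the two things the post-install script changes: that system.login.console now carries NoMAD Login mechanisms while the stock authenticate step is still there, and which AD groups CreateAdminIfGroupMember promotes to local admin. The plist samples are constructed and the mechanism names in them are assumed; the parser relies on the one-element-per-line layout that security and plutil print.

```shell
#!/bin/sh
# Added audit for the deployment above (not from the post or the NoMAD project).
# Parses plist XML as `security authorizationdb read` and `plutil -convert xml1`
# print it (one element per line), so the checks also run on constructed text.
# Print the <string> values of the <array> following <key>$2</key> in $1.
plist_array_strings() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $0 ~ "<key>" key "</key>" { want = 1 }
    want && /<array>/ { inarr = 1; next }
    want && inarr && /<\/array>/ { exit }
    want && inarr && match($0, /<string>[^<]*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17)
    }'
}
# Number of NoMADLoginAD mechanisms in a system.login.console right.
nomad_mechanism_count() {
  plist_array_strings "$1" mechanisms | grep -c '^NoMADLoginAD:' || true
}
# 0 when NoMAD Login is wired in AND the stock authenticate step survived
# (a mechanisms list without it would lock every user out), else 1.
check_login_console() {
  [ "$(nomad_mechanism_count "$1")" -gt 0 ] || return 1
  plist_array_strings "$1" mechanisms | grep -qx 'builtin:authenticate,privileged'
}
# AD groups that menu.nomad.login.ad.plist promotes to local admin.
admin_groups() { plist_array_strings "$1" CreateAdminIfGroupMember; }

# Constructed samples; the mechanism names are assumed, not read from a real Mac.
SAMPLE_AUTHDB='<plist version="1.0"><dict>
<key>class</key><string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
<string>NoMADLoginAD:CheckAD</string>
<string>NoMADLoginAD:CreateUser,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>loginwindow:done</string>
</array></dict></plist>'
SAMPLE_PREFS='<plist version="1.0"><dict><key>CreateAdminIfGroupMember</key>
<array>
<string>Tech Support</string>
<string>Domain Admins</string>
</array></dict></plist>'

# Live audit of this Mac; skipped where the macOS tools are absent.
if command -v security >/dev/null 2>&1; then
  check_login_console "$(security authorizationdb read system.login.console 2>/dev/null)" \
    && echo "NoMAD Login mechanisms present" || echo "NoMAD Login mechanisms MISSING"
  admin_groups "$(plutil -convert xml1 -o - /Library/Preferences/menu.nomad.login.ad.plist)"
fi
```

Run it after the policy completes; the console.bak the post-install script saves is what you would feed back to security authorizationdb write if the check reports the mechanisms missing.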


14 REPLIES

Just_Jack
Contributor

Is this article what you're looking for?
Using NoMAD Login With Jamf DEP Workflows

chris_miller
Contributor

Nathaniel gave a great talk on this at JNUC. That article got me up and running pretty quickly.

dmitchell
Contributor

I am reading this article but I am still so confused. I am not sure how to package it back up to deploy and do not really understand how to put my own image in here and add additional config like EULA and FileVault, for example.

J_Martinez
New Contributor III

Yeah same here. I tried a few things to get the post install configuration in the package, but so far no luck.

sshort
Valued Contributor

Our org is looking at Nomad Login as well. I think a lot of the kickoff "when should this get configured" stuff will be made a lot simpler when Jamf Pro 10.9 is released. That will have the AwaitConfiguration support so all the Nomad Login stuff gets handled during Setup Assistant before the user ever sees the login screen. I think Jamf is calling it "Package Deployment via PreStage".

achristoforatos
Contributor II

Anyone able to get nomad working with pre stage enrollment yet?

artrathke
New Contributor II

I know it supports Azure, but I can't figure out how to piece it all together. I have found this article, but there are too many things in it that I don't understand. https://www.jamf.com/jamf-nation/articles/610/deploying-jamf-connect

I downloaded the files that are linked, but I'm not sure about how to get the plist files. I don't know how to get Jamf Connect to connect to our company's Azure AD.

It would be very helpful to have some kind of tutorial or walk-through to show how to login and sync to Azure AD.

riverajo
New Contributor II

Jamf provided the following admin guide: https://www.jamf.com/jamf-nation/articles/610/deploying-jamf-connect
which indicates that you need to speak with your account rep to get the plist files and product license keys. So once you have those, you can move forward with the process.

I am more interested in just using Nomad for deploying and Login+. Currently JAMF announced it would charge $24 per workstation that will use the Nomad Login app. That price is a bit out of scope for my organization at the moment, at least for just logging in.

nikjamf
New Contributor III

Does that work if you do not have DEP, and the user account is created with administrative rights and permissions?

itthings
New Contributor II

@PaulHazelden When putting the newly created tar.gz with the installer packages into Composer, are you then building it into a pkg file to then upload to Jamf?

Apologies if it is obvious, this is all new to me so I am trying to get this set up initially for testing.

Thanks
Parm

PaulHazelden
Valued Contributor

@itthings Yes, the tar.gz goes into Composer, and then the postinstall script gets added in Composer. Click on the arrow to expand it and you will get 3 folders showing; click the arrow on Scripts and nothing is there; right click on Scripts and it will give 2 options, go for Add Shell Script and then Postinstall. You will get a post-install script added to the Scripts folder. Put your script in the middle of the provided Postinstall script.
A quick note here: I like to tab my scripts out to make loops etc. easier to read; don't do that in these post-install scripts, they will fail if you do.
Remember to click off of the Scripts folder and save the script (you can also cmd-S to save). Then build a package from Composer.
Upload the package to your server and make a policy for it.
What then happens is Jamf will install the tar.gz in its location, then the post-install script will launch and run its actions. Finally the package will report success back to the Jamf server.

wrinks
New Contributor II

How do you add the tar.gz file to composer? I'm unable to drag and drop it into Jamf Composer.

PaulHazelden
Valued Contributor

Drag it to the left hand column in Composer. It will make a new entry in the top of the column. Then click on it and check the path to the file is correct.