NoMAD with NoMAD Login

cmudgeUWF
New Contributor III

Does anyone have experience with getting NoMAD setup with Login? I'm able to get authentication to work for the login window, but each time a new user is created, they're prompted with NoMAD asking for a domain and a realm, which they're not gonna know. I'm hoping to ditch binding entirely but still have the ability for users to use AD creds. Here are the scripts I've built out thus far (this assumes you've installed the base packages and the launch agent):

#!/bin/bash
# Script 1: NoMAD menu bar app preferences (user domain com.trusourcelabs.NoMAD)

AD_domain="domain.name.name1"
Realm="DOMAIN.NAME.NAME1"

# Write default AD domain
defaults write com.trusourcelabs.NoMAD ADDomain "$AD_domain"
defaults write com.trusourcelabs.NoMAD KerberosRealm "$Realm"
defaults write com.trusourcelabs.NoMAD UseKeychain -bool "true"
defaults write com.trusourcelabs.NoMAD LocalPasswordSync -bool "true"
defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch -bool "true"
defaults write com.trusourcelabs.NoMAD UPCAlert -bool "true"

exit 0

#!/bin/bash
# Script 2: NoMAD Login AD preferences and login window authorization mechanisms

AD_domain="domain.name.name1"
BackgroundImage="/wallpaper.jpg"
LoginLogo="/logo.png"
EULA="Loads of EULA text......"
EULA_Title="Usage Agreement"
Placeholder="username@domain.name"

# Write default AD domain
defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain "$AD_domain"
defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage "$BackgroundImage"
defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo "$LoginLogo"
defaults write /Library/Preferences/menu.nomad.login.ad.plist EULAText "$EULA"
defaults write /Library/Preferences/menu.nomad.login.ad.plist EULATitle "$EULA_Title"
defaults write /Library/Preferences/menu.nomad.login.ad.plist CreateAdminIfGroupMember -array 'IT Group' 'Domain Admins'
defaults write /Library/Preferences/menu.nomad.login.ad.plist UsernameFieldPlaceholder "$Placeholder"

# Backup existing security authdb settings
security authorizationdb read system.login.console > /private/tmp/evaluate-mechanisms/console.bak

# Write NoMADLoginAD security authdb mechanisms
# (the console-ad file must already be in /private/tmp/evaluate-mechanisms)
security authorizationdb write system.login.console < /private/tmp/evaluate-mechanisms/console-ad

# Find loginwindow processes and kill if any exist
if pgrep loginwindow; then 
    killall -HUP loginwindow
fi

exit 0

I'm trying to figure this out before I create configuration profile (I'm also not entirely sure the best way to go about doing that from this once I'm ready).

13 REPLIES

jmahlman
Valued Contributor

I would definitely move to the configuration profile. If you need help creating one check out ProfileCreator. It's a great tool to create profiles and it has a NoMAD/NoMAD Login settings helper built in.

You can make one by hand by creating a plist file like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ADDomain</key>
    <string>my.domain</string>
    <key>BackgroundImage</key>
    <string>/path/to/some/image.png</string>
    <key>UsernameFieldPlaceholder</key>
    <string>Something witty</string>
    <key>CreateAdminIfGroupMember</key>
    <array>
        <string>group1</string>
        <string>group2</string>
        <string>group3</string>
    </array>
    <key>LoginLogo</key>
    <string>/path/to/some/logo.png</string>
    <key>LoginScreen</key>
    <true/>
</dict>
</plist>

I created a new config profile in the jamf server and uploaded the plist in the "Custom Settings" payload. The Preference domain is menu.nomad.login.ad
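The scripts in the opening post set the NoMAD Login AD keys with `defaults write`, and the plist above shows the same keys laid out by hand for a Custom Settings payload. The script below is an added example, not code from the thread or from the NoMAD project: it generates that plist from the same kind of variables the opening post uses, and escapes XML special characters on the way, so that EULA text containing `&`, `<` or quotes cannot produce a malformed plist that the profile upload then rejects. All domain, path and group values are constructed placeholders; the key names are the ones used elsewhere in this thread.

```shell
#!/bin/bash
# Added example (not from the thread): emit a menu.nomad.login.ad plist for a
# Jamf "Custom Settings" payload, with XML escaping of every value.
set -e

# Constructed placeholder values; replace with your own.
AD_DOMAIN="domain.name.name1"
BACKGROUND_IMAGE="/wallpaper.jpg"
LOGIN_LOGO="/logo.png"
EULA_TITLE="Usage Agreement"
EULA_TEXT="Use of this system is monitored & logged. <Do not share credentials>"
PLACEHOLDER="username@domain.name"
ADMIN_GROUPS="IT Group|Domain Admins"   # pipe-separated list, split below

# Escape the five XML special characters in a value.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                            -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Emit one <key>/<string> pair.
plist_string() {
    printf '    <key>%s</key>\n    <string>%s</string>\n' "$1" "$(xml_escape "$2")"
}

# Emit a <key>/<array> of strings from a pipe-separated list.
plist_string_array() {
    printf '    <key>%s</key>\n    <array>\n' "$1"
    printf '%s\n' "$2" | tr '|' '\n' | while IFS= read -r item; do
        printf '        <string>%s</string>\n' "$(xml_escape "$item")"
    done
    printf '    </array>\n'
}

# Emit a <key>/<true/> or <key>/<false/> pair.
plist_bool() {
    if [ "$2" = "true" ]; then
        printf '    <key>%s</key>\n    <true/>\n' "$1"
    else
        printf '    <key>%s</key>\n    <false/>\n' "$1"
    fi
}

# Assemble the complete plist on stdout.
build_nomad_login_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    plist_string ADDomain "$AD_DOMAIN"
    plist_string BackgroundImage "$BACKGROUND_IMAGE"
    plist_string LoginLogo "$LOGIN_LOGO"
    plist_string EULATitle "$EULA_TITLE"
    plist_string EULAText "$EULA_TEXT"
    plist_string UsernameFieldPlaceholder "$PLACEHOLDER"
    plist_string_array CreateAdminIfGroupMember "$ADMIN_GROUPS"
    plist_bool KeychainAddNoMAD true
    plist_bool KeychainCreate true
    printf '</dict>\n</plist>\n'
}

# Usage: build_nomad_login_plist > menu.nomad.login.ad.plist
# Upload the file under the "Custom Settings" payload with the
# preference domain menu.nomad.login.ad, as described above.
```

Generating the file rather than hand-editing it keeps the script variables and the profile in step, and the escaping matters most for `EULAText`, which is the one value likely to contain free-form punctuation.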

cmudgeUWF
New Contributor III

That tool looks pretty cool. Am I missing something, or does it not have any sort of executable/app in there? I went to use it, and there's simply nothing to use.

jmahlman
Valued Contributor

It's in the releases tab at the top of the page.

Here you go! Linky!

mm2270
Legendary Contributor III

@cmudgeUWF What did you download? I went to the Releases tab and downloaded the latest beta version. The DMG I pulled down has the app in it.

Outside of using something like this, which is cool, you could also look at tools like mcxToProfile.py from Tim Sutton. It hasn't been updated in a while, but that's likely because it hasn't needed one. It's a python script/tool that lets you take a configured plist file on your Mac and turn it into a deployable Configuration Profile. Since you've already got a lot of the commands to write the NoMAD menu values into a plist file, you could just create the plist and make it into a profile with that.

cmudgeUWF
New Contributor III

Guess I'm not well-versed enough on GitHub (or I'm just used to scripts). I see the releases now. Thanks guys. Let me take a look at this real quick to see what I can do.

cmudgeUWF
New Contributor III

Alright, so I built the mobileconfig file and uploaded it to JAMF, but upon attempting to apply it, my test machine failed. I'm not sure why....

cmudgeUWF
New Contributor III

Ok, so I exported my plist on a machine that has a decent operational setup, and added it to a config profile to apply at the user level for NoMAD. However, when NoMAD launches for a new user, it has no configurations at all. I'm stumped.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>ADDomain</key>
        <string>domain.domain.domain</string>
        <key>FirstRunDone</key>
        <true/>
        <key>KerberosRealm</key>
        <string>DOMAIN.DOMAIN.DOMAIN</string>
        <key>LastPasswordWarning</key>
        <real>1296000</real>
        <key>LocalPasswordSync</key>
        <true/>
        <key>SignInWindowOnLaunch</key>
        <true/>
        <key>SignedIn</key>
        <false/>
        <key>UPCAlert</key>
        <true/>
        <key>UseKeychain</key>
        <true/>
</dict>
</plist>
com.trusourcelabs.NoMAD.plist

nstrauss
Contributor II

@cmudgeUWF User level profiles are not recommended in most cases. Try computer level instead. Your profile there looks fine at first glance though I'm not sure why there's an extra line at the bottom with domain.

Spamming my own blog here, but I have a few posts I think you'll find useful.

Using NoMAD Login With Jamf DEP Workflows
Integrating NoMAD and NoLo to Auto Sign In

Let me know if something isn't covered there.

cmudgeUWF
New Contributor III

Yeah I'm still not following why it's not working. I added the following to my login window script:

defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool "$keychain_add"
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool "$keychain_add"
/usr/local/bin/authchanger -reset -AD

I logged in as a new user, and I'm still getting prompted. There's nothing passed off to NoMAD once logged in. Even after the update://nomad command, I still got nothing.

nstrauss
Contributor II

@cmudgeUWF Are you including the $keychain_add variable in your script? Otherwise you'll want to run the defaults commands as...

#!/bin/bash

defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool TRUE
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool TRUE

Or you can do...

#!/bin/bash

keychain_add="TRUE"

defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool "$keychain_add"
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool "$keychain_add"

Can also check that preference domain to see if keys are getting set correctly.

defaults read /Library/Preferences/menu.nomad.login.ad.plist
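Reading the preference domain back is the right check, and the thing to look at in that output is the exact spelling of each key, because `defaults` keys are case-sensitive: a key written as `KeyChainAddNoMAD` is stored as a separate, unused key while `KeychainAddNoMAD` stays absent. The script below is an added example, not code from the thread or from NoMAD: it parses `defaults read` output, reports each expected key as present, missing, or present only under a different case, and is run here against a constructed sample that contains exactly that mistake. The list of expected keys is taken from the keys used in this thread and is an assumption about which ones you care about.

```shell
#!/bin/bash
# Added example (not from the thread): verify that the NoMAD Login AD keys
# are present, with exact case, in `defaults read` output.

# Keys to check; taken from this thread, adjust to your deployment.
EXPECTED_KEYS="ADDomain KeychainAddNoMAD KeychainCreate CreateAdminIfGroupMember"

# Constructed sample of `defaults read /Library/Preferences/menu.nomad.login.ad.plist`
# for a domain where one key was written with the wrong case.
SAMPLE_DEFAULTS_OUTPUT='{
    ADDomain = "domain.name.name1";
    BackgroundImage = "/wallpaper.jpg";
    CreateAdminIfGroupMember =     (
        "IT Group",
        "Domain Admins"
    );
    KeyChainAddNoMAD = 1;
    KeychainCreate = 1;
}'

# Print the top-level key names: lines of the form "    Key = value" at
# exactly four spaces of indentation (nested array items are indented further).
extract_keys() {
    printf '%s\n' "$1" | sed -n 's/^    \([A-Za-z0-9_]*\) = .*/\1/p'
}

# For each expected key print "ok KEY", "missing KEY" or
# "case-mismatch KEY (found OTHER)". Returns 1 if anything is wrong.
check_keys() {
    output="$1"
    status=0
    found_keys="$(extract_keys "$output")"
    for key in $EXPECTED_KEYS; do
        if printf '%s\n' "$found_keys" | grep -qx "$key"; then
            echo "ok $key"
        else
            # Look for the same key differing only in case.
            near="$(printf '%s\n' "$found_keys" | grep -ix "$key" || true)"
            if [ -n "$near" ]; then
                echo "case-mismatch $key (found $near)"
            else
                echo "missing $key"
            fi
            status=1
        fi
    done
    return $status
}

# On a Mac, run against the live domain instead of the sample:
#   check_keys "$(defaults read /Library/Preferences/menu.nomad.login.ad.plist)"
check_keys "$SAMPLE_DEFAULTS_OUTPUT" || echo "preference domain needs fixing"
```

Running it on the sample reports `case-mismatch KeychainAddNoMAD (found KeyChainAddNoMAD)` and exits non-zero, which is the kind of silent misconfiguration that otherwise shows up only as "nothing passed off to NoMAD once logged in".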

cmudgeUWF
New Contributor III

I'm redoing my test environment real quick, but this is what the script looks like now in total:

#!/bin/bash
# Script 1: NoMAD Login AD preferences and login window authorization mechanisms

AD_domain="domain.domain1.domain2"
BackgroundImage="/BlueLogo.jpg"
LoginLogo="/logo.png"
EULA="Lots of EULA language"
EULA_Title=" Computing Resources Usage Agreement"
Admin_Groups="<Tech Support, Domain Admins>"
Placeholder="username@domain.domain1"

# Write default AD domain
defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain "$AD_domain"
defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage "$BackgroundImage"
defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo "$LoginLogo"
defaults write /Library/Preferences/menu.nomad.login.ad.plist EULAText "$EULA"
defaults write /Library/Preferences/menu.nomad.login.ad.plist EULATitle "$EULA_Title"
defaults write /Library/Preferences/menu.nomad.login.ad.plist CreateAdminIfGroupMember -array 'Tech Support' 'Domain Admins'
defaults write /Library/Preferences/menu.nomad.login.ad.plist UsernameFieldPlaceholder "$Placeholder"
# Key names are case-sensitive: KeychainAddNoMAD, not KeyChainAddNoMAD
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool "true"
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool "true"
# BackgroundImageAlpha is an integer key; store it as one, not as a string
defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImageAlpha -int 40

# Backup existing security authdb settings
#security authorizationdb read system.login.console > /private/tmp/evaluate-mechanisms/console.bak

# Write NoMADLoginAD security authdb mechanisms
#security authorizationdb write system.login.console < /private/tmp/evaluate-mechanisms/console-ad

# Use authchanger
/usr/local/bin/authchanger -reset -AD

# Find loginwindow processes and kill if any exist
if pgrep loginwindow; then 
    killall -HUP loginwindow
fi

exit 0

#!/bin/bash
# Script 2: NoMAD menu bar app preferences (user domain com.trusourcelabs.NoMAD)

AD_domain="domain.domain1.domain2"
Realm="DOMAIN.DOMAIN1.DOMAIN2"

# Write default AD domain
defaults write com.trusourcelabs.NoMAD ADDomain -string "$AD_domain"
defaults write com.trusourcelabs.NoMAD KerberosRealm -string "$Realm"
defaults write com.trusourcelabs.NoMAD UseKeychain -bool "true"
defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch -bool "true"
defaults write com.trusourcelabs.NoMAD UPCAlert -bool "true"
defaults write com.trusourcelabs.NoMAD UseKeychainPrompt -bool "true"

exit 0

When I looked at the com.trusourcelabs.NoMAD.plist file in Terminal, it only had 'Realm = "" ' in it. I'll do a fresh test for you to get a little better results.

achristoforatos
Contributor II

Anyone have information or know where to get it for customizing the nomad login window? I am trying to get the area around the fields to have a background or a different color. I am able to change the full background behind the login window and add a logo, but cannot edit the window itself.

dvasquez
Valued Contributor

@achristoforatos

Good stuff here:

GitLab information on NoMAD: https://gitlab.com/orchardandgrove-oss/NoMADLogin-AD/wikis/home

NoMAD build and concepts can be found here from Jamf User Conference: https://www.youtube.com/watch?v=dImloxKIb0o

NoMAD Home: https://nomad.menu/

The information at the links should sum it up for you.