
NoMad Login Setup for beginner

Hello Jamfnation!

I just got back to work from JNUC 2018 and I'm very excited to put into use all the new things I learned.

I manage a small fleet of 25 MacBooks; this is expected to double next year. We're using DEP to enroll our machines but would like to stop binding to AD and start using NoMad for AD authentication and local account management. Now there are a few tutorials and different ways to do this.

Would anyone recommend a specific "simple" way of doing this, or point me in the right direction to get started?

Thanks in advance!

SOLVED Posted: by JSilin

Is this article what you're looking for?
Using NoMAD Login With Jamf DEP Workflows

SOLVED Posted: by chris.miller

Nathaniel gave a great talk on this at JNUC. That article got me up and running pretty quickly.

SOLVED Posted: by dmitchell

I am reading this article but I am still so confused. I am not sure how to package it back up to deploy and do not really understand how to put my own image in here and add additional config like EULA and File Vault for example.

SOLVED Posted: by J.Martinez

Yeah same here. I tried a few things to get the post install configuration in the package, but so far no luck.

SOLVED Posted: by sshort

Our org is looking at Nomad Login as well. I think a lot of the kickoff "when should this get configured" stuff will be made a lot simpler when Jamf Pro 10.9 is released. That will have the AwaitConfiguration support so all the Nomad Login stuff gets handled during Setup Assistant before the user ever sees the login screen. I think Jamf is calling it "Package Deployment via PreStage."

SOLVED Posted: by achristoforatos

Anyone able to get nomad working with pre stage enrollment yet?

SOLVED Posted: by artrathke

I know it supports Azure, but I can't figure out how to piece it all together. I have found this article, but there are too many things in it that I don't understand.

I downloaded the files that are linked, but I'm not sure about how to get the plist files. I don't know how to get Jamf Connect to connect to our company's Azure AD.

It would be very helpful to have some kind of tutorial or walk-through to show how to login and sync to Azure AD.

SOLVED Posted: by riverajo

Jamf provided the following admin guide:
which indicates that you need to speak with your account rep to get the plist files and product license keys. So once you have those, you can move forward with the process.

I am more interested in just using Nomad for deploying and Login+. Currently JAMF announced it would charge $24 per workstation that will use the Nomad Login app. That price is a bit out of scope for my organization at the moment, at least for just logging in.

SOLVED Posted: by PaulHazelden

I deploy NoMAD and NoMAD Login to my Macs in the following way...

Take the 2 installer packages and put them in a folder, which I then compress into a .tar.gz archive. I then put this into Composer. Remember with .tar.gz to cd to the folder where you have the files first, then make the archive.

Then I give it a Post install Shell script.....

## postinstall


# What folder name is being used

# Uncompressing the Installers
# Move to location
cd /private/var/csg/Install/
# Uncompress the archive
tar -zxvf "$csgfile".tar.gz

# ---------------------------------------------------//------------------------------------------------------------

# Install the pkg files found in a temp location

for PKG in /private/var/csg/Install/"$csgfile"/*.pkg; do
    # -allowUntrusted lets installer accept a package signed with an untrusted or expired certificate
    /usr/sbin/installer -pkg "$PKG" -tgt / -allowUntrusted
    # Then it will remove the installers
    rm -Rf "$PKG"
done

# ---------------------------------------------------//------------------------------------------------------------
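# I remove any old existing ones; it makes changes easier
# The plist file name that belongs after /Library/Preferences/ is not shown here
# (nor in the defaults write lines below); add it before running, since the bare
# path is the whole Preferences directory.
rm -Rf /Library/Preferences/
mkdir -p /var/db/NoMADLogin/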
# EULA="Lots of EULA language"
# EULA_Title=" Computing Resources Usage Agreement"
# EULA_Path="/var/db/NoMADLogin/"
# Admin_Groups="<Tech Support, Domain Admins>"
Placeholder="username@YOUR AD SERVER"

# Write default AD domain
defaults write /Library/Preferences/ ADDomain "$AD_domain"
defaults write /Library/Preferences/ BackgroundImage "$BackgroundImage"
defaults write /Library/Preferences/ LoginLogo "$LoginLogo"
defaults write /Library/Preferences/ EULAText "$EULA"
defaults write /Library/Preferences/ EULATitle "$EULA_Title"
defaults write /Library/Preferences/ EULAPath "$EULA_Path"
defaults write /Library/Preferences/ CreateAdminIfGroupMember -array 'Tech Support' 'Domain Admins'
defaults write /Library/Preferences/ UsernameFieldPlaceholder "$Placeholder"
defaults write /Library/Preferences/ KeyChainAddNoMAD -bool "true"
defaults write /Library/Preferences/ KeychainCreate -bool "true"
defaults write /Library/Preferences/ BackgroundImageAlpha "40"

# Backup existing security authdb settings
security authorizationdb read system.login.console > /private/tmp/evaluate-mechanisms/console.bak

# Write NoMADLoginAD security authdb mechanisms
security authorizationdb write system.login.console < /private/tmp/evaluate-mechanisms/console-ad

#Use authchanger
/usr/local/bin/authchanger -reset -AD

# Remove the folder and the archive
rm -Rf /private/var/csg/Install/"$csgfile"
rm -Rf /private/var/csg/Install/"$csgfile".tar.gz

# Find loginwindow processes and kill if any exist
if pgrep loginwindow; then
    killall -HUP loginwindow
fi

exit 0      ## Success
exit 1      ## Failure

When this completes it will kill the loginwindow and return the Mac to the login screen.
You can add in composer the images you want, just put them somewhere they can be accessed. Mine are pushed out by another script, but that is just because I was pushing out desktop pictures this way and it was easy to add to them.

I also have a login script that runs as the user and it has...

AD_domain="your ad server"

# Write default AD domain
defaults write com.trusourcelabs.NoMAD ADDomain -string "$AD_domain"
defaults write com.trusourcelabs.NoMAD KerberosRealm -string "$Realm"
defaults write com.trusourcelabs.NoMAD UseKeychain -bool "true"
defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch -bool "true"
defaults write com.trusourcelabs.NoMAD UPCAlert -bool "true"
defaults write com.trusourcelabs.NoMAD UseKeychainPrompt -bool "true"

This populates the NoMAD app for the user to be able to sign in. I am thinking of adding this script in to the first one, but making it set up the User Templates. This way every new account that logs in will get the plist by default, and not have it set on every login.

The only other thing we do, and it is dependent on your network setup: in DHCP the AD server is in there as Domain Name server and Domain Name. It doesn't work without this. This gets pushed out by the DHCP server, along with our other DNS servers.

Both of these plists need to be in place.

This works for me, hope it helps you.
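
Added example (not part of the post above, and not NoMAD or Jamf code): the script's `rm -Rf` lines take their target from `$csgfile` and from a preference path, so an empty variable or a missing file name turns each one into a delete of the whole directory. One way to guard them, assuming hypothetical helper names `remove_staged` and `remove_pref_file` and a `STAGING_DIR` variable that defaults to the post's staging path:

```shell
#!/bin/sh
# Added example, not from the original post. STAGING_DIR defaults to the
# staging directory used in the post; both function names are hypothetical.
STAGING_DIR="${STAGING_DIR:-/private/var/csg/Install}"

# remove_staged NAME: delete "$STAGING_DIR/NAME" only if NAME is one
# non-empty path component, so an unset variable cannot widen the delete.
remove_staged() {
    case "$1" in
        ''|.|..|*/*)
            echo "remove_staged: refusing name '$1'" >&2
            return 1 ;;
    esac
    rm -Rf -- "$STAGING_DIR/$1"
}

# remove_pref_file PATH: delete one preference file. Directories, symlinks
# and anything not ending in .plist are refused.
remove_pref_file() {
    case "$1" in
        *.plist) ;;
        *)
            echo "remove_pref_file: '$1' is not a .plist path" >&2
            return 1 ;;
    esac
    if [ -L "$1" ] || [ -d "$1" ]; then
        echo "remove_pref_file: '$1' is not a regular file" >&2
        return 1
    fi
    rm -f -- "$1"
}
```

In the postinstall script these would replace the direct calls, for example `remove_staged "$csgfile"` in place of `rm -Rf /private/var/csg/Install/"$csgfile"`.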

SOLVED Posted: by nikjamf

Does that work if you do not have DEP, and the user account is created with the Administrative rights and permissions?