NoMad Login Preferences Mojave

anayat_chowdhur
New Contributor II

Seem to be having an issue with NoMad Login.

We're running Mojave and while I can get preferences to load via the menu.nomad.login.ad plist, things like logo, background etc. all work.

However, for the life of me I cannot seem to use the macOS style login screen. According to the documentation the value to set is LoginScreen:YES

Here's the plist file I have but the macOS style login screen will not work.

{
    ADDomain = "company.co.uk";
    CreateAdminIfGroupMember =     (
        "Domain Administrators"
    );
    KeyChainAddNoMAD = 1;
    KeychainCreate = 1;
    LoginScreen = YES;
}

mm2270
Legendary Contributor III

I have not looked at the documentation because I don't currently use NoMAD Login, but are you certain it's a "YES" and not a boolean true value that's needed for that key? The KeychainAddNoMAD and KeychainCreate are both boolean values as can be seen by their respective 1 values. Maybe the LoginScreen key needs the same thing and the documentation wasn't clear on that?
I would at least give it a try and see.

anayat_chowdhur
New Contributor II

https://gitlab.com/orchardandgrove-oss/NoMADLogin-AD/wikis/Configuration/preferences

This is what's on the wiki:

LoginScreen This key controls the general appearance of the login process. If set to YES then a macOS-style loginscreen will be presented instead of the default loginwindow style.

I've also tried it with 1 but that doesn't seem to work either.

hdsreid
Contributor III

You can use ProfileCreator to make a NoMAD Login profile with appropriate payloads. That is how I currently have mine configured, however we do have a plist as part of the onboarding process for first login. The script to generate that plist achieves the loginscreen with the following line

defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginScreen -bool TRUE
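
An added example, not part of the original posts or of the NoMAD Login project: a small Python check that parses a preferences plist and reports keys whose value type or spelling differs from what the login window is expected to read, which is the string-versus-boolean mismatch discussed above. The key spellings and types in `EXPECTED` are assumptions taken from the replies in this thread, not an official schema, and both sample plists are constructed.

```python
import plistlib

# Key spellings and types as used in the replies above (assumed, not an official schema).
EXPECTED = {
    "ADDomain": str,
    "CreateAdminIfGroupMember": list,
    "KeychainAddNoMAD": bool,
    "KeychainCreate": bool,
    "LoginScreen": bool,
}

def audit_prefs(plist_bytes):
    """Return (key, problem) tuples for keys whose spelling or value type is off."""
    prefs = plistlib.loads(plist_bytes)
    canonical_by_lower = {name.lower(): name for name in EXPECTED}
    findings = []
    for key, value in prefs.items():
        canonical = canonical_by_lower.get(key.lower())
        if canonical is None:
            continue  # key is outside the scope of this check
        if key != canonical:
            findings.append((key, f"spelled differently from {canonical}"))
        want = EXPECTED[canonical]
        # bool subclasses int in Python, so compare exact types, not isinstance.
        if type(value) is not want:
            findings.append((key, f"{type(value).__name__} value, expected {want.__name__}"))
    return findings

# Constructed sample modelled on the plist in the first post: LoginScreen is the
# string "YES" and one key uses the first post's capitalisation.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ADDomain</key><string>company.co.uk</string>
  <key>CreateAdminIfGroupMember</key><array><string>Domain Administrators</string></array>
  <key>KeyChainAddNoMAD</key><true/>
  <key>KeychainCreate</key><true/>
  <key>LoginScreen</key><string>YES</string>
</dict></plist>"""

# The same file after `defaults write ... LoginScreen -bool TRUE` (constructed).
FIXED = SAMPLE.replace(b"<string>YES</string>", b"<true/>")

if __name__ == "__main__":
    for key, problem in audit_prefs(SAMPLE):
        print(f"{key}: {problem}")
```

On a Mac, pass the bytes of `/Library/Preferences/menu.nomad.login.ad.plist` to `audit_prefs`; `plistlib` reads both XML and binary plists.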

achristoforatos
Contributor II

Would this also work for the createadminuser if I do not want them to be an admin?

npynenberg
Contributor

I am having the same issue. Can't seem to get this setting to function. Other setting changes seem to be respected.

achristoforatos
Contributor II

@npynenberg I created a script that runs at login to change that setting. The initial login user will be an admin, but anything after will be standard.

hdsreid
Contributor III

@npynenberg @achristoforatos Do you have an LDAP group of users created that you wish to be admins? We have found that to be the easiest way. We don't want everyone to have admin at account creation by default, only if you are a member of specific LDAP groups that are scoped to allow it. There are pros and cons to this. If you have multiple users on one machine, this will probably solve most issues related to only making sure the correct accounts are granted admin, and this is acceptable in an environment where computers are not assigned directly to a user. If you assign one user per machine, be warned that the user will be granted admin on ANY Mac with NoMAD Login configured on it. This is great if you are scoping help desk accounts so they can log in to any machine as admin, but can be problematic if Janice in sales needs admin rights; adding her to the group is simple enough, but it will give the unintended consequence of allowing her to log in as admin on ANY Mac.

As a result, our workflow ends up being the help desk and platform engineers being in the correct LDAP groups for automatic rights on any device (similar to how a Windows enterprise is managed), as these users will need admin rights to provide support to users. Everyone else is "standard" by default and can either be grandfathered in as admin if they already were approved on a previous Mac, or put in a request for admin rights. These are granted "manually" (dropping a machine in a policy), but it is a precaution worth taking IMO.