Stop Binding your Macs and Use NoMAD Login

Jamf
October 24, 2018

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
Stop Binding your Macs and Use NoMAD Login

Presented by:
Nathaniel Strauss, Shakopee Public Schools

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.

Transcript

  1. Stop Binding Your Macs and Use NoMAD Login

     © JAMF Software, LLC

     Agenda:
     • How we got here
     • What is NoMAD Login?
     • Security authorization database and authchanger
     • Deploying NoMAD Login with Jamf and DEP
     • Integrating with NoMAD
  2. Local Accounts Good, AD Bad

                     Local Account             Mobile Account   Network Account
     Authority       Local Directory Service   LDAP             LDAP
     Account Info    Local                     Cached           Network LDAP
     Binding         Not Required              Required         Required
  3. Why Local?

     • It is about which authority controls the keys
     • Avoid the AD plugin
     • No more keychain issues
     • AD functionality without binding
  4. DEP Setup Assistant Challenges

     Allows authentication to MDM, but…
     • Can’t force username
     • Can’t force password
     • Can’t guarantee either will match existing LDAP or identity management provider
  5. Moving to Local with DEP

     First attempt at creating a local account using AD attributes

     # These were not shown on the slide and must be set before running:
     api_user=""        # Jamf Pro API account with read access to computer records
     api_pass=""
     api_url=""         # endpoint that returns the computer record XML for a UUID
     user=""            # short name for the new local account
     full_name=""

     # Find the hardware UUID and use an API call to get the XML for this
     # computer's record from Jamf Pro
     uuid=$(system_profiler SPHardwareDataType | awk '/Hardware UUID/{print $3}')
     data=$(curl -su "$api_user:$api_pass" "$api_url/$uuid")

     # xpath to get the birthdate LDAP extension attribute
     # ($data holds the XML itself, so it is piped in rather than passed to cat as a file name)
     birthdate=$(echo "$data" | xpath "//computer/extension_attributes/extension_attribute" \
       | grep -A2 "<name>birthdate</name>" | awk -F'<value>|</value>' '{print $2}')

     # Create the local account with a default password based on the birthdate.
     # The slide does not show how the password is derived; using the birthdate
     # directly is an assumption. A birthdate-derived password is guessable and
     # should be changed at first login.
     default_password="$birthdate"
     sysadminctl -addUser "$user" -fullName "$full_name" -password "$default_password"
  6. Enter NoMAD Login

     Login window authorization plugin
     • Creates local accounts based on AD users
     • Replaces the default login window
     • Controlled by evaluate mechs
     • Lives in /Library/Security/SecurityAgentPlugins
  7. Evaluate Mechanisms - Default

     <key>mechanisms</key>
     <array>
         <string>builtin:policy-banner</string>
         <string>loginwindow:login</string>
         <string>builtin:login-begin</string>
         <string>builtin:reset-password,privileged</string>
         <string>builtin:forward-login,privileged</string>
         <string>builtin:auto-login,privileged</string>
         <string>builtin:authenticate,privileged</string>
         <string>PKINITMechanism:auth,privileged</string>
         <string>builtin:login-success</string>
         <string>loginwindow:success</string>
         <string>loginwindow:FDESupport,privileged</string>
         <string>HomeDirMechanism:login,privileged</string>
         <string>HomeDirMechanism:status</string>
         <string>MCXMechanism:login</string>
         <string>CryptoTokenKit:login</string>
         <string>loginwindow:done</string>
     </array>
  8. Evaluate Mechanisms - NoMAD Login

     <key>mechanisms</key>
     <array>
         <string>NoMADLoginAD:CheckAD</string>
         <string>NoMADLoginAD:EULA</string>
         <string>NoMADLoginAD:PowerControl,privileged</string>
         <string>NoMADLoginAD:CreateUser,privileged</string>
         <string>NoMADLoginAD:DeMobilize,privileged</string>
         <string>builtin:login-begin</string>
         <string>builtin:reset-password,privileged</string>
         <string>builtin:forward-login,privileged</string>
         <string>builtin:auto-login,privileged</string>
         <string>builtin:authenticate,privileged</string>
         <string>PKINITMechanism:auth,privileged</string>
         <string>builtin:login-success</string>
         <string>loginwindow:success</string>
         <string>loginwindow:FDESupport,privileged</string>
         <string>HomeDirMechanism:login,privileged</string>
         <string>HomeDirMechanism:status</string>
         <string>MCXMechanism:login</string>
         <string>CryptoTokenKit:login</string>
         <string>loginwindow:done</string>
         <string>NoMADLoginAD:EnableFDE,privileged</string>
         <string>NoMADLoginAD:SierraFixes,privileged</string>
         <string>NoMADLoginAD:KeychainAdd,privileged</string>
     </array>
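The two mechanism arrays above are the `mechanisms` key of the `system.login.console` rule in the authorization database, which `security authorizationdb read system.login.console` prints as an XML plist. What follows is an added example, not code from the slides or from the NoMAD Login project: it derives the NoMAD Login chain from the stock chain the way the two slides show it (the stock banner and `loginwindow:login` entries are replaced by five NoMADLoginAD mechanisms in front and three after `loginwindow:done`), reverses that change, and audits a rule read from the database against the expected chain. The `audit_rule`, `reset_mechanisms` and `rule_plist` names and the tampered sample rule are my own constructions; the transformation is reconstructed from the slides, not taken from authchanger's source.

```python
import plistlib

# Stock chain, exactly as on the "Evaluate Mechanisms - Default" slide.
DEFAULT_MECHANISMS = [
    "builtin:policy-banner",
    "loginwindow:login",
    "builtin:login-begin",
    "builtin:reset-password,privileged",
    "builtin:forward-login,privileged",
    "builtin:auto-login,privileged",
    "builtin:authenticate,privileged",
    "PKINITMechanism:auth,privileged",
    "builtin:login-success",
    "loginwindow:success",
    "loginwindow:FDESupport,privileged",
    "HomeDirMechanism:login,privileged",
    "HomeDirMechanism:status",
    "MCXMechanism:login",
    "CryptoTokenKit:login",
    "loginwindow:done",
]

# What NoMAD Login puts in front of, and after, the stock chain (from the slide).
NOLO_HEAD = [
    "NoMADLoginAD:CheckAD",
    "NoMADLoginAD:EULA",
    "NoMADLoginAD:PowerControl,privileged",
    "NoMADLoginAD:CreateUser,privileged",
    "NoMADLoginAD:DeMobilize,privileged",
]
NOLO_TAIL = [
    "NoMADLoginAD:EnableFDE,privileged",
    "NoMADLoginAD:SierraFixes,privileged",
    "NoMADLoginAD:KeychainAdd,privileged",
]
# The two stock entries NoMAD Login takes over: the policy banner and the login UI.
REPLACED_BY_NOLO = ["builtin:policy-banner", "loginwindow:login"]


def _without_nolo(mechs):
    """Drop every NoMADLoginAD mechanism and the two stock entries it replaces."""
    return [m for m in mechs
            if not m.startswith("NoMADLoginAD:") and m not in REPLACED_BY_NOLO]


def nomad_login_mechanisms(mechs):
    """Chain for NoMAD Login, reconstructed from the slides (the effect of
    `authchanger -reset -AD`). Idempotent: feeding it its own output changes nothing."""
    return NOLO_HEAD + _without_nolo(mechs) + NOLO_TAIL


def reset_mechanisms(mechs):
    """Stock chain again: strip NoMADLoginAD entries and restore the banner and
    stock login UI in front (the effect of `authchanger -reset`)."""
    return REPLACED_BY_NOLO + _without_nolo(mechs)


def rule_plist(mechs):
    """Serialize a mechanisms array as a plist, the shape
    `security authorizationdb write system.login.console` reads from stdin."""
    return plistlib.dumps({"class": "evaluate-mechanisms", "mechanisms": list(mechs)})


def audit_rule(plist_xml, expected):
    """Compare the mechanisms of a rule (XML plist bytes as printed by
    `security authorizationdb read system.login.console`) with an expected chain.
    Returns (exact_match, unexpected_mechanisms, missing_mechanisms)."""
    rule = plistlib.loads(plist_xml)
    actual = rule.get("mechanisms", [])
    unexpected = [m for m in actual if m not in expected]
    missing = [m for m in expected if m not in actual]
    return actual == list(expected), unexpected, missing


# Constructed sample (not from a real Mac): the NoMAD Login chain with an extra,
# unknown privileged mechanism appended, the kind of entry an audit must flag.
TAMPERED_RULE = rule_plist(
    nomad_login_mechanisms(DEFAULT_MECHANISMS) + ["UnknownPlugin:login,privileged"]
)

if __name__ == "__main__":
    ok, unexpected, missing = audit_rule(TAMPERED_RULE, nomad_login_mechanisms(DEFAULT_MECHANISMS))
    print("matches expected chain:", ok)
    print("unexpected:", unexpected, "missing:", missing)
```

On a fleet Mac the input to `audit_rule` is the output of `security authorizationdb read system.login.console`, and `expected` is either `DEFAULT_MECHANISMS` or `nomad_login_mechanisms(DEFAULT_MECHANISMS)` depending on whether NoMAD Login is deployed. Every mechanism in this rule runs in the login window and the `,privileged` ones run as root, so a mechanism that is in neither list is worth an alert, not just a report: the authorization database is a persistence location, and the same check that confirms authchanger did its job also catches an authorization plugin nobody installed.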
  9. Set Preferences with Defaults

     # Variables
     domain="mydomain.COM"
     background_image="/Library/Desktop Pictures/High Sierra.jpg"
     logo="/Library/Application Support/SPS/spslogo.png"

     # Write default AD domain
     defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain "$domain"
     # Set background image (quoted: the path contains spaces)
     defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage "$background_image"
     # Set login window logo
     defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo "$logo"
  10. Postinstall Script

     # Variables
     domain="mydomain.COM"
     background_image="/Library/Desktop Pictures/High Sierra.jpg"
     logo="/Library/Application Support/SPS/spslogo.png"

     # Write default AD domain
     defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain "$domain"
     # Set background image (quoted: the path contains spaces)
     defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage "$background_image"
     # Set login window logo
     defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo "$logo"

     # Set security authorization database mechanisms with authchanger
     /usr/local/bin/authchanger -reset -AD
     # Kill loginwindow process to force NoMAD Login to launch
     # (intended for the login window or Setup Assistant; with a user logged in
     # this ends their session)
     /usr/bin/killall -HUP loginwindow
  11. Creating the Package

     Package consists of two items…
     • NoMADLoginAD.bundle
     • authchanger binary

     And a postinstall script…
     • Set preferences with defaults
     • Change evaluate mechs
     • Kill loginwindow to force reload
  12. Integrating with NoMAD

     # Adds a NoMAD entry into the login keychain
     defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool TRUE
     # Should NoLo create a keychain if none exists
     defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool TRUE
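Slides 9 through 12 set five keys in /Library/Preferences/menu.nomad.login.ad.plist and then swap the mechanisms and restart loginwindow. The postinstall runs blind: if the plugin bundle is not in /Library/Security/SecurityAgentPlugins when `authchanger -reset -AD` runs, the login window can no longer complete authentication until the rule is reset, and `killall -HUP loginwindow` ends the session of anyone who happens to be logged in. The following is an added example, not code from the slides or the NoMAD Login project: it builds the same preference plist with plistlib and adds a preflight that reports the problems a postinstall should stop on. `build_preferences`, `preflight`, `write_preferences` and the console-user rule are my own; the assumption that the console is owned by `root` at the login window and by `_mbsetupuser` during Setup Assistant is mine, and the sample paths and user name are constructed.

```python
import plistlib
from pathlib import Path

PLIST_NAME = "menu.nomad.login.ad.plist"          # written by `defaults write` on the slides
PLUGIN_BUNDLE = "NoMADLoginAD.bundle"             # expected in /Library/Security/SecurityAgentPlugins
# Console owners under which HUP-ing loginwindow ends no user session (assumption:
# root at the login window, _mbsetupuser during DEP / Setup Assistant).
NO_SESSION_CONSOLE_USERS = ("root", "_mbsetupuser")


def build_preferences(ad_domain, background_image=None, login_logo=None,
                      keychain_add_nomad=True, keychain_create=True):
    """The menu.nomad.login.ad keys used on slides 9 and 12 as one dictionary."""
    prefs = {
        "ADDomain": ad_domain,
        "KeychainAddNoMAD": bool(keychain_add_nomad),   # add a NoMAD entry to the login keychain
        "KeychainCreate": bool(keychain_create),        # create a keychain if none exists
    }
    if background_image:
        prefs["BackgroundImage"] = str(background_image)
    if login_logo:
        prefs["LoginLogo"] = str(login_logo)
    return prefs


def preflight(prefs, plugins_dir, console_user):
    """Return the list of reasons not to run `authchanger -reset -AD` and
    `killall -HUP loginwindow` yet; an empty list means go ahead.
    console_user is what `stat -f %Su /dev/console` prints on the Mac."""
    problems = []
    if not prefs.get("ADDomain"):
        problems.append("ADDomain is empty; NoMAD Login has no domain to authenticate against")
    for key in ("BackgroundImage", "LoginLogo"):
        path = prefs.get(key)
        if path and not Path(path).is_file():
            problems.append(f"{key} points at a missing file: {path}")
    if not (Path(plugins_dir) / PLUGIN_BUNDLE).is_dir():
        problems.append(f"{PLUGIN_BUNDLE} is not installed in {plugins_dir}; "
                        "switching mechanisms now would leave the login window unable to authenticate")
    if console_user not in NO_SESSION_CONSOLE_USERS:
        problems.append(f"{console_user} is logged in at the console; "
                        "HUP-ing loginwindow would end that session")
    return problems


def write_preferences(prefs, directory):
    """Write the plist `defaults` would have produced; returns the file path."""
    path = Path(directory) / PLIST_NAME
    with open(path, "wb") as fh:
        plistlib.dump(prefs, fh)
    return path


if __name__ == "__main__":
    # Constructed values mirroring the slides; on a real Mac plugins_dir is
    # /Library/Security/SecurityAgentPlugins and the plist goes to /Library/Preferences.
    prefs = build_preferences("mydomain.COM",
                              background_image="/Library/Desktop Pictures/High Sierra.jpg",
                              login_logo="/Library/Application Support/SPS/spslogo.png")
    for problem in preflight(prefs, "/Library/Security/SecurityAgentPlugins", "root"):
        print("STOP:", problem)
```

In a Jamf postinstall the preflight runs before the authchanger line, and a non-empty list should make the script exit non-zero so the policy fails visibly instead of handing the user a login window with a broken chain; recovering that state means resetting `system.login.console` from Recovery or over SSH, which is slower than reading a failed-policy log.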
  13. Jamf Connect

     Paid versions of NoMAD and NoMAD Login with Okta support are now…