Stop Binding your Macs and Use NoMAD Login

Transcript

1. None

2. © JAMF Software, LLC Nathaniel Strauss IT Manager Shakopee Public

   Schools

3. © JAMF Software, LLC Stop Binding Your Macs and Use

   NoMAD Login Agenda: • How we got here • What is NoMAD Login? • Security authorization database and authchanger • Deploying NoMAD Login with Jamf and DEP • Integrating with NoMAD

4. © JAMF Software, LLC Local Accounts Good, AD Bad Local

   Account Mobile Account Network Account Authority Local Directory Service LDAP LDAP Account Info Local Cached Network LDAP Binding Not Required Required Required

5. © JAMF Software, LLC Why Local? • About what authority

   controls the keys • Avoid AD plugin • No more keychain issues • AD functionality without binding

6. © JAMF Software, LLC DEP Setup Assistant Challenges Allows authentication

   to MDM, but… • Can’t force username • Can’t force password • Can’t guarantee either will match existing LDAP or identity management provider

7. © JAMF Software, LLC

8. © JAMF Software, LLC

9. © JAMF Software, LLC Moving to Local with DEP First

   attempt at creating local account using AD attributes # Find UUID and use API call to get XML for computer record from Jamf Pro uuid=$(system_profiler SPHardwareDataType | awk '/Hardware UUID/{print $3}') data=$(curl -su $api_user:$api_pass $api_url/$uuid) # xpath to get birthday LDAP extension attribute birthdate=$(cat $data | xpath "//computer/extension_attributes/extension_attribute" | grep -A2 "<name>birthdate</name>" | awk -F'<value>|</value>' '{print $2}’) # Create local account with default password based on birthdate sysadminctl -addUser $user -fullName $full_name -password $default_password"

10. © JAMF Software, LLC Enter NoMAD Login • Creates local

    accounts based on AD users • Replaces default login window • Controlled by evaluate mechs • Lives in /Library/Security/SecurityAgentPlugins Login window authorization plugin

11. © JAMF Software, LLC Evaluate Mechanisms $ security authorizationdb read

    system.login.console $ authchanger -print

12. © JAMF Software, LLC Evaluate Mechanisms - Default <key>mechanisms</key> <array>

    <string>builtin:policy-banner</string> <string>loginwindow:login</string> <string>builtin:login-begin</string> <string>builtin:reset-password,privileged</string> <string>builtin:forward-login,privileged</string> <string>builtin:auto-login,privileged</string> <string>builtin:authenticate,privileged</string> <string>PKINITMechanism:auth,privileged</string> <string>builtin:login-success</string> <string>loginwindow:success</string> <string>loginwindow:FDESupport,privileged</string> <string>HomeDirMechanism:login,privileged</string> <string>HomeDirMechanism:status</string> <string>MCXMechanism:login</string> <string>CryptoTokenKit:login</string> <string>loginwindow:done</string> </array>

13. © JAMF Software, LLC Evaluate Mechanisms - NoMAD Login <key>mechanisms</key>

    <array> <string>NoMADLoginAD:CheckAD</string> <string>NoMADLoginAD:EULA</string> <string>NoMADLoginAD:PowerControl,privileged</string> <string>NoMADLoginAD:CreateUser,privileged</string> <string>NoMADLoginAD:DeMobilize,privileged</string> <string>builtin:login-begin</string> <string>builtin:reset-password,privileged</string> <string>builtin:forward-login,privileged</string> <string>builtin:auto-login,privileged</string> <string>builtin:authenticate,privileged</string> <string>PKINITMechanism:auth,privileged</string> <string>builtin:login-success</string> <string>loginwindow:success</string> <string>loginwindow:FDESupport,privileged</string> <string>HomeDirMechanism:login,privileged</string> <string>HomeDirMechanism:status</string> <string>MCXMechanism:login</string> <string>CryptoTokenKit:login</string> <string>loginwindow:done</string> <string>NoMADLoginAD:EnableFDE,privileged</string> <string>NoMADLoginAD:SierraFixes,privileged</string> <string>NoMADLoginAD:KeychainAdd,privileged</string> </array>

14. © JAMF Software, LLC Set Preferences with Defaults # Variables

    domain="mydomain.COM" background_image="/Library/Desktop Pictures/High Sierra.jpg” logo="/Library/Application Support/SPS/spslogo.png" # Write default AD domain defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain $domain # Set background image defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage $background_image # Set login window logo defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo $logo

15. © JAMF Software, LLC Postinstall Script # Variables domain="mydomain.COM" background_image="/Library/Desktop

    Pictures/High Sierra.jpg” logo="/Library/Application Support/SPS/spslogo.png" # Write default AD domain defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain $domain # Set background image defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage $background_image # Set login window logo defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo $logo # Set security authorization database mechanisms with authchanger /usr/local/bin/authchanger -reset -AD # Kill loginwindow process to force NoMAD Login to launch /usr/bin/killall -HUP loginwindow

16. © JAMF Software, LLC Creating the Package Package consists of

    two items… • NoMADLoginAD.bundle • authchanger binary And post install script… • Set preferences with defaults • Change evaluate mechs • Kill loginwindow to force reload

17. © JAMF Software, LLC Enrollment Complete Policy

18. © JAMF Software, LLC PreStage Enrollment Settings

19. © JAMF Software, LLC

20. © JAMF Software, LLC Integrating with NoMAD # Adds a

    NoMAD entry into the login keychain defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool TRUE # Should NoLo create a keychain if none exists defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool TRUE

21. © JAMF Software, LLC

22. © JAMF Software, LLC Jamf Connect Paid versions of NoMAD

    and NoMAD Login with Okta support are now…

23. © JAMF Software, LLC Resources • http://bit.ly/NoLo-JNUC2018 • https://github.com/nstrauss

24. © JAMF Software, LL THANK YOU!