Jamf has decided to archive the NoMAD repos on GitHub. Going forward they aren’t going to receive any updates.
While they are read-only, they aren’t being deleted. That means that anyone who wants to fork and use the code is welcome to do so. Everything remains MIT licensed and open source.
The projects are still here and still open source, they just won’t be maintained by Jamf. Any existing issues or PRs have been closed.
You can see the official announcement on the Jamf Blog.
There is still an active user community on the MacAdmins Slack nomad channel.
As always, have fun and read the man pages.
macshome
Hi everyone! You have found your way to the repo for NoMAD Login AD, or NoLoAD for short. This project can be seen as a companion to our other AD authentication product for macOS, NoMAD. You can use either one independently from each other, and both contain all the bits and pieces you need to talk to AD.
NoLoAD is a replacement login window for macOS 10.12 and higher. It allows you to login to a Mac using Active Directory accounts, without the need to bind the Mac to AD and suffer all the foibles that brings.
The current production version of NoLoAD is 1.4.0
For those of you that are new to NoLo, the basic features are:
PasswordOverwriteSilent
a Boolean to determine if the password should be silently overwritten when the AD authentication succeeds, should be used in conjunction with DenyLocal
.ManageSecureTokens
a Boolean to determine if the SecureToken management capabilites should be enabled. This utilizes a service account which can be modified from default using the below optional preferences.SecureTokenManagementEnableOnlyAdminUsers
a Boolean to determine if the SecureToken service account should only enable administrative users created with NoMAD Login.SecureTokenManagementIconPath
a String to determine the path of the icon to be used for the user, default is /Library/Security/SecurityAgentPlugins/NoMADLoginAD.bundle/Contents/Resources/NoMADFDEIcon.png
SecureTokenManagementOnlyEnableFirstUser
a Boolean to determine if the NoMAD Login should only enable the first user that is eligable for a SecureToken, and delete the service account afterwards.SecureTokenManagementFullName
a String to define a custom Full Name for the SecureToken service account, default is NoMAD Login
SecureTokenManagementUID
an Integer or String to define a custom UID for the SecureToken service account, default is 400
SecureTokenManagementPasswordLocation
a String to define a custom password storage location for the SecureToken service account password, default is /var/db/.nomadLoginSecureTokenPassword
. NOTE: use printf
to write to the file and not echo
SecureTokenManagementPasswordLength
an Integer to define a custom SecureToken service account password length, default is 16
SecureTokenManagementUsername
a String to define a custom username for the SecureToken service account, default is _nomadlogin
PasswordOverwriteSilent
workflow - Reqest from @Ehlers299DemobilizeSaveAltSecurityIdentities
a Boolean to determine if the AltSecurityIdentities
user record attribute should be preserved, useful when moving from mobile accounts with smart card mapping implemented.DemobilizeForcePasswordCheck
a Boolean to determine if a password input at the NoMAD login window will be required to demobilize, default is false
RecursiveGroupLookup
a Boolean to determine if group membership lookups should be done recursively, default is false
MigrateUsersHide
an array of Strings of the names of users that should be hidden from user migration canidates during selectionGuestUser
a Boolean to determine if guest users should be allowed to login, default is false
GuestUserAccounts
an array of Strings of names that can be entered into the username field to trigger a guest user creation, default is ["Guest", "guest"]
GuestUserAccountPasswordPath
a String to define the path to write out the guest users randomly generated password, defaults is to not write it outGuestUserFirst
a String to define the first name of the guest user accountGuestUserLast
a String to define the last name of the guest user accountAllowNetworkSelection
a Boolean to define if the network selection is hidden, default is false
AdditionalADDomains
so that the comparision is more sane.AdditionalADDomainList
an array of Strings that will cause a pull down domain menu in the Sign In window. Users can select a domain from the menu and then only enter the shortname in the text field.NTtoADDomainMappings
a Dictionary of Strings, e.g. [ NOMAD: nomad.menu], would allow a user to sign in as "NOMAD\user" and that would be converted to "user@nomad.menu" before authenticating to AD.AliasNTName
Bool to define if the user's NT style name is added as an alias to the local account during account creation.AliasUPN
Bool to define if the users UPN is added as an alias to the local account during account creation.DefaultSystemInformation
a String to define the system information to be shown by default, options are Serial
, MAC
, ComputerName
, Hostname
, SystemVersion
, and IP
, default is nothingCustomNoMADLocation
a String to define the location of a custom NoMAD installation to support automatic ACL declaration when KeychainAdd
is utilized, default is /Applications/NoMAD.app
LocalFallback
used in conjunction with DenyLocal
and PasswordOverwriteSilent
would cause unintentional password overwrites.UIDTool
a String to determine the path of an executable that is run when a new user is created. It is expected to return the UID that the user should be created with. It passes in the new users username as the first argument, default is to use the built in functionalitycom.apple.loginwindow
domain with new support of the LoginwindowText
keyUseCNForFullNameFallback
a Boolean that determines if to use CN as the fullname on the account when the givenName and sn fields are blankPowerControlDisabled
a Boolean that determines if the powercontrol options should be disabled/hidden in the SignIn UIDisableFDEAutoLogin
now respected under the com.apple.loginwindow
preference domainBackgroundImageAlpha
an Integer from 0-10 which determines the alpha value for the background image in 10% increments, i.e. a value of 3
would be a 30% alpha
This was broken before and is now fixed.DenyLocal
Boolean determines if local user accounts are allowed to sign in, or if all auth is forced through AD.DenyLocalExcluded
Array or strings of user shortnames that will be allowed to authenticate locally instead of via AD.DenyLoginUnlessGroupMember
Array of strings of AD group names. When an AD user is authenticating, only allow login if the user is a member of one of these groups.EnableFDERecoveryKeyPath
String of a folder path where the recovery key will be stored. NoLo will create this folder if it does not already exist.EnableFDERekey
Boolean that determines if the FileVault personal recovery key should be rotated when a valid FileVault user signs in.LDAPServers
Array of strings of LDAP servers that you would like to use for AD authentication instead of using SRV record lookup.LoginLogoAlpha
an Integer from 0-10 which determines the alpha value for the logo image in 10% increments, i.e. a value of 3
would be a 30% alpha
This was broken before and is now fixed.LoginLogoData
is working again.NotifyLogStyle
Takes a string of jamf
, filewave
, munki
or none
and will add the appropriate log file to the the Notify mechanism.ScriptPath
Path to a script for the RunScript mechanism to run.ScriptArgs
Array of strings of arguments to give the script being run by the RunScript mechanism. <<User>>
will be replaced with the current user's shortname, <<First>>
with the current user's first name, <<Last>>
with the current user's last name, <<Principal>>
with the current user's Kerberos principal.UseCNForFullName
Use the the user's cn from AD instead of attempting to create the user name from the first and last name attributes of the user's AD record.UsernameFieldPlaceholder
text to place into the user field in the loginwindow to give a hint as to what to enter.UserInputOutputPath
string determining the path where the userinfo.plist
will be written.UserInputUI
a rather complicated dictionary that contains the settings for up to 4 text fields and 4 pop up buttons that will be shown during the UserInput mechanism. Look in the ConfigSamples folder in the source for an example of this configuration profile.UserInputLogo
path to a logo file to use for the UserInput mechanism.UserInputTitle
string for the UserInput mechanism title.UserInputMainText
string for the UserInput text.NoMADLoginAD:RunScript
will run a script of your choosing as set by the preferences. This is typically marked as privileged
to allow the script to run as root.NoMADLoginAD:Notify
runs the Notify screen. See the DEPNotify project for more information.NoMADLoginAD:UserInput
displays up to 4 text fields and 4 pull down menus to allow the user to enter information during the login process.LastUser
value to the NoMAD preferences. This allows NoMAD to login on first launch. (#89)Please file any issues, or requested features, in the project issue tracker.
Getting started with NoLoAD is easy, but currently it takes a few steps. It's also easy to revert to the Apple login window in case you run in to any issues.
Installing is easy!
authchanger
tool and be done with it. The only reason not to do this is if you have made other changes to the system.login.console
rights.ADDomain
in the menu.nomad.login.ad
preference domain.Now you should be able to logout and find yourself staring at the majesty of NoMAD Login!
Take a look in our Wiki to see how to get started with Carthage and Xcode.
Using NoMAD Login AD is easy. Just enter your AD username and password in username@domain
format and your password. If the domain is visible on the network, NoMAD Login AD will discover the domain details and then authenticate your account. Once that is done it will create a local account that matches the AD one and complete the login. You can then use NoMAD as you normally would from the menu bar to keep the accounts synchronized.
Since the created account is a local one, you won't suffer any network delays when logging in or unlocking your Mac. From the login window, NoLoAD will simply defer to the regular local login process for any local accounts. At this point you could even just go back to the Apple Loginwindow, but where is the fun in that?
Enticing you to stay now is the ability to customize the login experience with your own logos and background images. More info, and a gallery of options, can be found in the wiki.
When you decide that you've had enough it's easy to go back to the standard login window.
The easy way is to simply run /usr/local/bin authchanger -reset
, followed by killall -HUP loginwindow
to reload the login window.
Thanks to all of you for trying NoMAD Login AD! Please let us know about issues and features in the issue tracker. You can also find us on Slack in nomad and nomad-login.