My previous posts about NoMAD Login + Jamf Pro deployment workflows assumed that once a local account is provisioned, NoMAD Login will be uninstalled. From then on, users would use the stock macOS login window they’re used to.

There are plenty of other use cases, though, where NoMAD Login is used as a persistent login window replacement. In those cases it may be useful to report on authorization mechanisms to ensure they’re set correctly. Otherwise, NoMAD Login or Jamf Connect may not run with the desired mechanisms, or at all.

It may also be useful to know if authorization mechanisms were set back to defaults after using NoMAD Login or Jamf Connect in your deployment workflow. If not, a quick authchanger -reset can get the system back to a healthy state. A few people have also observed that authorization mechanisms can be reset back to defaults after a major OS upgrade - High Sierra to Mojave, for example.

To help in those situations (and probably others) I’ve written two Jamf Pro extension attributes.

nomadlogin_mechs.py - Return a list of NoMAD Login and Jamf Connect authorization mechanisms used during the macOS login window authentication process.

login_mechs_authdb.py - Return a list of all authorization mechanisms.

For example, default macOS mechanisms are returned as shown below. When the list is included as an extension attribute string, a smart group can be created with matching (is, is not, regex, etc.) criteria to target Macs as needed.

<result>builtin:policy-banner
loginwindow:login
builtin:login-begin
builtin:reset-password,privileged
builtin:forward-login,privileged
builtin:auto-login,privileged
builtin:authenticate,privileged
PKINITMechanism:auth,privileged
builtin:login-success
loginwindow:success
loginwindow:FDESupport,privileged
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
CryptoTokenKit:login
loginwindow:done</result>

https://github.com/nstrauss/jamf-extension-attributes
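As an added illustration (not one of the scripts in the repository above), the sketch below compares a Mac's login mechanisms against the default list shown earlier and reports what was added, removed, or only reordered. It assumes the input is the plist printed by `security authorizationdb read system.login.console`; the helper names and the sample plist with `NoMADLoginAD:UI` swapped in are constructed for the example.

```python
import plistlib

# Default login mechanisms, copied from the <result> listing above.
DEFAULT_MECHS = """builtin:policy-banner
loginwindow:login
builtin:login-begin
builtin:reset-password,privileged
builtin:forward-login,privileged
builtin:auto-login,privileged
builtin:authenticate,privileged
PKINITMechanism:auth,privileged
builtin:login-success
loginwindow:success
loginwindow:FDESupport,privileged
HomeDirMechanism:login,privileged
HomeDirMechanism:status
MCXMechanism:login
CryptoTokenKit:login
loginwindow:done""".split("\n")

def read_mechs(plist_bytes):
    """Ordered mechanisms from `security authorizationdb read system.login.console` output."""
    return list(plistlib.loads(plist_bytes).get("mechanisms", []))

def drift(mechs, baseline=DEFAULT_MECHS):
    """Return (state, added, missing) relative to the baseline list."""
    added = [m for m in mechs if m not in baseline]
    missing = [m for m in baseline if m not in mechs]
    if mechs == baseline:
        state = "default"
    elif added or missing:
        state = "modified"
    else:
        state = "reordered"  # same entries, different evaluation order
    return state, added, missing

def sample_plist(mechs):
    """Constructed stand-in for the command output, so the example runs offline."""
    return plistlib.dumps({"class": "evaluate-mechanisms", "mechanisms": mechs})

if __name__ == "__main__":
    # Constructed case: the stock login UI mechanism swapped for a NoMAD Login one.
    swapped = ["NoMADLoginAD:UI" if m == "loginwindow:login" else m for m in DEFAULT_MECHS]
    state, added, missing = drift(read_mechs(sample_plist(swapped)))
    print("<result>%s added=%s missing=%s</result>" % (state, added, missing))
```

A single-word state such as `default` or `modified` is easier to match in smart group criteria than the full multi-line list.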