NoMAD Login and Jamf Connect EAs for Jamf Pro
My previous posts about NoMAD Login + Jamf Pro deployment workflows assumed that once a local account is provisioned NoMAD Login will be uninstalled. From then on out users would use the stock macOS login window they’re used to.
There are plenty of other use cases though where NoMAD Login is used as a persistent login window replacement. In those cases it may be useful to report on authorization mechanisms to ensure they’re set correctly. Otherwise NoMAD Login or Jamf Connect may not run with the desired mechanisms or at all.
It may also be useful to know if authorization mechanisms were set back to defaults after using NoMAD Login or Jamf Connect in your deployment workflow. If not, then a quick authchanger -reset can get the system back to a healthy state. It’s also been observed by a few people that authorization mechanisms can be reset back to defaults after a major OS upgrade - High Sierra to Mojave for example.
To help in those situations (and probably others) I’ve written two Jamf Pro extension attributes.
nomadlogin_mechs.py - Return a list of NoMAD Login and Jamf Connect authorization mechanisms used during the macOS login window authentication process.
login_mechs_authdb.py - Return a list of all authorization mechanisms.
For example, default macOS mechanisms are returned like below. When included as an extension attribute string a smart group can be created with matching (is, is not, regex, etc.) criteria to target Macs as needed.
<result>builtin:policy-banner loginwindow:login builtin:login-begin builtin:reset-password,privileged builtin:forward-login,privileged builtin:auto-login,privileged builtin:authenticate,privileged PKINITMechanism:auth,privileged builtin:login-success loginwindow:success loginwindow:FDESupport,privileged HomeDirMechanism:login,privileged HomeDirMechanism:status MCXMechanism:login CryptoTokenKit:login loginwindow:done</result>
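The kind of check these extension attributes perform can be sketched as follows. This is an added example, not the author's nomadlogin_mechs.py or login_mechs_authdb.py. It assumes the mechanisms live in the system.login.console right and that NoMAD Login and Jamf Connect mechanisms start with NoMADLoginAD: and JamfConnectLogin:. All function names are hypothetical.

```python
import plistlib
import subprocess
import sys

# Default macOS mechanisms, copied from the <result> example on this page.
DEFAULT_MECHS = (
    "builtin:policy-banner loginwindow:login builtin:login-begin "
    "builtin:reset-password,privileged builtin:forward-login,privileged "
    "builtin:auto-login,privileged builtin:authenticate,privileged "
    "PKINITMechanism:auth,privileged builtin:login-success loginwindow:success "
    "loginwindow:FDESupport,privileged HomeDirMechanism:login,privileged "
    "HomeDirMechanism:status MCXMechanism:login CryptoTokenKit:login "
    "loginwindow:done"
).split()

# Assumption: plugin prefixes used by NoMAD Login and Jamf Connect mechanisms.
PLUGIN_PREFIXES = ("NoMADLoginAD:", "JamfConnectLogin:")

def read_right(right="system.login.console"):
    """Return the raw plist for an authorization right (macOS only)."""
    cmd = ["/usr/bin/security", "authorizationdb", "read", right]
    return subprocess.check_output(cmd, stderr=subprocess.DEVNULL)

def parse_mechanisms(plist_bytes):
    """Extract the ordered mechanism list from an authorization rule plist."""
    return list(plistlib.loads(plist_bytes).get("mechanisms", []))

def plugin_mechs(mechs):
    """Keep only the NoMAD Login / Jamf Connect mechanisms, in order."""
    return [m for m in mechs if m.startswith(PLUGIN_PREFIXES)]

def state(mechs):
    """Classify the list so a smart group can match on one word."""
    if mechs == DEFAULT_MECHS:
        return "default"
    return "login-plugin" if plugin_mechs(mechs) else "modified"

def as_result(mechs):
    """Format for Jamf Pro, which reads the value between <result> tags."""
    return "<result>%s</result>" % " ".join(mechs)

# Constructed sample: loginwindow:login swapped for two NoMAD Login mechanisms.
SAMPLE = plistlib.dumps({"class": "evaluate-mechanisms", "mechanisms":
    ["builtin:policy-banner", "NoMADLoginAD:CheckAD",
     "NoMADLoginAD:CreateUser,privileged"] + DEFAULT_MECHS[2:]})

if __name__ == "__main__":
    raw = read_right() if sys.platform == "darwin" else SAMPLE
    print(as_result(plugin_mechs(parse_mechanisms(raw))))
```

A "modified" state with no plugin mechanisms present means the login chain differs from the defaults listed above for some other reason, which is worth reviewing before running authchanger -reset.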