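#!/bin/bash
#
# NoMAD Plus / Jamf Connect Login Okta preferences file creation.
# Writes a NoMAD+ Login preferences file.
# Argument 4 Address of your Okta server. Example is dev-1234.oktapreview.com
# Argument 5 Fully qualified path to background image for CheckOkta window
# Argument 6 Fully qualified path to login logo image
# Argument 7 Fully qualified path to put the filevault recovery key
# Usage: Use as a script in Jamf Pro to set the preferences file after you've
# installed the Jamf Connect Login package
# Rev: 1.0 — SRABBITT September 27, 2018 9:43 AM
#
# Arguments 4-6 are optional: an empty or unset argument falls back to the
# value that was previously hardcoded below, so existing policies keep working.
# The script exits non-zero as soon as the license profile, the package install
# or any preference write fails, so the login window is never switched over to
# the Okta mechanism on top of a missing or half-written preferences file.
set -eu

readonly PLIST=/Library/Preferences/menu.nomad.login.okta.plist
readonly LICENSE_PROFILE=/tmp/JamfLicense.mobileconfig
readonly CONNECT_PKG=/tmp/JamfConnectLogin-1.0.1.pkg

# Both payloads are read from /tmp and installed as root, so check they are
# actually there before touching the system. /tmp is world-writable; staging
# them in a root-owned directory would be safer, but the paths are kept so the
# Jamf policy that drops the files there keeps working.
[[ -f "$LICENSE_PROFILE" ]] || { printf 'missing %s\n' "$LICENSE_PROFILE" >&2; exit 1; }
[[ -f "$CONNECT_PKG" ]] || { printf 'missing %s\n' "$CONNECT_PKG" >&2; exit 1; }

sudo profiles -s -F "$LICENSE_PROFILE" -f -v

# Install jamf connect. installer(8) runs in the foreground and returns only
# once the package is installed, so no separate wait is needed before the
# configuration below.
sudo installer -pkg "$CONNECT_PKG" -target /

TheURLOfYourOktaServer=${4:-changeme.okta.com}
pathToBackgroundImage=${5:-/test-background.png}
pathToLogo=${6:-/image-2.png}
fileVaultRecoveryKeyPath=${7:-}

# AuthServer - Set the Okta domain you want to authenticate against
defaults write "$PLIST" AuthServer -string "$TheURLOfYourOktaServer"
# BackgroundImage - Path to an image to use for the background of the CheckOkta mechanism.
defaults write "$PLIST" BackgroundImage -string "$pathToBackgroundImage"
# DenyLocal - Determines if all users must authenticate to Okta. When using this setting, no local
# authentication is done.
defaults write "$PLIST" DenyLocal -bool TRUE
# DenyLocalExcluded - List of local users that are excluded from the DenyLocal flag.
# Useful things would be an admin account set up for IT. Every account listed
# here bypasses Okta entirely, so keep the list to the break-glass accounts
# that really need it.
# `-array` takes one plain argument per element; braces, commas and typographic
# quotes would be stored as literal elements and no account would match.
defaults write "$PLIST" DenyLocalExcluded -array "admin" "ladmin" "Joe"
# HelpURL - URL to show at the loginwindow to allow for onboarding or Okta enrollment
defaults write "$PLIST" HelpURL -string "https://distology.okta.com"
# LocalFallback - Used with DenyLocal to force authentication to Okta first,
# but then fallback to local auth if Okta is unavailable.
defaults write "$PLIST" LocalFallback -bool TRUE
# LoginLogo - Path to an image to use for the logo at login
defaults write "$PLIST" LoginLogo -string "$pathToLogo"
# Migrate - Allow local accounts to be migrated to Okta-based accounts
# defaults write "$PLIST" Migrate -bool FALSE
# MigrateUsersHide - List of local accounts to exclude from the migration pull-down menu.
# defaults write "$PLIST" MigrateUsersHide -array "admin" "ladmin"

### OIDC Defaults Group:
#
# If you go to Okta Applications, you can make a special app for each group
# who should get access to that type of account.
# Go to Okta -> Admin -> Classic UI -> Applications and the
# ClientID string is what you put in here.
# OIDCAccessClientID - OIDC application to use for access to the Mac.
defaults write "$PLIST" OIDCAccessClientID -string "0oaa77n8lzel6FQne1t7"
# OIDCAdminClientID - OIDC application to use to determine who is an admin when a local account is created.
defaults write "$PLIST" OIDCAdminClientID -string "0oaa76mj7yyiXG00X1t7"
# OIDCAuthServer - the Authentication server to use for OIDC operations. This is optional.
# defaults write "$PLIST" OIDCAuthServer -string "ILKOasdf3829fga"
# OIDCRedirectURI - The URI to use for OIDC redirects.
# Optional - If you made your Okta application for access with a different URI, you can set that here.
defaults write "$PLIST" OIDCRedirectURI -string "nomadoauth://oauth-callback/okta"
# OIDCSecondaryLoginClientID OIDC application to use to determine who can create local accounts after an initial user has been created.
# defaults write "$PLIST" OIDCSecondaryLoginClientID -string "abunchanumbersandcharacters"
# CreateAdminUser - Makes the new users on the machine an Admin
# defaults write "$PLIST" CreateAdminUser -bool TRUE
# EnableFDE - Determines if this mechanism will enable FileVault if all requirements are met.
# defaults write "$PLIST" EnableFDE -bool FALSE
# EnableFDERecoveryKey - Will write out the resulting personal recovery key to /var/db/ NoMADFDESetup.plist
# defaults write "$PLIST" EnableFDERecoveryKey -bool FALSE
# EnableFDERecoveryKeyPath - Path the personal recovery key is written to instead of the default above
# (argument 7). The key is stored in clear text at that path, so it must not be readable by ordinary users.
# defaults write "$PLIST" EnableFDERecoveryKeyPath -string "$fileVaultRecoveryKeyPath"
# LAPSUser - The local account to be used for LAPS
# defaults write "$PLIST" LAPSUser -string "localadmin"
# DemobilizeUsers - Determines if mobile accounts should be demobilized
# defaults write "$PLIST" DemobilizeUsers -bool FALSE

# Reset the authorization database back to factory fresh just in case, then
# enable the NoMAD Login+Okta mechanism.
/usr/local/bin/authchanger -reset
/usr/local/bin/authchanger -Okta
# Kill the login window and use the Okta login instead
killall -HUP loginwindow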