  1. #!/bin/bash
  2. #
  3. # NoMAD Plus / Jamf Connect Login Okta preferences file creation.
  4.  
  5. # Writes a NoMAD+ Login preferences file.
  6. # Argument 4 Address of your Okta server. Example is dev-1234.oktapreview.com
  7. # Argument 5 Fully qualified path to background image for CheckOkta window
  8. # Argument 6 Fully qualified path to login logo image
  9. # Argument 7 Fully qualified path to put the filevault recovery key
  10.  
  11. # Usage: Use as a script in Jamf Pro to set the preferences file after you've
  12. # installed the Jamf Connect Login package
  13.  
  14. # Rev: 1.0 — SRABBITT September 27, 2018 9:43 AM
  15.  
  16. sudo profiles -s -F /tmp/JamfLicense.mobileconfig -f -v
  17. wait
  18. #Install jamf connect
  19. sudo installer -pkg "/tmp/JamfConnectLogin-1.0.1.pkg" -target /
  20. #wait until jamf installed then configure the files
  21. wait
  22.  
  23. TheURLOfYourOktaServer=changeme.okta.com
  24. pathToBackgroundImage=/test-background.png
  25. pathToLogo=/image-2.png
  26. fileVaultRecoveryKeyPath=$7
  27.  
  28. # AuthServer - Set the Okta domain you want to authenticate against
  29. defaults write /Library/Preferences/menu.nomad.login.okta.plist AuthServer -string "$TheURLOfYourOktaServer"
  30.  
  31. # BackgroundImage - Path to an image to use for the background of the CheckOkta mechanism.
  32. defaults write /Library/Preferences/menu.nomad.login.okta.plist BackgroundImage -string "$pathToBackgroundImage"
  33.  
  34. # DenyLocal - Determines if al users must authenticate to Okta. When using this setting, no local
  35. # authentication is done.
  36. defaults write /Library/Preferences/menu.nomad.login.okta.plist DenyLocal -bool TRUE
  37.  
  38. # DenyLocalExcluded - List of local users that are excluded from the DenyLocal flag.
  39. # Useful things would be an admin account set up for IT.
  40. defaults write /Library/Preferences/menu.nomad.login.okta.plist DenyLocalExcluded -array { “admin”, “ladmin”, “Joe” }
  41.  
  42. # HelpURL - URL to show at the loginwindow to allow for onboarding or Okta enrollment
  43. defaults write /Library/Preferences/menu.nomad.login.okta.plist HelpURL -string "https://distology.okta.com"
  44.  
  45. # LocalFallback - Used with DenyLocal to force authentication to Okta first,
  46. # but then fallback to local auth if Okta is unavailable.
  47. defaults write /Library/Preferences/menu.nomad.login.okta.plist LocalFallback -bool TRUE
  48.  
  49. # LoginLogo - Path to an image to use for the logo at login
  50. defaults write /Library/Preferences/menu.nomad.login.okta.plist LoginLogo -string "$pathToLogo"
  51.  
  52. # Migrate - Allow local accounts to be migrated to Okta-based accounts
  53. # defaults write /Library/Preferences/menu.nomad.login.okta.plist Migrate -bool FALSE
  54.  
  55. # MigrateUsersHide - List of local accounts to exclude from the migration pull-down menu.
  56. # defaults write /Library/Preferences/menu.nomad.login.okta.plist MigrateUsersHide -array { “admin”, “ladmin” }
  57.  
  58. ### OIDC Defaults Group:
  59. #
  60. # If you go to Okta Applications, you can make a special app for each group
  61. # who should get access to that type of account.
  62. # Go to Okta -> Admin -> Classic UI -> Applications and the
  63. # ClientID string is what you put in here.
  64.  
  65.  
  66. # OIDCAccessClientID - OIDC application to use for access to the Mac.
  67. defaults write /Library/Preferences/menu.nomad.login.okta.plist OIDCAccessClientID -string "0oaa77n8lzel6FQne1t7"
  68.  
  69. # OIDCAdminClientID - OIDC application to use to determine who is an admin when a local account is created.
  70. defaults write /Library/Preferences/menu.nomad.login.okta.plist OIDCAdminClientID -string "0oaa76mj7yyiXG00X1t7"
  71.  
  72. # OIDCAuthServer - the Authentication server to use for OIDC operations. This is optional.
  73. # defaults write /Library/Preferences/menu.nomad.login.okta.plist OIDCAuthServer -string "ILKOasdf3829fga"
  74.  
  75. # OIDCRedirectURI - The URI to use for SAML redirects.
  76. # Optional - If you made your Okta application for access with a different URI, you can set that here.
  77. defaults write /Library/Preferences/menu.nomad.login.okta.plist OIDCRedirectURI -string "nomadoauth://oauth-callback/okta"
  78.  
  79. # OIDCSecondaryLoginClientID OIDC application to use to determine who can create local accounts after an initial user has been created.
  80. # defaults write /Library/Preferences/menu.nomad.login.okta.plist OIDCSecondaryLoginClientID -string "abunchanumbersandcharacters"
  81.  
  82. # CreateAdminUser - Makes the new users on the machine an Admin
  83. # defaults write /Library/Preferences/menu.nomad.login.okta.plist CreateAdminUser -bool TRUE
  84.  
  85. # EnableFDE - Determines if this mechanism will enable FileVault if all requirements are met.
  86. #defaults write /Library/Preferences/menu.nomad.login.okta.plist EnableFDE -bool FALSE
  87.  
  88. # EnableFDERecoveryKey - Will write out the resulting personal recovery key to /var/db/ NoMADFDESetup.plist
  89. #defaults write /Library/Preferences/menu.nomad.login.okta.plist EnableFDERecoveryKey -bool FALSE
  90.  
  91. # EnableFDERecoveryKeyPath - Will write out the resulting personal recovery key to /var/db/ NoMADFDESetup.plist
  92. # defaults write /Library/Preferences/menu.nomad.login.okta.plist EnableFDERecoveryKeyPath -string "$fileVaultRecoveryKeyPath"
  93.  
  94. # LAPSUser - The local account to be used for LAPS
  95. # defaults write /Library/Preferences/menu.nomad.login.okta.plist LAPSUser -string "localadmin"
  96.  
  97. # DemobilizeUsers - Determines if mobile accounts should be demobilized
  98. # defaults write /Library/Preferences/menu.nomad.login.okta.plist DemobilizeUsers -bool FALSE
  99.  
  100. /usr/local/bin/authchanger -reset # This Resets the database back to factory fresh just in case
  101. /usr/local/bin/authchanger -Okta # Sets up NoMAD Login+Okta
  102.  
  103. # Kill the login window and use the Okta login instead
  104. killall -HUP loginwindow