... | ... | @@ -21,12 +21,21 @@ This key may be set in either the NoMAD or NoLoAD defaults domain. When set NoLo |
|
|
**AdditionalADDomains**
|
|
|
Allows appending of other domains at the loginwindow and is set as either a `bool` or an `Array` of `String` types. If set as a `Bool` to `YES` then any typed domain will be allowed. If set as an `Array` of ADDomain names, those domains will be allowed for use. If not set, the standard **ADDomain** policy will apply.
|
|
|
|
|
|
**DenyLocal**
|
|
|
Determines if any local accounts can sign in, or if all accounts have to authenticate to AD first.
|
|
|
|
|
|
**DenyLocalExcluded**
|
|
|
An array of account names that can sign in locally without having to authenticate to AD first. Only valid if `DenyLocal` has been set to true.
|
|
|
|
|
|
**DenyLoginUnlessGroupMember**
|
|
|
An array of strings that contain AD group names. Once a user has authenticated to AD, the user record is queried to ensure that the user is a member of at least one of these groups. If not the user is not allowed to login.
|
|
|
|
|
|
## Apperance Settings
|
|
|
**BackgroundImage**
|
|
|
A path to the background image to use as a `String`. If set, this key will attempt to load the given image as a desktop image on the login screen. Any format supported by macOS may be used. You do not need to escape the path to the image.
|
|
|
|
|
|
**BackgroundImageAlpha**
|
|
|
The alpha value of the vibrancy layer blur above the background image as an `Int`. Default value is 80. A lower value will increase the apparent sharpness of the background image.
|
|
|
The alpha value of the vibrancy layer blur above the background image as an `Int` from 0-10 which represent the alpha value in 10% increments, i.e. a value of 8 would be an 80% alpha. A lower value will increase the apparent sharpness of the background image.
|
|
|
|
|
|
**LoginLogo**
|
|
|
A path to the login logo image to use as a `String`. The LoginLogo key allows you to change the logo presented above the username and password fields on the login screen. Any image format supported by macOS may be used, but for the best aesthetics you should make sure that the logo has a transparent background. As with the BackgroundImage key, you do not need to escape the path to the file. This key has a magic property you can use to present no logo. To present login without a logo, set the value to `NONE`.
|
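Review bot: In the DenyLoginUnlessGroupMember description, the membership check is described as running "once a user has authenticated to AD", which leaves open whether a local account (one allowed because `DenyLocal` is not set, or one listed in `DenyLocalExcluded`) skips the group check entirely. State that explicitly, and say whether a failed query of the user record results in the login being denied or allowed, since admins will read this key as an access control. The DenyLocal description should also give its type and default, as the other keys do. Separately, the two BackgroundImageAlpha descriptions use different scales ("Default value is 80" versus "from 0-10 ... in 10% increments"); the 0-10 wording no longer states a default and does not say how an existing value such as 80 is handled.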
... | ... | @@ -75,9 +84,18 @@ On systems using the APFS filesystem, this key will enable FileVault encryption |
|
|
**EnableFDERecoveryKey**
|
|
|
This key write out the output of the `fdesetup` command run by the `EnableFDE` key and write it to `/var/db/.NoMADFDESetup`. This is useful if you are not escrowing the recovery key in an MDM service or otherwise need the PRK.
|
|
|
|
|
|
**EnableFDERecoveryKeyPath**
|
|
|
String of a folder path where the recovery key will be stored. NoLo will create this folder if it does not already exist.
|
|
|
|
|
|
**EnableFDERekey**
|
|
|
Boolean that determines if the FileVault personal recovery key should be rotated when a valid FileVault user signs in.
|
|
|
|
|
|
**LDAPOverSSL**
|
|
|
This key may be set in either the NoMAD or NoLoAD defaults domain. If set to `YES` then NoLoAD will require trusted SSL for communications between the Mac and AD. If your configuration uses self-signed certificates then you will need to install and trust the issuing CA on the Mac before you can login. This is most easily done with a Certificate Payload via MDM. If your certificate chain is publicly trusted, no action is needed.
|
|
|
|
|
|
**LDAPServers**
|
|
|
Array of strings of LDAP servers that you would like to use for AD authentication instead of using SRV record lookup.
|
|
|
|
|
|
## User Creation Settings
|
|
|
**CreateAdminUser**
|
|
|
This key is sent in the NoLoAD defaults domain. If set to `YES` then any local user created at login will be placed into the local `admin` group and therefore be a local administrator on the Mac. If set to `NO`, or if the key is omitted, then local user creation will default to non-administrative accounts.
|
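Review bot: The EnableFDERecoveryKeyPath description says the folder is created if missing but not with what owner and mode, what the file inside it is called, or how this key relates to the `/var/db/.NoMADFDESetup` location given under EnableFDERecoveryKey (and whether EnableFDERecoveryKey must also be set for the path to take effect). Since this folder holds the FileVault personal recovery key, document the permissions and recommend a root-only location. EnableFDERekey should say where the rotated key is written, so readers know whether the stored copy is updated on rotation. The text also says "NoLo" here where the surrounding descriptions say "NoLoAD".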
... | ... | @@ -97,12 +115,17 @@ This key is set in the NoLoAD defaults domain. If set to `YES` then NoLoAD will |
|
|
| ADDomain | String | `nomad.test` | none | `com.trusourcelabs.NoMAD` `menu.nomad.login.ad` | 1.0
|
|
|
| AdditionalADDomains | Bool or Array of Strings | `YES` `<"foo.bar", "bar.foo">` | none | `menu.nomad.login.ad` | 1.2.0
|
|
|
| BackgroundImage | String| `/path/to/imageFile` | none | `menu.nomad.login.ad` | 1.1.0
|
|
|
| BackgroundImageAlpha | Int | `75` | `80` | `menu.nomad.login.ad` | 1.2.0
|
|
|
| BackgroundImageAlpha | Int | `7` | `10` | `menu.nomad.login.ad` | 1.2.0
|
|
|
| CreateAdminUser | Bool | `YES` | `NO`| `menu.nomad.login.ad` | 1.0
|
|
|
| CreateAdminIfGroupMember | Array of Strings | `<"Domain Admins", "HelpDesk">` | none| `menu.nomad.login.ad` | 1.2.0
|
|
|
| DemobilizeUsers | Bool | `NO` | `NO`| `menu.nomad.login.ad` | 1.0
|
|
|
| DenyLocal | Bool | `NO` | `NO`| `menu.nomad.login.ad` | 1.3
|
|
|
| DenyLocalExcluded | Array of Strings | `<"sally", "Joel">` | none| `menu.nomad.login.ad` | 1.3.0
|
|
|
| DenyLoginUnlessGroupMember | Array of Strings | `<"IT", "Cool People">` | none| `menu.nomad.login.ad` | 1.3.0
|
|
|
| EnableFDE | Bool | `YES` | `NO` | `menu.nomad.login.ad` | 1.0
|
|
|
| EnableFDERecoveryKey | Bool | `YES` | `NO` | `menu.nomad.login.ad` | 1.0
|
|
|
| EnableFDERecoveryKeyPath | String | `/var/tmp/prk` | none | `menu.nomad.login.ad` | 1.3.0
|
|
|
| EnableFDERekey | Bool | `YES` | `NO` | `menu.nomad.login.ad` | 1.3.0
|
|
|
| EULAPath | String | `/path/to/saveOn` | `/var/db/NoMADLogin/` | `menu.nomad.login.ad` | 1.2.0
|
|
|
| EULASubTitle | String | `Agree or Else!` | none | `menu.nomad.login.ad` | 1.2.0
|
|
|
| EULAText | String | `Lots of text nobody reads` | none | `menu.nomad.login.ad` | 1.2.0
|
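Review bot: The EnableFDERecoveryKeyPath row uses `/var/tmp/prk` as its example, and `/var/tmp` is world-writable on macOS, so anyone copying the example would store the FileVault recovery key under a directory that any local user can write to. Use an example under a root-owned directory instead, for instance next to the `/var/db/NoMADLogin/` default shown for EULAPath. The two BackgroundImageAlpha rows give defaults of `80` and `10`; on the 0-10 scale a default of `10` is 100% alpha rather than the 80% of the other row, so confirm the default is meant to differ. The DenyLocal row gives its version as `1.3` while the neighbouring rows use `1.3.0`.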
... | ... | @@ -111,6 +134,7 @@ This key is set in the NoLoAD defaults domain. If set to `YES` then NoLoAD will |
|
|
| KeychainCreate | Bool | `YES` | `NO` | `menu.nomad.login.ad` | 1.2.0
|
|
|
| KeychainReset | Bool | `NO` | `NO` | `menu.nomad.login.ad` | 1.2.0
|
|
|
| LDAPOverSSL | Bool | `YES` | `NO` | `com.trusourcelabs.NoMAD` `menu.nomad.login.ad` | 1.0
|
|
|
| LDAPServers | Array of Strings | `<"dc1.nomad.menu", "dc2.nomad.menu">` | none | `menu.nomad.login.ad` | 1.3.0
|
|
|
| LoginLogo | String | `/path/to/imageFile` | none | `menu.nomad.login.ad` | 1.1.0
|
|
|
| LoginLogoData | Data | `<Base64 Data>` | none | `menu.nomad.login.ad` | 1.2.0
|
|
|
| LoginScreen | Bool | `NO` | `NO` | `menu.nomad.login.ad` | 1.1.0
|
... | ... | |
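Review bot: The LDAPServers row lists only `menu.nomad.login.ad` as its domain, while the LDAPOverSSL row directly above it accepts both `com.trusourcelabs.NoMAD` and `menu.nomad.login.ad`; the description should say whether a server list set in the NoMAD domain is ignored. It would also help to state whether entries must be fully qualified names that match the server certificate when LDAPOverSSL is `YES`, and whether SRV record lookup is still used as a fallback when none of the listed servers respond.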