As with any managed preferences, you should only control the settings that you must. Boolean settings default to NO, so you only need to set them to YES to enable those options.
NoMAD Login AD will look for all of its preference settings in the menu.nomad.login.ad defaults domain. It will additionally look for the ADDomain and LDAPOverSSL keys in the com.trusourcelabs.NoMAD domain that NoMAD uses. This allows you to deploy just one profile to cover the basics, such as your desired AD domain.
The previously used domain of menu.nomad.NoMADLoginAD is deprecated.
Please move to the modern menu.nomad.login.ad domain for your managed policies.
Active Directory Domain Settings
This key may be set in either the NoMAD or NoLoAD defaults domain. When set, NoLoAD will only attempt to log in to the managed domain specified. When it is set, the placeholder text in the login window changes from username@domain to just username. Users can type either their short name or the fully qualified name/domain combination and the results will be the same.
Allows appending of other domains at the login window and is set as either a Bool or an Array of String types. If set as a Bool to YES, then any typed domain will be allowed. If set as an Array of ADDomain names, only those domains will be allowed. If not set, the standard ADDomain policy will apply.
Determines if any local accounts can sign in, or if all accounts have to authenticate to AD first.
An array of account names that can sign in locally without having to authenticate to AD first. Only valid if DenyLocal has been set to true.
An array of strings that contain AD group names. Once a user has authenticated to AD, the user record is queried to ensure that the user is a member of at least one of these groups. If not, the user is not allowed to log in.
A path to the background image to use as a String. If set, this key will attempt to load the given image as a desktop image on the login screen. Any format supported by macOS may be used. You do not need to escape the path to the image.
The alpha value of the vibrancy layer blur above the background image as an Int from 0-10, which represents the alpha value in 10% increments, i.e. a value of 8 would be an 80% alpha. A lower value will increase the apparent sharpness of the background image.
A path to the login logo image to use as a String. The LoginLogo key allows you to change the logo presented above the username and password fields on the login screen. Any image format supported by macOS may be used, but for the best aesthetics you should make sure that the logo has a transparent background. As with the BackgroundImage key, you do not need to escape the path to the file. This key has a magic property you can use to present no logo. To present login without a logo, set the value to NONE.
LoginLogoData: a Base64-encoded string of an image to display on the login screen, set as a Data object. Specifying an embedded logo image will override other LoginLogo settings.
This key controls the general appearance of the login process. If set to YES, then a macOS-style login screen will be presented instead of the default login window style.
A String to show as the placeholder in the Username textfield.
If no EULAText preference is set, the EULA window will not be displayed.
Path to save acceptance records to as a String. Default is /var/db/NoMADLogin/
Text for a subtitle in the EULA window as a String.
Body text to present in the EULA window as a String.
Text for the large title in the EULA window as a String.
Use both KeychainCreate and KeychainAddNoMAD to create a NoMAD keychain item on login.
Controls if NoMAD Login should add a NoMAD entry into the user's login keychain. Bool value.
Controls if NoMAD Login should create a Keychain if it doesn't exist. Bool value.
Controls if NoMAD Login should reset the Keychain if the login password doesn't match. Bool value. This has the potential for user data loss. Use with caution.
On systems using the APFS filesystem, this key will enable FileVault encryption as the user is signing in for the first time. This is the equivalent of fdesetup enable. Setting up FileVault in this way will ensure that the disk is encrypted before the user ever logs in. Also, this method is fully compatible with any escrow policies where the recovery key is escrowed in your MDM service.
This key writes the output of the fdesetup command run by the EnableFDE key to /var/db/.NoMADFDESetup. This is useful if you are not escrowing the recovery key in an MDM service or otherwise need the PRK.
String of a folder path where the recovery key will be stored. NoLo will create this folder if it does not already exist.
Boolean that determines if the FileVault personal recovery key should be rotated when a valid FileVault user signs in.
This key may be set in either the NoMAD or NoLoAD defaults domain. If set to YES, then NoLoAD will require trusted SSL for communications between the Mac and AD. If your configuration uses self-signed certificates, then you will need to install and trust the issuing CA on the Mac before you can log in. This is most easily done with a Certificate Payload via MDM. If your certificate chain is publicly trusted, no action is needed.
Array of strings of LDAP servers that you would like to use for AD authentication instead of using SRV record lookup.
User Creation Settings
This key is set in the NoLoAD defaults domain. If set to YES, then any local user created at login will be placed into the local admin group and therefore be a local administrator on the Mac. If set to NO, or if the key is omitted, then local user creation will default to non-administrative accounts.
A list of groups whose members should be created as local administrators. Set as an Array of String types of the group names.
This key is set in the NoLoAD defaults domain. If set to YES then NoLoAD will convert a previously cached mobile account from AD into a regular local user account on login. This removes the AD domain from the authentication authority for the user and also deletes the .account file in the user's home that allows it to be used as an external account. If set to NO, or if the key is omitted, existing mobile accounts will not be modified.
UserProfileImage: a filesystem path, as a String, to an image to set as the user profile image.
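The following is an added example, not code from this page or from the NoMAD project. It assembles the "one profile covers the basics" layout described at the top (ADDomain and LDAPOverSSL in com.trusourcelabs.NoMAD, everything else in menu.nomad.login.ad) and lints the settings for the mistakes this reference warns about: the deprecated menu.nomad.NoMADLoginAD domain, a string "YES" where a plist boolean is required, undocumented keys, and KeychainAddNoMAD without KeychainCreate. The key-to-type table is derived from the descriptions above and covers only keys named on this page; the payload layout (a custom-settings payload whose PayloadType is the preference domain, PayloadScope System), the organisation name, the AD domain ad.example.com and the image paths are assumptions for the sample.

```python
"""Build and lint a .mobileconfig for NoMAD Login AD managed preferences."""
import plistlib
import uuid

DEPRECATED_DOMAIN = "menu.nomad.NoMADLoginAD"
NOLOAD_DOMAIN = "menu.nomad.login.ad"
NOMAD_DOMAIN = "com.trusourcelabs.NoMAD"

# Value types for the keys this reference describes. Only keys named on the
# page are listed; the types follow the text (Bool, String, Data).
KEY_TYPES = {
    NOMAD_DOMAIN: {"ADDomain": str, "LDAPOverSSL": bool},
    NOLOAD_DOMAIN: {
        "DenyLocal": bool,
        "BackgroundImage": str,
        "LoginLogo": str,
        "LoginLogoData": bytes,
        "EULAText": str,
        "KeychainCreate": bool,
        "KeychainAddNoMAD": bool,
        "EnableFDE": bool,
        "UserProfileImage": str,
    },
}


def lint_settings(domain, settings):
    """Return a list of problems found in one domain's settings.

    Catches the deprecated domain, keys this reference does not describe,
    a value whose plist type does not match the documented type (the classic
    mistake is the string "YES" where a boolean is required) and
    KeychainAddNoMAD set without KeychainCreate.
    """
    if domain == DEPRECATED_DOMAIN:
        return [f"{domain} is deprecated; move the keys to {NOLOAD_DOMAIN}"]
    known = KEY_TYPES.get(domain)
    if known is None:
        return [f"unknown preference domain {domain}"]
    problems = []
    for key, value in settings.items():
        if key not in known:
            problems.append(f"{domain}: key {key} is not documented, drop it")
        elif not isinstance(value, known[key]):
            problems.append(
                f"{domain}: {key} must be {known[key].__name__}, "
                f"got {type(value).__name__} {value!r}"
            )
    if settings.get("KeychainAddNoMAD") and not settings.get("KeychainCreate"):
        problems.append(f"{domain}: KeychainAddNoMAD needs KeychainCreate as well")
    return problems


def build_profile(domains, org="Example Org"):
    """Assemble a profile dictionary with one custom-settings payload per
    preference domain. PayloadScope System is used because the login window
    runs before any user session exists (assumed layout, not from the page)."""
    payloads = []
    for domain, settings in domains.items():
        problems = lint_settings(domain, settings)
        if problems:
            raise ValueError("; ".join(problems))
        payload = {
            "PayloadType": domain,
            "PayloadIdentifier": f"{domain}.{uuid.uuid4()}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "PayloadDisplayName": f"{domain} settings",
        }
        payload.update(settings)
        payloads.append(payload)
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadDisplayName": "NoMAD Login AD",
        "PayloadOrganization": org,
        "PayloadIdentifier": "com.example.nomadlogin.ad",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    }


def profile_plist(domains):
    """Serialise the profile to XML plist bytes ready to sign or upload."""
    return plistlib.dumps(build_profile(domains), fmt=plistlib.FMT_XML)


def payload_domains(plist_bytes):
    """Read back the preference domains from a serialised profile."""
    content = plistlib.loads(plist_bytes)["PayloadContent"]
    return sorted(p["PayloadType"] for p in content)


# Constructed sample: the shared keys in the NoMAD domain, the rest in NoLoAD.
EXAMPLE = {
    NOMAD_DOMAIN: {"ADDomain": "ad.example.com", "LDAPOverSSL": True},
    NOLOAD_DOMAIN: {
        "DenyLocal": True,
        "EnableFDE": True,
        "KeychainCreate": True,
        "KeychainAddNoMAD": True,
        "BackgroundImage": "/Library/Desktop Pictures/corp.jpg",
        "LoginLogo": "NONE",
    },
}

if __name__ == "__main__":
    with open("nomadlogin.mobileconfig", "wb") as fh:
        fh.write(profile_plist(EXAMPLE))
    print("wrote nomadlogin.mobileconfig")
```

Run it to produce nomadlogin.mobileconfig, then sign and deploy it through your MDM. The linter is deliberately strict about types: a profile that carries DenyLocal as the string "YES" installs without complaint but never enables the setting, which is the kind of silent policy gap that only shows up when a local account signs in that should have been denied.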