This repository has been archived by the owner on Jan 2, 2024. It is now read-only.
Josh Wisenbaker edited this page Jan 12, 2022 · 1 revision

Using NoMAD Login AD Notify

Starting with the MacSysAdmin2018 branch, we are including a Notify mechanism within the NoMAD Login AD project. Notify, or NoLoNotify, is very similar to DEPNotify and takes the exact same commands.

Configuring NoLoNotify

First you need to add the Notify mechanism to the list of authentication mechanisms that will be run when a user logs in. You can do this with the authchanger binary included with NoLo. Running it with the help flag, authchanger -help, prints sample usage showing how to enable this.

For example, authchanger -reset -AD -preLogin NoMADLoginAD:Notify will set up NoLo for AD authentication but run the Notify window before the CheckAD window is shown. This means that the user will see the Notify UI before being able to actually sign in to the machine.

Keep in mind that the Notify UI is entirely controlled from the command file in /var/tmp/depnotify.log. If you don't write a quit statement to that file, you will never get past the Notify screen at the loginwindow. For more information on how to use the depnotify.log file, please see the DEPNotify project page.

Changing the UI

In most cases you'll want to have NoLo also kick off the script that will control NoLoNotify. In that case you can use the included RunScript mechanism to also launch a script in the background as root. This will allow you to do the needful and control the Notify UI at the same time. The script path is determined by the ScriptPath key for the menu.nomad.login.ad preference domain. You can supply an array of arguments with the ScriptArgs key.

While a configuration profile is the best way to do this long term, you can use the following defaults commands to set this locally for testing.

sudo defaults write /Library/Preferences/menu.nomad.login.ad.plist ScriptPath /usr/local/bin/notify.sh

sudo defaults write /Library/Preferences/menu.nomad.login.ad.plist ScriptArgs -array "-value" "-something"

You could then add both RunScript and Notify to the list of mechanisms:

authchanger -reset -AD -preAuth "NoMADLoginAD:RunScript,privileged, NoMADLoginAD:Notify"
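
A skeleton for the script that ScriptPath points to, written as an added example (not code from the NoMAD Login AD project): it drives Notify through the command file and uses an EXIT trap so the quit command is written even when a step fails. The Status, MainTitle and Quit lines assume DEPNotify's command syntax; the run argument (supplied through ScriptArgs), the NOTIFY_LOG override and the provisioning steps are constructed for illustration.

```shell
#!/bin/sh
# Added example: skeleton for the script named by ScriptPath (RunScript starts it as root).
# NOTIFY_LOG can be overridden so the script can be exercised away from the loginwindow.
NOTIFY_LOG="${NOTIFY_LOG:-/var/tmp/depnotify.log}"

# Append one command line to the control file that Notify reads.
notify() {
    printf '%s\n' "$1" >> "$NOTIFY_LOG"
}

# Show a status line, then run one provisioning command. A failure is
# reported in the UI and ends the run with the command's exit code.
# Call this only inside run_with_quit, because it uses exit.
step() {
    label=$1
    shift
    notify "Status: $label"
    "$@" || {
        rc=$?
        notify "Status: Failed: $label"
        exit "$rc"
    }
}

# Run the given function in a subshell whose EXIT trap writes the quit
# command, so Notify is released whether the steps succeed, fail or exit.
run_with_quit() {
    (
        trap 'notify "Command: Quit"' EXIT
        "$@"
    )
}

# Constructed provisioning steps; replace "true" with the real work.
provision() {
    notify "Command: MainTitle: Setting up this Mac"
    step "Checking network" true
    step "Installing tools" true
}

# Hypothetical "run" argument: the work starts only when it is passed,
# which leaves the functions above callable on their own for testing.
if [ "${1:-}" = "run" ]; then
    run_with_quit provision
fi
```

Since RunScript launches this file as root, keep it owned by root and not writable by other accounts.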

Other Notes

Notify and RunScript can be run independent of the other parts of NoLo. That is to say that if you want to continue using the standard macOS loginwindow, you're more than welcome to do that. You can add these mechanisms into the flow at any point in the standard loginwindow process that you'd like.

If you're using Jamf, Munki or Filewave, you can have Notify automatically list entries from your MDM logs, in the same fashion as DEPNotify. Just add the NotifyLogStyle key to the NoLo preferences with either jamf, munki or filewave as a value.

These mechanisms can be run more than once. It's entirely feasible to have a Notify screen run both before the login UI is shown and after. The same goes for the RunScript mechanism. Just make sure you have logic in your scripts or deployment process to do the right things at the right time.

If you're stuck at the Notify screen while logging in, you can escape the Notify mechanism by holding down command-control-x.