Deploying NoMAD with Configuration Profiles

It feels a little silly to be so excited about something so simple as NoMAD, but there’s nothing simple about NoMAD behind the scenes. It’s doing a lot of heavy lifting that you’d usually need binding to accomplish. Preventing the complication of binding simplifies your Mac environment. On the Macadmins.org Podcast recently, we spent an hour talking with Joel Rennich about just that.

We’ve now deployed NoMAD for a single site, using Munki to deploy the application bundle, but when it comes to deploying the preferences, I’ve decided to take some notes from the tea leaves being read and move my deployment strategy to take advantage of Mobile Configuration Profiles. Rusty Myers has a good meta-repository of Profiles if you’re not familiar with all the options available.

From our testing rig, where we finalized the settings for deployment, we built a good configuration. You can use the system defaults command to play out what NoMAD is setup to do. defaults read com.trusourcelabs.NoMAD will give you the entire contents of the prefs domain, but you don’t need everything from that file. This is what we took forward from that file:

nomad-mcx

Now, if you want the full payload of preferences, there is a published guide to all of the settings options.

defaults read displays the contents of the preferences file in the old MCX format, which is exactly what we need to generate a profile for upload to MDMs, or deployment directly via Munki. Tim Sutton has written an MCX-to-Profile python script that can take the contents of that file and turn it into a mobileconfig profile. Name the MCX file com.trusourcelabs.NoMAD so that the correct permissions domain is applied – or just change the name once the profile is built.

nomad-config

To get the profile out, we made it an update for the NoMAD installer itself, set as an unattended installation. When NoMAD is installed by Munki, it gets the profile as an upgrade in the background, installed and ready for first run. In this case, we’re using NoMAD even while bound, just to simplify the installation of an X509 identity for use with 802.1X and Cisco ISE for Wi-Fi purposes. There are a lot of good reasons to use NoMAD to simplify your world.

Leave a Reply

Your email address will not be published. Required fields are marked *