How to Uninstall NoMAD

Here is a simple script to uninstall NoMAD:

#!/bin/bash
# Rui Qiu
# Remove NoMAD and use direct AD Bind

# User currently logged in at the console
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

pkill "NoMAD"
# The application path on the next line is cut off on this page; as written it targets all of /Applications
sudo rm -rf /Applications/
sudo rm -rf "/Library/Managed Preferences/com.trusourcelabs.NoMAD.plist"
sudo rm -rf "/Library/Managed Preferences/$loggedInUser/com.trusourcelabs.NoMAD.plist"
sudo rm -rf "/Users/$loggedInUser/Library/LaunchAgents/com.trusourcelabs.NoMAD.plist"


And you can use this to search files:

mdfind -name "NoMAD"

Force Install macOS Update

Here is a simple command to force install macOS updates in the background:

softwareupdate -i -a

After running that, you can use Casper to notify the user to reboot 🙂


And here is a useful link to enable updates on the Mac:

Extract a JSON value from a BASH script

You can find the simple bash script for extracting a JSON value on this GitHub:

function jsonValue() {
# $1 is the key to look up, $2 selects which match to print
local KEY=$1 num=$2
awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'$KEY'\042/){print $(i+1)}}}' | tr -d '"' | sed -n "${num}p"
}

Shell Script to Remove Centrify, Move Wifi/LAN, and Request 802.1 Certificate

Here is a long script that does a lot of things: it deletes the Centrify Binding, Centrify certificates and itself, binds the machine to AD via native plugin and requests a 802.1x certificate via native RPC.



#!/bin/bash
# This script deletes the Centrify Binding, Centrify certificates and itself, binds the machine to AD via native plugin and requests a 802.1x certificate via native RPC
# Rui Qiu
# Nov 17, 2017
# Last update: Dec 12, 2017

# exit code 0 - success
# 1 - no wifi
# 2 - no connection to DC
# 3 - migration failed, no connection to DC

# $FilePath (working folder) and $b (suffix appended to the short hostname) are used below
# but are not set anywhere in the script as published; define them before running.

CurrentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
ConnectedWIFI=$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/ SSID/ {print substr($0, index($0, $2))}')
# All network services, each wrapped in double quotes, on one line
Ori_Network_Choice=$(networksetup -listallnetworkservices | grep -v 'An asterisk ' | sed 's/^\*//' | sed 's/.*/"&"/' | tr '\n' ' ')
DCserver=$(ping -c1 -n "$(adinfo --server)" | head -n1 | sed "s/.*(\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)).*/\1/g")
ADUser_Check=$(adquery user "$CurrentUser" | grep -c "113584762")

echo "------------------------------------Project Zero------------------------------------"
echo "Current user is: $CurrentUser"
echo "AD User Check result is: $ADUser_Check"
echo "Current Wifi is: $ConnectedWIFI"
echo "DC server IP is: $DCserver"

# Remove any previous installation files
if [ -d "$FilePath" ]; then rm -Rf "$FilePath"; fi

# Check if a user is on our WIFI network
if [ "$ConnectedWIFI" = "XXX" ] && [ "$ADUser_Check" = "1" ]; then

    # Shut down Ethernet
    #ethernet=$(networksetup -listnetworkserviceorder |grep 'Hardware Port.*100\|Hardware Port.*LAN' |grep -o '....$' |cut -c 1-3)
    echo "~~~ Step 1 of 9 ~~~ You are on the correct WIFI, now move it as the first connection choice"
    echo "Original Network Sequence Order"
    echo "$Ori_Network_Choice"
    echo networksetup -ordernetworkservices "Wi-Fi" $(networksetup -listallnetworkservices | grep -v 'An asterisk ' | sed 's/^\*//' | grep -v Wi-Fi | sed 's/.*/"&"/' | tr '\n' ' ') | bash
    echo "New Network Sequence Order"
    networksetup -listallnetworkservices
    sleep 5

    # Check if can contact our Domain Controller
    echo "~~~ Step 2 of 9 ~~~ Ping our DC"
    ping -c1 -W1 -q "$DCserver" &>/dev/null
    status=$?
    if [ $status -ne 0 ] ; then
        echo "Not on Zalando_Air"
        mv "$FilePath"/project_zero.txt "$FilePath"/X_wifiwrong.txt
        exit 1 # exit code needed
    fi

    # Uninstall Centrify
    echo "~~~ Step 3 of 9 ~~~ Uninstall Centrify"
    # The uninstaller file name is cut off on this page
    /usr/local/share/centrifydc/bin/ -n -e

    # Delete Old Centrify Certificates
    echo "~~~ Step 4 of 9 ~~~ Removing old Certificates"
    a=$(hostname -s)
    security find-certificate -c "$a$b" -a -Z | \
    awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'

    # Bind to AD
    echo "~~~ Step 5 of 9 ~~~ Bind to AD"
    jamf policy -event bind -verbose

    # Migrate user account to AD
    echo "~~~ Step 6 of 9 ~~~ Migrating account"
    echo " Skipping this part, no need "
    #dscl . delete /Users/$CurrentUser
    # chown -R $CurrentUser:Your_AD_ID /Users/$CurrentUser/
    # chown -R $CurrentUser /Users/$CurrentUser/

    # Install Configuration Profile
    echo "~~~ Step 7 of 9 ~~~ Installing profile"
    /usr/bin/profiles -I -F /X/X.mobileconfig

    # Revert Back to Original Network Sequence Order
    echo "~~~ Step 8 of 9 ~~~ Revert Back to Original Network Sequence Order, and Check Internet Access"
    echo networksetup -ordernetworkservices $Ori_Network_Choice | bash
    echo "Now the network sequence order is "
    networksetup -listallnetworkservices

    echo "Check for Internal Access"
    sleep 5
    ping -c1 -W1 -q "$DCserver" &>/dev/null
    status=$?
    if [ $status -ne 0 ] ; then
        echo "Migration Failed, Cannot connect to DC"
        mv "$FilePath"/X.txt "$FilePath"/X_failed.txt
        exit 3 # exit code needed
    fi

    # Remove temp file
    echo "~~~ Step 9 of 9 ~~~ Finished, record the result and removing temp file"
    mv "$FilePath"/X.txt "$FilePath"/X_finished.txt
    rm "$FilePath"/X.mobileconfig
else
    # If not on our WIFI network, exit
    echo "Not on the right Wifi or is not an AD user, exit"
    exit 0
fi
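
An alternative to the `echo networksetup ... | bash` pattern used in steps 1 and 8 of the script above, as an added example that is not part of the original script: the service names are passed as separate arguments, so a name containing quotes, `$` or spaces is never re-parsed by a second shell. The function names and the sample service list are assumptions made up for this example.

```sh
#!/bin/sh
# Added example: reorder network services with Wi-Fi first, without echo | bash.

# Constructed sample of `networksetup -listallnetworkservices` output.
# The last name is made up to show that "$" in a name stays literal.
sample_list() {
cat <<'EOF'
An asterisk (*) denotes that a network service is disabled.
USB 10/100/1000 LAN
Wi-Fi
*Thunderbolt Bridge
Guest $HOME LAN
EOF
}

# Drop the header line and the leading "*" that marks a disabled service.
service_names() {
    sed -e '/^An asterisk /d' -e 's/^\*//' -e '/^$/d'
}

# Print the names with the preferred service first, the rest in original order.
preferred_first() {
    awk -v p="$1" '$0 == p { found = 1; next } { rest[++n] = $0 }
        END { if (found) print p; for (i = 1; i <= n; i++) print rest[i] }'
}

# run_with_services LIST CMD [ARGS...]: run CMD ARGS followed by one argument
# per line of LIST. The names are never re-parsed by a shell.
run_with_services() {
    list=$1; shift
    old_ifs=$IFS
    IFS='
'
    set -f                 # no globbing while the list is split on newlines
    set -- "$@" $list
    set +f
    IFS=$old_ifs
    "$@"
}

order=$(sample_list | service_names | preferred_first "Wi-Fi")
# Dry run: print each argument in brackets. On a Mac, drop "printf '[%s]\n'"
# so that networksetup itself is executed with these arguments.
run_with_services "$order" printf '[%s]\n' networksetup -ordernetworkservices
```

Saving the original order with `service_names` alone and replaying it through `run_with_services` covers the revert in step 8 the same way.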


Casper Configuration Profiles Auto Renewal

If you are using AD certificates inside a configuration profile, here is the easiest way to make them renew automatically:

sudo defaults write /Library/Preferences/ AutoRenewCertificatesEnabled -bool YES

I have set up an extension attribute to check which Macs need this remediation:

#!/bin/bash
status=$(sudo defaults read /Library/Preferences/ AutoRenewCertificatesEnabled)
echo "<result>$status</result>"


Any Macs without the result 1 will get remediated 🙂

Here is the link from Apple, it works for Sierra and up.


By default, the auto renewal time is 14 days before expiring.

Links to read:


To find expired certificates:

expired=$(security find-identity | grep EXPIRED | awk '{print $2}')


To delete a certificate:

security find-certificate -c "certificatename" -a -Z | \
sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
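
The two commands above combined into a reviewable dry run, as an added example that is not from the original post: it selects identities by the expired status marker at the end of the line instead of a plain `grep EXPIRED`, checks that each value is a 40-character hex hash, and prints the delete commands instead of running them. The function names, hashes and sample output are constructed for this example.

```sh
#!/bin/sh
# Added example: pick expired identities out of `security find-identity`
# output by their status marker and print the delete commands (dry run).

# Constructed hashes (not real certificates), 40 hex characters each.
EXPIRED_HASH=A1B2C3D4E5A1B2C3D4E5A1B2C3D4E5A1B2C3D4E5
VALID_HASH=0F1E2D3C4B0F1E2D3C4B0F1E2D3C4B0F1E2D3C4B
LOOKALIKE_HASH=9988776655998877665599887766559988776655

# Constructed sample output. The third identity is valid but has "EXPIRED"
# in its name, which a plain `grep EXPIRED` would also match. The expired
# identity is listed twice to show de-duplication.
sample_find_identity() {
cat <<EOF
Policy: X.509 Basic
  Matching identities
  1) $EXPIRED_HASH "mac01.example.test" (CSSMERR_TP_CERT_EXPIRED)
  2) $VALID_HASH "mac01.example.test"
  3) $LOOKALIKE_HASH "EXPIRED-CERT-TEST"
  4) $EXPIRED_HASH "mac01.example.test" (CSSMERR_TP_CERT_EXPIRED)
     4 identities found
EOF
}

# Print each expired identity's SHA-1 once. A line counts only if it is a
# numbered entry, field 2 is 40 hex characters, and the last field is the
# expired status marker.
expired_hashes() {
    awk '$1 ~ /^[0-9]+\)$/ && $NF == "(CSSMERR_TP_CERT_EXPIRED)" &&
         length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ && !seen[$2]++ { print $2 }'
}

# Dry run: print one delete command per hash instead of executing it.
delete_commands() {
    while IFS= read -r hash; do
        printf 'security delete-certificate -Z %s\n' "$hash"
    done
}

sample_find_identity | expired_hashes | delete_commands
```

On a Mac, replace `sample_find_identity` with `security find-identity` and review the printed commands before running them.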

How to Troubleshoot 802.1x Mac Authentication Issues

It is quite complex to troubleshoot 802.1x authentication issues on a Mac. Here are a few places where you can look for errors:

1. RADIUS Server Log

This is the most convenient and efficient way to troubleshoot 802.1x issues. Just send the MAC address to your network engineer and ask for the authentication log 🙂

If you just use FQDN_computername, it will fail for sure

The correct name should be computername$

Or you can use host/FQDN_computername


2. EAPOLClient Log

If you cannot find your network engineer easily, this is the perfect log for troubleshooting. Just open Terminal and run these commands, which will show you the last 5 minutes of the Mac authentication log:

sudo defaults write /Library/Preferences/SystemConfiguration/ LogFlags -int -1

log show --style syslog --predicate 'processImagePath contains "eapolclient" and subsystem contains ""' --last 30m > ~/Desktop/eapolclient.log

You will get this if someone removes the network configuration profile:

You will get this if your network identity preference is not correctly linked to your mac client certificate:

Your EAP Response Identity should be computername$ or host/FQDN_computername

3. Keychains


You should have these items inside your Keychain:

  1. Identity Preference for Wifi under your “login” folder
  2. Identity Preference for Ethernet under “System”
  3. 802.1x Password for WIFI under “System”
  4. 802.1x Password for ethernet under “System”
  5. Root CA certificate




4. Configuration Profile Installation Issues

If you see this message when trying to install the configuration profile:

The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed.

Enable the log mode and then check from there:

sudo defaults write /Library/Preferences/ debugOutput -2
sudo defaults write /Library/Preferences/ collateLogs 1

And then check log from /Library/Logs/ManagedClient/ManagedClient.log


If everything is fixed, you should be able to see these from your network connection:


802.1X Network Authentication for Mac

Cannot believe I spent so much time just to figure out how to do 802.1x network authentication for Mac 🙂

So for managing Macs, we have two ways to set up 802.1x: one is using Apple Profile Manager to create a configuration profile, and the other is to use a Casper configuration profile. From the internet, it seems the Casper profile has some issues with the ethernet profile, so I decided to use the Apple Profile Manager from the Server app.

However, no matter what settings I made, it always turned out like this when I installed the profile on a test Mac:

So I had to choose the Casper configuration route. However, if you are using Apple Profile Manager, here are a few points that may be helpful to you:

  1.  On the Certificate Server, you have to type something like this: https://FQDN/certsrv
  2.  The username you use to authenticate with RADIUS server, it can be %ComputerName%$,

Here are a few articles that talk about this method:


Ok, now let’s talk about doing 802.1x authentication using Casper’s configuration profile.  Here are the settings from my environment:

  1. Upload your root CA certificate on the Certificate Tab;
  2. Setup your AD certificate to acquire your client certificate for your mac;
    2.1 Certificate Authority just the common name of your server is fine:
    2.2 Be careful about “The name of the CA”, you can find your real CA name from this URL:
  3. On the Network tab, create two networks, one for wifi and the other for ethernet.
    It needs to be “Computer Level” under the “General” tab.
    Choose the security type your environment uses; for me, it is TLS.
    On the Trust tab, choose the root CA and specify any RADIUS servers you need to trust. If you list *.FQDN, it will NOT work. You have to manually specify all the FQDNs of your RADIUS servers.

    The username part is very important. If you use $COMPUTERNAME like Casper said, it will come out as, however for our RADIUS server to recognize it, it needs to be something like name$, so we have to use %AD_ComputerID%.

    And then you do the same for ethernet. Some people prefer to create two separate configuration profiles, one for wifi and the other for ethernet. I did that before, and then found out I would have two identical client machine certificates, so I decided to put them into one to avoid confusion.

3. If you think you are done, that is far too easy 🙂

If you install the configuration profile, you will see the ethernet will work well, however the wifi won’t work ( in my case, the wifi won’t associate my client machine certificate, so I have to manually link them together).

Here is my script to do a manual configuration profile install and then link them together:


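a=$(hostname -s)
# $b (the suffix appended to the short hostname) is not defined in the script as published; set it before use

/usr/bin/profiles -I -F /private/tmp/network.mobileconfig
security set-identity-preference -c "$a$b" -s "your wifi name"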


Ok, now you should be all set with 802.1 network authentication for your macs 🙂

How to Check Macs with Office 2011 & Office 2016 Installed in Casper

Here are the Casper Smart Groups to see how many office 2011 and office 2016 users:




SCCM SQL Report for All Office Users

Here is the SCCM SQL report statement for finding all Office users. I have used “Microsoft Office Professional” as the keyword; you can change it to any software title you want 🙂


SELECT TOP (100) PERCENT RV.AD_Site_Name0 AS [AD Site], RV.Netbios_Name0 AS [PC Name], RV.Creation_Date0 AS [PC Joined Date], RV.User_Name0 AS [User Name],
dbo.v_GS_INSTALLED_SOFTWARE.ProductName0, dbo.v_GS_INSTALLED_SOFTWARE.ProductVersion0, dbo.v_R_User.description0 AS [Employee Location], dbo.v_R_User.Mail0 AS Email,
dbo.v_R_User.title0 AS Title, dbo.v_R_User.department0 AS Department, dbo.v_R_User.manager0 AS Manager
FROM dbo.v_R_System_Valid AS RV INNER JOIN
dbo.v_R_User ON RV.User_Name0 = dbo.v_R_User.User_Name0 INNER JOIN
-- The target of this join is missing on the page; joining the installed-software view on ResourceID is an assumption
dbo.v_GS_INSTALLED_SOFTWARE ON RV.ResourceID = dbo.v_GS_INSTALLED_SOFTWARE.ResourceID
GROUP BY RV.Netbios_Name0, RV.AD_Site_Name0, RV.Creation_Date0, RV.User_Name0, dbo.v_R_User.department0, dbo.v_R_User.description0, dbo.v_R_User.Mail0, dbo.v_R_User.manager0, dbo.v_R_User.title0,
dbo.v_GS_INSTALLED_SOFTWARE.ProductName0, dbo.v_GS_INSTALLED_SOFTWARE.ProductVersion0
HAVING (dbo.v_GS_INSTALLED_SOFTWARE.ProductName0 LIKE N'%Microsoft Office Professional%')
ORDER BY [User Name]

SCCM Package for Tableau & Tableau Reader

Installation command line:

TableauReader-64bit-10-3-1.exe /quiet /norestart AUTOUPDATE=0 ACCEPTEULA=1


Detection method:

File exist and version equal:

C:\Program Files\Tableau\Tableau Reader 10.3\bin