How to Uninstall NoMAD

Here is a simple script to uninstall NoMAD:

#!/bin/bash
# Rui Qiu
# Remove NoMAD and go back to a direct AD bind

loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
launchAgent="/Users/$loggedInUser/Library/LaunchAgents/com.trusourcelabs.NoMAD.plist"

# Stop NoMAD and its per-user LaunchAgent before removing files, otherwise launchd respawns it mid-uninstall
pkill -x "NoMAD"
if [ -f "$launchAgent" ]; then
  sudo launchctl bootout "gui/$(id -u "$loggedInUser")" "$launchAgent" 2>/dev/null
fi

sudo rm -rf /Applications/NoMAD.app
# The Managed Preferences copies are written from the configuration profile and come back as long as the profile is in scope, so also remove the NoMAD profile from the MDM
sudo rm -f "/Library/Managed Preferences/com.trusourcelabs.NoMAD.plist"
sudo rm -f "/Library/Managed Preferences/$loggedInUser/com.trusourcelabs.NoMAD.plist"
sudo rm -f "$launchAgent"

And you can use this to search for leftover files:

mdfind -name "NoMAD"


Force Install macOS Update

Here is a simple command to force install macOS updates in the background:

softwareupdate -i -a
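
softwareupdate -i -a installs everything it can, but the notification step only matters when one of the installed updates needs a restart. The following is an added example, not from the original post, that reads the softwareupdate -l listing once, installs, and reports whether a restart is pending so the Casper notification can be targeted. The two listings embedded in it are constructed to mirror the older "[restart]" and the newer "Action: restart" output styles of softwareupdate -l; that format is an assumption to verify against your own fleet.

```shell
#!/bin/sh
# Added example, not from the original post.  The two listings below are
# constructed to mirror "softwareupdate -l" output; the exact format is an
# assumption to verify against your own fleet.

# Older output style (what I would expect up to 10.14), constructed:
OLD_LIST='Software Update Tool

Software Update found the following new or updated software:
   * macOS High Sierra 10.13.6 Update-
        macOS High Sierra 10.13.6 Update ( ), 1931962K [recommended] [restart]
   * Safari12.0HighSierraAuto-12.0
        Safari (12.0), 67001K [recommended]'

# Newer output style (10.15 and later), constructed:
NEW_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Catalina 10.15.7 Update-10.15.7
        Title: macOS Catalina 10.15.7 Update, Version: 10.15.7, Size: 3059000K, Recommended: YES, Action: restart,
* Label: Safari14.0CatalinaAuto-14.0
        Title: Safari, Version: 14.0, Size: 67000K, Recommended: YES,'

# pending_labels < listing -> one update label per line, either style
pending_labels() {
  awk '/^[ \t]*\* / { sub(/^[ \t]*\* /, ""); sub(/^Label: /, ""); print }'
}

# restart_required < listing -> exit 0 when any listed update needs a restart
# ("[restart]" in the older style, "Action: restart" in the newer one)
restart_required() {
  grep -q -e '\[restart\]' -e 'Action: restart'
}

# install_all -> prints one of: none | installed | restart
# Reads the listing once, runs the page's "softwareupdate -i -a", and tells
# the caller whether the Casper "please reboot" notification is needed.
install_all() {
  listing=$(softwareupdate -l 2>&1)
  if ! printf '%s\n' "$listing" | pending_labels | grep -q .; then
    echo none; return 0
  fi
  softwareupdate -i -a
  if printf '%s\n' "$listing" | restart_required; then
    echo restart
  else
    echo installed
  fi
}

# Offline demonstration on the constructed listings:
printf '%s\n' "$OLD_LIST" | pending_labels
printf '%s\n' "$NEW_LIST" | restart_required && echo "new-style listing: restart required"
```

On a real Mac you would call install_all from the policy script and fire the reboot notification only when it prints restart; the listing is captured before the install because softwareupdate -l returns nothing once the updates are applied.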

After running softwareupdate -i -a, you can use Casper to notify the user to reboot 🙂

And here is a useful link on enabling updates on the Mac:


Extract a JSON value from a BASH script

A simple bash function for extracting a JSON value, from this GitHub gist:

https://gist.github.com/cjus/1047794

function jsonValue() {
KEY=$1
num=$2
awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'$KEY'\042/){print $(i+1)}}}' | tr -d '"' | sed -n ${num}p
}
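
The function above matches the key with an unanchored regex, so asking for name also matches username and the first value returned is the wrong one. Here is an added example, not from the page or the gist, that shows the problem on a constructed JSON document next to a variant that anchors the key to the whole field. Both still only handle a flat, single-line object whose values contain none of , : } (the same limit as the gist); for anything else use a real parser such as python3 -m json.tool or jq.

```shell
#!/bin/sh
# Added example, not from the page or the gist.  Sample JSON is constructed.
SAMPLE_JSON='{"username":"svc-bind","name":"Mac-001","host":"dc01.example.local","port":389}'

# jsonValueNaive KEY [N] < json: same matching as the gist ( /KEY"/ ), N-th hit.
# The regex is unanchored, so KEY=name also hits the field "username".
jsonValueNaive() {
  awk -F'[,:}]' -v key="$1" '{for(i=1;i<=NF;i++){if($i ~ (key "\"")) print $(i+1)}}' \
    | tr -d '"' | sed -n "${2:-1}p"
}

# jsonValueStrict KEY [N] < json: the key must be the whole field (quotes
# included, optionally preceded by the opening brace), so "username" no
# longer matches a request for "name".  KEY is still interpreted as a regex,
# so pass plain key names only.
jsonValueStrict() {
  awk -F'[,:}]' -v key="$1" '{for(i=1;i<=NF;i++){if($i ~ ("^[{ ]*\"" key "\"$")) print $(i+1)}}' \
    | tr -d '"' | sed -n "${2:-1}p"
}

# Demonstration: the naive version answers "svc-bind" for name, the strict one "Mac-001"
printf '%s\n' "$SAMPLE_JSON" | jsonValueNaive name
printf '%s\n' "$SAMPLE_JSON" | jsonValueStrict name
```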


Shell Script to Remove Centrify, Move Wifi/LAN, and Request 802.1 Certificate

Here is a long script that does a lot of things: it deletes the Centrify binding and the Centrify certificates and then itself, binds the machine to AD via the native plugin and requests an 802.1x certificate via native RPC.

#!/bin/sh

# This script deletes the Centrify binding, Centrify certificates and itself, binds the machine to AD via the native plugin and requests an 802.1x certificate via native RPC
# Rui Qiu
# Nov 17, 2017
# Last update: Dec 12, 2017

# exit code 0 - success (also returned when the Mac is not on our WIFI or the user is not an AD user, so the Jamf policy does not log a failure)
# 1 - no wifi
# 2 - no connection to DC
# 3 - migration failed, no connection to DC

CurrentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
ConnectedWIFI=$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/ SSID/ {print substr($0, index($0, $2))}')
# Every network service, quoted, minus the "An asterisk ..." header line and the leading * that marks a disabled service
Ori_Network_Choice=$(networksetup -listallnetworkservices | grep -v 'An asterisk ' | sed 's/^\*//' | sed 's/.*/"&"/' | tr '\n' ' ')
# Resolve the DC Centrify is using to an IP while adinfo still works (it is gone after the uninstall)
DCserver=$(ping -c1 -n "$(adinfo --server)" | head -n1 | sed 's/.*(\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)).*/\1/g')
# Site-specific check that the console user is an AD account (the number is an attribute value from our directory)
ADUser_Check=$(adquery user "$CurrentUser" | grep -c "113584762")
FilePath="XXX"

echo
echo "------------------------------------Project Zero------------------------------------"
echo "Current user is: $CurrentUser"
echo "AD User Check result is: $ADUser_Check"
echo "Current Wifi is: $ConnectedWIFI"
echo "DC server IP is: $DCserver"

# Remove any previous installation files
# NOTE: this deletes the same directory that steps 2, 8 and 9 rename their marker files in, so keep the marker files somewhere else or move this cleanup to the end
if [ -d "$FilePath" ]; then rm -Rf "$FilePath"; fi

# Check if a user is on our WIFI network
if [ "$ConnectedWIFI" = "XXX" ] && [ "$ADUser_Check" = "1" ]; then

  # Shut down Ethernet
  #ethernet=$(networksetup -listnetworkserviceorder | grep 'Hardware Port.*100\|Hardware Port.*LAN' | grep -o '....$' | cut -c 1-3)
  echo
  echo "~~~ Step 1 of 9 ~~~ You are on the correct WIFI, now move it to the first connection choice"
  echo "Original Network Sequence Order"
  echo "$Ori_Network_Choice"
  # Build "networksetup -ordernetworkservices Wi-Fi <every other service>" and hand it to a shell so the quoted names are parsed as single arguments
  echo networksetup -ordernetworkservices "Wi-Fi" "$(networksetup -listallnetworkservices | grep -v 'An asterisk ' | sed 's/^\*//' | grep -v Wi-Fi | sed 's/.*/"&"/' | tr '\n' ' ')" | bash
  echo
  echo "New Network Sequence Order"
  networksetup -listallnetworkservices
  sleep 5

  # Check if we can contact our Domain Controller
  echo
  echo "~~~ Step 2 of 9 ~~~ Ping our DC"
  ping -c1 -W1 -q "$DCserver" >/dev/null 2>&1
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "Cannot reach DC $DCserver, not on Zalando_Air"
    mv "$FilePath"/project_zero.txt "$FilePath"/X_wifiwrong.txt
    exit 2 # no connection to DC
  fi

  # Uninstall Centrify
  echo
  echo "~~~ Step 3 of 9 ~~~ Uninstall Centrify"
  /usr/local/share/centrifydc/bin/uninstall.sh -n -e

  # Delete Old Centrify Certificates
  echo
  echo "~~~ Step 4 of 9 ~~~ Removing old Certificates"
  a=$(hostname -s)
  b=".your.ad"
  security find-certificate -c "$a$b" -a -Z | \
  awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'

  # Bind to AD
  echo
  echo "~~~ Step 5 of 9 ~~~ Bind to AD"
  jamf policy -event bind -verbose

  # Migrate user account to AD
  #echo
  echo "~~~ Step 6 of 9 ~~~ Migrating account"
  echo " Skipping this part, no need "
  #dscl . delete /Users/$CurrentUser
  # chown -R $CurrentUser:Your_AD_ID /Users/$CurrentUser/
  # chown -R $CurrentUser /Users/$CurrentUser/

  # Install Configuration Profile
  echo
  echo "~~~ Step 7 of 9 ~~~ Installing profile"
  /usr/bin/profiles -I -F /X/X.mobileconfig

  # Revert Back to Original Network Sequence Order
  echo
  echo "~~~ Step 8 of 9 ~~~ Revert Back to Original Network Sequence Order, and Check Internet Access"
  # $Ori_Network_Choice is deliberately unquoted: it already holds the quoted service names for the shell on the other end of the pipe
  echo networksetup -ordernetworkservices $Ori_Network_Choice | bash
  echo "Now the network sequence order is "
  networksetup -listallnetworkservices

  echo "Check for Internal Access"
  sleep 5
  ping -c1 -W1 -q "$DCserver" >/dev/null 2>&1
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "Migration Failed, Cannot connect to DC"
    mv "$FilePath"/X.txt "$FilePath"/X_failed.txt
    exit 3 # migration failed
  fi

  # Remove temp file
  echo
  echo "~~~ Step 9 of 9 ~~~ Finished, record the result and remove the temp file"
  mv "$FilePath"/X.txt "$FilePath"/X_finished.txt
  rm "$FilePath"/X.mobileconfig
else
  # If not on our WIFI network, exit
  echo "Not on the right Wifi or not an AD user, exit"
  exit 0
fi
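
The two echo networksetup ... | bash lines in steps 1 and 8 rebuild the service order by printing quoted names and re-parsing them through a second shell. Here is an added example, not part of the original script, that derives the same Wi-Fi-first order from the networksetup -listallnetworkservices output format (header line dropped, the leading * of a disabled service stripped, as the script does) and passes the names to networksetup as real arguments. The service list it parses is constructed; the command is only echoed until DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example, not part of the original script.  The list is constructed
# to look like "networksetup -listallnetworkservices" output.
SAMPLE_SERVICES='An asterisk (*) denotes that a network service is disabled.
Thunderbolt Ethernet
Wi-Fi
*Bluetooth PAN
Thunderbolt Bridge'

# wifi_first_order < service list -> same services, one per line, Wi-Fi first,
# header dropped and the disabled marker stripped (as the script does)
wifi_first_order() {
  awk '
    /^An asterisk/ { next }
    NF == 0        { next }
    { sub(/^\*/, "")
      if ($0 == "Wi-Fi") wifi = 1; else others[++n] = $0 }
    END { if (wifi) print "Wi-Fi"; for (i = 1; i <= n; i++) print others[i] }'
}

# original_order < service list -> the order as listed, for the revert in step 8
original_order() {
  awk '/^An asterisk/ { next } NF == 0 { next } { sub(/^\*/, ""); print }'
}

# apply_order < one service per line: builds the argument list with "set --",
# so "Thunderbolt Ethernet" stays one argument without a round trip through
# echo | bash.  Dry run (DRY_RUN=1, the default) only prints the command.
apply_order() {
  set --
  while IFS= read -r svc; do
    [ -n "$svc" ] && set -- "$@" "$svc"
  done
  [ $# -gt 0 ] || { echo "no services read"; return 1; }
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'would run: networksetup -ordernetworkservices'; printf ' "%s"' "$@"; echo
  else
    networksetup -ordernetworkservices "$@"
  fi
}

# Usage on a real Mac:
#   networksetup -listallnetworkservices | original_order > /tmp/order.txt
#   networksetup -listallnetworkservices | wifi_first_order | DRY_RUN=0 apply_order
#   ... do the migration ...
#   DRY_RUN=0 apply_order < /tmp/order.txt
# Offline demonstration on the constructed list:
printf '%s\n' "$SAMPLE_SERVICES" | wifi_first_order | apply_order
```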


Casper Configuration Profiles Auto Renewal

If you deliver AD certificates through a configuration profile, here is the easiest way to make them renew automatically:

sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES

I have set up an extension attribute to find the Macs that need this remediation:

#!/bin/bash
# Extension attribute: report whether mdmclient certificate auto-renewal is on.
# The Jamf binary runs this as root, so no sudo is needed; "defaults read" exits
# non-zero when the key was never written, which we report as 0 (needs remediation).
status=$(/usr/bin/defaults read /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled 2>/dev/null)
echo "<result>${status:-0}</result>"

Any Mac whose result is not 1 gets remediated 🙂

Here is the link from Apple; it works for Sierra and up.

By default, renewal is attempted 14 days before the certificate expires.

Links to read:

https://support.apple.com/en-us/HT204836

https://support.apple.com/en-us/HT204446

To find expired certificates:

expired=$(security find-identity | grep EXPIRED | awk '{print $2}')

To delete a certificate:

security find-certificate -c "certificatename" -a -Z | \
sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
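
Both this one-liner and step 4 of the Centrify script above delete every certificate that find-certificate -c ... -a returns, and I would not rely on -c being an exact match on the name. Here is an added example, not from the page, that filters the same find-certificate -a -Z listing on the exact label before anything is deleted, and dry-runs by default. The listing embedded in it is constructed to mirror the layout of that command's output; the hashes and hostnames are made up.

```shell
#!/bin/sh
# Added example, not the page's script.  The listing below is constructed to
# mirror "security find-certificate -a -Z" output: a "SHA-1 hash:" line, then
# the keychain and the attribute block with the "labl" attribute.
SAMPLE_CERTS='SHA-1 hash: 3F2A9C1B5E7D8A6B4C0D1E2F3A4B5C6D7E8F9A0B
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="mac-001.your.ad"
    "labl"<blob>="mac-001.your.ad"
SHA-1 hash: 9B8A7C6D5E4F3A2B1C0D9E8F7A6B5C4D3E2F1A0B
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="mac-0010.your.ad"
    "labl"<blob>="mac-0010.your.ad"'

# hashes_for_label LABEL < listing -> SHA-1 of every cert whose label is
# exactly LABEL (mac-0010.your.ad is not returned when asking for mac-001.your.ad)
hashes_for_label() {
  awk -v want="$1" '
    /^SHA-1 hash:/ { hash = $3 }
    index($0, "\"labl\"<blob>=\"") {
      label = $0
      sub("^.*\"labl\"<blob>=\"", "", label)
      sub("\".*$", "", label)
      if (label == want && hash != "") { print hash; hash = "" }
    }'
}

# all_hashes < listing -> what the page one-liner would feed to delete-certificate
all_hashes() { awk '/^SHA-1 hash:/ { print $3 }'; }

# purge_host_certs LABEL: delete only exact matches; dry run unless DO_DELETE=1
purge_host_certs() {
  security find-certificate -c "$1" -a -Z | hashes_for_label "$1" | while IFS= read -r h; do
    if [ "${DO_DELETE:-0}" = 1 ]; then
      security delete-certificate -Z "$h"
    else
      echo "would delete $h ($1)"
    fi
  done
}

# Offline demonstration on the constructed listing: one hash, not two
printf '%s\n' "$SAMPLE_CERTS" | hashes_for_label mac-001.your.ad
```

On a Mac, run purge_host_certs "$(hostname -s).your.ad" first without DO_DELETE to see what would go, then with DO_DELETE=1 (under sudo for the System keychain, as in the page's one-liner).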


How to Troubleshoot 802.1x Mac Authentication Issues

It is quite complex to troubleshoot 802.1x authentication issues on a Mac. Here are a few places you can look for errors:

1. RADIUS Server Log

This is the most convenient and efficient way to troubleshoot 802.1x issues. Just send the MAC address to your network engineer and ask for the authentication log 🙂

If you use FQDN_computername as the identity, it will fail for sure.

The correct name is computername$

Or you can use host/FQDN_computername

2. EAPOLClient Log

If you cannot get hold of your network engineer easily, this is the log to troubleshoot with. Turn on verbose eapolclient logging, then export the last 30 minutes of Mac authentication log with these commands (delete the LogFlags key again when you are done; verbose EAPOL logging is noisy):

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1

log show --style syslog --predicate 'processImagePath contains "eapolclient" and subsystem contains "com.apple.eapol"' --last 30m > ~/Desktop/eapolclient.log

You will get this if someone removed the network configuration profile:

You will get this if your network identity preference is not correctly linked to your Mac's client certificate:

Your EAP Response Identity should be computername$ or host/FQDN_computername

3. Keychains

You should have these items inside your Keychain:

  1. Identity Preference for Wi-Fi under your "login" keychain
  2. Identity Preference for Ethernet under "System"
  3. 802.1x Password for Wi-Fi under "System"
  4. 802.1x Password for Ethernet under "System"
  5. Root CA certificate

4. Configuration Profile Installation Issues

If you see this message when trying to install the configuration profile:

The 'Active Directory Certificate' payload could not be installed. The certificate request failed.

Enable debug logging for the managed client and then check from there:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

Then check the log at /Library/Logs/ManagedClient/ManagedClient.log

If everything is fixed, you should be able to see this on your network connection:


802.1X Network Authentication for Mac

I cannot believe I spent so much time just to figure out how to do 802.1x network authentication for Macs 🙂

For managed Macs we have two ways of setting up 802.1x: one is using Apple Profile Manager to create a configuration profile, and the other is to use a Casper configuration profile. From what I read on the internet, the Casper profile seems to have some issues with the Ethernet profile, so I decided to use Apple Profile Manager from the Server app.

However, no matter what settings I made, it always turned out like this when I installed the profile on a test Mac:

So I had to choose the Casper configuration route. However, if you are using Apple Profile Manager, here are a few points that may help you:

  1.  On the Certificate Server, you have to type something like this: https://FQDN/certsrv
  2.  The username you use to authenticate with the RADIUS server can be %ComputerName%$

Here are a few articles talking about this method:

https://support.apple.com/en-us/HT204602

https://kevinbecker.squarespace.com/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

OK, now let's talk about 802.1x authentication using Casper's configuration profile. Here are the settings from my environment:

  1. Upload your root CA certificate on the Certificate tab.
  2. Set up your AD certificate payload to acquire the client certificate for your Mac:
    2.1 For Certificate Authority, just the common name of your server is fine:
    2.2 Be careful about "The name of the CA"; you can find your real CA name by following this URL:
    https://support.microsoft.com/en-us/help/555529?wa=wsignin1.0%3Fwa%3Dwsignin1.0
  3. On the Network tab, create two networks, one for Wi-Fi and the other for Ethernet.
    It needs to be "Computer Level" under the "General" tab.
    Choose the security type your environment uses; for me, it is TLS.
    On the Trust tab, choose the root CA and specify every RADIUS server you need to trust. If you list *.FQDN, it will NOT work; you have to specify the full FQDN of each RADIUS server.

    The username part is very important. If you use $COMPUTERNAME as Casper suggests, it comes out as name.domain.net, but for our RADIUS server to recognize the machine it needs to be name$, so we have to use %AD_ComputerID%.

    Then do the same for Ethernet. Some people prefer to create two separate configuration profiles, one for Wi-Fi and the other for Ethernet. I did that before and ended up with two identical client machine certificates, so I put both networks into one profile to avoid confusion.

  4. If you think you are done, that is far too easy 🙂
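
The identity rule above (the same one the troubleshooting notes state: computername$ or host/FQDN_computername) is easy to get wrong through a profile variable, and the only symptom is a RADIUS reject. Here is an added example, not from the original post, that derives the two acceptable identities from a hostname and rejects the bare name.domain.net form that $COMPUTERNAME produces, so it can be dropped into an extension attribute or a pre-flight check. The hostnames in it are made up; upper-casing the short name follows how AD stores a computer's sAMAccountName, and whether your RADIUS server cares about case is something to confirm locally.

```shell
#!/bin/sh
# Added example, not from the original post.  Hostnames are constructed.

# is_valid_eap_identity IDENTITY -> 0 if the RADIUS side will accept the form:
#   "NAME$"       the AD computer account (sAMAccountName), no dots or slashes
#   "host/fqdn"   the host SPN form
# A bare FQDN (what $COMPUTERNAME expands to in the profile) is rejected.
is_valid_eap_identity() {
  case "$1" in
    host/?*.?*) return 0 ;;
    *\$)
      short=${1%\$}
      case "$short" in
        ""|*.*|*/*|*" "*) return 1 ;;
        *) return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# expected_identities FQDN -> the two identities to compare against the
# "EAP Response Identity" in the eapolclient log, one per line
expected_identities() {
  fqdn=$1
  short=${fqdn%%.*}
  printf '%s$\n' "$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')"
  printf 'host/%s\n' "$fqdn"
}

# check_identity IDENTITY FQDN -> "ok: ..." (exit 0) or "bad: ..." (exit 1),
# comparing case-insensitively against expected_identities
check_identity() {
  id=$1; fqdn=$2
  if ! is_valid_eap_identity "$id"; then
    echo "bad: '$id' is neither NAME\$ nor host/FQDN (a bare FQDN is what \$COMPUTERNAME gives you)"
    return 1
  fi
  if expected_identities "$fqdn" | tr '[:lower:]' '[:upper:]' \
       | grep -qFx "$(printf '%s' "$id" | tr '[:lower:]' '[:upper:]')"; then
    echo "ok: '$id' matches the computer account for $fqdn"
    return 0
  fi
  echo "bad: '$id' is well-formed but belongs to a different computer than $fqdn"
  return 1
}

# Demonstration (constructed hostname): first line ok, second line bad
check_identity 'MAC-001$' mac-001.your.ad
check_identity mac-001.your.ad mac-001.your.ad || true
```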

If you install the configuration profile, you will see that Ethernet works well but Wi-Fi does not (in my case, Wi-Fi would not pick up my client machine certificate, so I had to link them together manually).

Here is my script to install the configuration profile manually and then link them together:

#!/bin/sh

a=$(hostname -s)
b=".your.domain.name"

/usr/bin/profiles -I -F /private/tmp/network.mobileconfig
# Link the machine certificate to the Wi-Fi network's EAP identity preference; the service name ends with the SSID, so quote it as one argument
security set-identity-preference -c "$a$b" -s "com.apple.network.eap.user.identity.wlan.ssid.your wifi name"

OK, now you should be all set with 802.1x network authentication for your Macs 🙂


How to Check Macs with Office 2011 & Office 2016 Installed in Casper

Here are the Casper Smart Groups for counting Office 2011 and Office 2016 users:


SCCM SQL Report for All Office Users

Here is the SCCM SQL report statement for finding all Office users. I used "Microsoft Office Professional" as the keyword; you can change it to any software title you want 🙂

SELECT DISTINCT
    RV.AD_Site_Name0 AS [AD Site],
    RV.Netbios_Name0 AS [PC Name],
    RV.Creation_Date0 AS [PC Joined Date],
    RV.User_Name0 AS [User Name],
    SW.ProductName0,
    SW.ProductVersion0,
    U.description0 AS [Employee Location],
    U.Mail0 AS Email,
    U.title0 AS Title,
    U.department0 AS Department,
    U.manager0 AS Manager
FROM dbo.v_R_System_Valid AS RV
    INNER JOIN dbo.v_R_User AS U ON RV.User_Name0 = U.User_Name0
    INNER JOIN dbo.v_GS_INSTALLED_SOFTWARE AS SW ON RV.ResourceID = SW.ResourceID
WHERE SW.ProductName0 LIKE N'%Microsoft Office Professional%'
ORDER BY [User Name];


SCCM Package for Tableau & Tableau Reader

Installation command line:

TableauReader-64bit-10-3-1.exe /quiet /norestart AUTOUPDATE=0 ACCEPTEULA=1

Detection method:

File system rule: file exists and version equals the packaged version. Point the rule at the Reader executable inside this folder rather than at the folder itself, because a version comparison only works on a file:

C:\Program Files\Tableau\Tableau Reader 10.3\bin