Useful Articles

Image

Using Prey with SimpleMDM to Recover a Stolen Laptop

Monday morning, I got the call that no one wants to get: “The lock was jimmied. They got some of our computers.”

Immediately, we sprang into action. We’re big fans of SimpleMDM and Watchman Monitoring, and both of those tools came in handy. The first thing we did was check the logs from Watchman Monitoring’s client agent on the machine to see if it had checked in over the weekend.

One of the machines had checked in on Sunday! We set both to alert us if they checked in again, and logged into SimpleMDM to see if the device was checking in there, as well. We could see the one device, which gave us a couple different options: We could lock or wipe the machine and hope that it wouldn’t just end up in a landfill, or we could try to get the machine back by giving some data to the police.

I know from experience that just giving them an IP Address isn’t likely to get a good result, so we started to think what else we could we do to get the machine back? What if we could give them a location, and more information?

Screen Shot 2018 10 17 at 12 28 27 PM

Enter the Prey Project. The Prey tool works as a behind-the-scenes agent on your behalf. When it’s in regular mode, it’s not doing much. But, when you turn on Missing Mode, things get a lot more interesting. Your Mac will now check-in with nearby Wi-Fi networks, perform a full location scan and give the police something to work with. It will also take pictures with the FaceTime Camera on the Computer, and capture screenshots, giving you more material to work with:

Prey Screenshot with Wireless Networks NearbyPrey Screenshot with Map Detail

This post isn’t here to get you to buy Prey, but it’s to tell you how we got Prey installed when we didn’t have the machine in our full control.

By default, Prey requires an API key to register new machines, and their method is just “Hey! Install that at the Command Line by SSH’ing into the machine!” Which, okay, fine, that might work if you can get that far, but how’s about we do something a little bit different?

What we opted to do was to repackage the Prey installer, so that the package installer they built is stored in a common directory, (in our case, /Users/Shared) and then a postinstall script tied to the package handles the install with our API Key:

#!/bin/bash

API_KEY=0xdeadbeef /usr/sbin/installer -pkg /Users/Shared/prey-mac-1.8.1-x64.pkg -target /

To build this package, we used Packages from WhiteBox. I created a new project, gave it a name (Black Widow), Included our Prey installer package to a known directory, and then add a Post Install script to invoke it using our API Key.

Screen Shot 2018 10 17 at 3 09 08 PM

Packages Post Install Script Screen

This gave me a functioning package that installed Prey and keyed it to our instance, which was great! But, how do I get it onto the stolen machine?

Enter SimpleMDM. You can use SimpleMDM to install a package onto a device, but only if you have a properly signed distribution package. The Black Widow package I made in Packages was unsigned, so now I just had to properly sign it using the prodsign command:

 

Screen Shot 2018 10 17 at 3 10 12 PM

This gave us a properly signed package with a valid signature:

Screen Shot 2018 10 17 at 3 17 52 PM

After uploading the package to our SimpleMDM instance, we scoped it to the machine, and waited for its next check-in:

Screen Shot 2018 10 17 at 3 19 16 PM

From there, it was a waiting game until the person who had the laptop now was back in range of the internet. Sure enough, they came back online today:

Screen Shot 2018 10 17 at 3 20 58 PM

The machine’s location and positioning information, as well as some additional detail, gave the police something to use to be a little more active on the case. We’re now waiting to hear if they’ll be able to repatriate the laptop to its owner.

Image

Installing Ubuntu 17.10 on ESXi, from a Mac Client, to the ESXi Server

This is a guide as much for me, as much as it is for anyone else. I came to the conclusion I wanted a testbed for Reposado and Margarita, and as much as Clayton Burlison has the install of Reposado and Margarita on lock, I needed a refresher on how to create a new Ubuntu VM on my ESXi-capable Mac Mini.

First up, in VMware Fusion, connect to the server. File > Connect to Server… will give you access to the virtual machines stored on the server. You will then see a list of all the VMs currently on the server, active or not:

ESXi Host VM List

From here, you can click the + at top left to add a new VM:

ESXi Host New VM Screen

Since we are putting the VM directly on the server and not our local machine, select “Create a virtual machine on a remote server.”

ESXi Host Server Picker

Next up, you will be asked to select the server. Choose your local ESXi host.

ESXI Host Choose Host and Datastore

From here, you get to select which Datastore you want to store the new virtual machine on. If you had multiple volumes, you could select it here, whereas I just have my internal storage volume.

ESXi Host Choose HW Vers

VMware will then ask you to select a Hardware Version. There might be reasons to choose earlier versions, depending on what your local situation is like, but I’m up to date, so I’m choosing version 11.

ESXI Host Pick Network

Next, you get to choose which Network you’ll put it on. If you had multiples, you’d want to select the correct VLAN. I just have one, so I’m keeping it right where it is. You can also have VMs that have no network interface, and that’s an option here, too.

ESXI Host Pick OS

Since I’m running Ubuntu Server, 64-bit, for the final project, I’m selecting this version also for my sandbox VM.

ESXI Host Pick Firmware

If you wanted to opt to use UEFI or Secure Boot, here would be your opportunity! Ubuntu doesn’t need that, so I’m just clicking through.

ESXI Host Pick Disk Size

Last but not least, it’s time to pick your disk size. Since I’m using Reposado and Margarita, it’s a 200GB minimum to enter this party.

Now that we have our virtual machine, we need to get our copy of Ubuntu 17.10 Server. I grabbed mine from the Release Notes Page, which includes links to the Ubuntu download system. As long as you have an ISO, you should be fine to get started. Before you turn the VM on, you need to attach that ISO to the VM’s CD-ROM Drive. In the Virtual Machine’s Settings, you can select CD-ROM, and then specify the locally-stored ISO file to use as a connected volume.
VMware Settings CD ROM

Once you have selected the Ubuntu ISO file to attach as a CD, you are free to boot your virtual machine, and you’ll be presented with the next few screens as part of the process.

Ubuntu 1 Language Select

Select your preferred language for the Installer to use.

Ubuntu 2 Install Starter

Select the option to Install Ubuntu Server

Ubuntu 3 Language Select

Select your preferred language for the __operating system__ to use

Ubuntu 4 Region Select

Select the preferred region for the __operating system__ to use.

Ubuntu 5 Keyboard Config

Pick the keyboard you’re using

Ubuntu 6 User Creation

Ubuntu 7 Set Password

Set up your admin username and password. Don’t forget these. Store them in a 1Password item if you can.

Ubuntu 9 Set Timezone

Set your timezone

Ubuntu 10 Set Storage
Ubuntu 11 Volume Config

Also set up how you want the volume to be formatted. Defaults are fine, but you might choose to use Logical Volume Manager to handle your storage.

Ubuntu 12 Actually Doing Stuff

Now, it will install the OS and you’ll get an occasional screen to set up an HTTP proxy, allow security updates automatically, etc.

Ubuntu 13 Proxy

Then you can choose to install just the server, or a bunch of extra tools. Since I’m using Clayton’s guide for installing Reposado and Margarita, and it has the needed download commands, I’m just going to take the OS as it’s given to me.
Ubuntu 14 Select Additionals

More installing will occur here. Get a glass of water, you’re probably not hydrated enough today.

Ubuntu 15 More Installing

After this, you’ll be prompted to setup the GRUB Bootloader. Since this is the only Linux install on the virtual disk (It is, right? It would be really weird if it weren’t.) you can accept this configuration.

Ubuntu 17 Grub

And after that all completes, it’s time to get rolling through to your VM!

Ubuntu 18 Time to Restart

You can eject the CD-ROM on the next startup cycle.

Ubuntu 19 Logged In

Once we’ve got the box up, we want to install sshd to allow for remote access, because while it’s nice to have direct command line via the VM, ssh is so much more convenient!

We’re going to need to do a couple commands here to get it:

sudo apt-get update
sudo apt-get install openssh-server

This will install the standard openssh server and prepare it for use, allowing you to login remotely. There’s a million fiddly bits associated with opens, and you may want to customize it so that two-factor works, or machine tokens like YubiKey tokens act as your key. That’s an exercise best left for the reader. For now, I’m not publicly exposing that interface as part of this process.

Now that you have an Ubuntu 17.10 server ready to go, you can follow all the instructons of Clayton’s guide for Ubuntu 14.04 for installing Reposado and Margarita (it all still works as of 17.10!)

The Mac Pro That Just Would Not Shut Down

This post is part travelogue, part breadcrumbs, part manual on how to troubleshoot a problem. It is posted here as a signpost to others, to discuss how I approached a particular problem with a 2013 Mac Pro cylinder that refused to power down.

The problem began innocuously enough. Sometime after 10.13.3, my Dad’s 2013 Mac Pro, which powers his digital photography workflows, refused to shutdown. The behavior was odd enough, if you chose Shutdown from the Apple Menu – or, as we began the process, Restart – it would close out from all open applications, log out the active user session, and then sit at a black screen, doing close to nothing. External storage volumes would occasionally report disk activity with blinking indicator lights, but the system would never shutdown, never return to a login screen, and when a key on the keyboard was depressed, make a simple “bonk” noise that indicates that input is currently unwelcome. The mouse cursor would still move, but a click would be fruitless.

The system was effectively hung after logout, but before the shutdown task was complete.

The Players

It’s important to know the actors in any play, so let’s discuss setup.

My Dad in his retirement enjoys photography, and he takes a lot of pictures. He’s also quite skilled at digital editing, and keeps Adobe Creative Suite handy to do this work. Photoshop, Bridge, Lightroom, these are his stock and trade. He has several nice cameras that take ridiculously large images, so he has amassed a collection of external storage, including a Promise RAID, a couple OWC ThunderBay arrays, and some various and sundry external storage volumes that are helpful in keeping good backups.

I have learned my backup paranoia sensitivity by watching him take the same diligence he once used to operate a submarine’s nuclear reactor to keep his backups in line. He maintains a bootable clone and multiple Time Machine backups, which came in very handy as we began to troubleshoot the problem.

So, we had:

  • A 2013 Mac Pro, well equipped with D500 Graphics cards and 64GB of RAM
  • 2 x NEC ColorSync displays, connected via Mini DisplayPort and USB for calibration purposes
  • 2 x OWC Thunderbay arrays for storage, running with SoftRAID involved for redundancy and/or speed
  • 1 x Promise Pegasus R6 array
  • 1 x OWC Thunderbolt 2 Dock for additional USB storage
  • 2 x secondary USB 3 hubs for connecting peripherals, including some film scanners and some printing tools

There’s a lot of hardware here.

Where Do We Start?

Well, there’s the obvious steps, the ones that would surely be on everyone’s list. Suffice to say, they’re easy, so we tried them first:

1. PRAM Zap
2. SMC Reset

They were entirely fruitless. The machine was heard audibly guffawing as we tried it. Still, I know Apple’s going to want us to do it before we beg for warranty support, so, we did them.

Next were removing hardware factors:

3. Disconnect Everything But The Displays, Keyboard and Mouse

I was honestly hopeful this was going to be it, because it was going to lead to some sort of weird hardware combo that lead to a race condition at shutdown time or something.

4. Update All The Things

SoftRAID was a point release or two out of date, so we updated the kernel extension and driver, and tried again.

This was also not it.

5. Reinstall the Operating System

This used to be an awful experience. Thankfully, it’s not anymore. Boot from Recovery, run the installer again, restart, cross fingers, sacrifice goat, dance naked under the light of the full moon.

Failure. Again.

6. Safe Boot

This was where things took an interesting turn. And actually, we did this part for the first time after step 3, but we started to look at the serious methods below to look for a permanent solution.

After a Safe Boot, we were able to shut down the machine.

Safe Boot as Apple helpfully explains will:

  • Only load the required System kexts
  • Prevents LaunchDaemons and LaunchAgents from loading
  • Disables user-installed Fonts
  • Deletes Caches for the Kernel and the System, and resets the Font caches

That isolated our problem to one of those four areas. As the /Library/Extensions folder is protected by System Integrity Protection, starting there seemed foolhardy. We opted for the LaunchDaemons and LaunchAgents.

At first, I started by disabling a few that we might be able to live without entirely, leaving some key LDs and LAs in place to promote the usability of the environment in the event that would solve the problem. That was not helpful. I eventually did what many old-school Mac Admins will remember doing: disabling them all, in the hopes that a clean boot would identify the culprit. Then, at least, you can use split-half testing to identify which of these objects were causing the problem.

But this wasn’t successful either.

The Fonts definitely weren’t the problem, so we left that part alone.

This was the point at which we began to consider Serious Measures™ to fix the issue.

But First: Why This Method?

Troubleshooting a problem of this difficulty is an effort to balance severity of the solution’s effects on the user’s working environment and the ability to seek out a non-destructive solution. It would be cavalier to just wipe the internal drive and re-stage the machine without knowing what wouldn’t fix it, and it could be destructive to the workflow of the user, so we left that for last. What we opted to try were the solutions I’d call the “quick” fixes:

  • Zap the PRAM
  • Reset the SMC
  • Safe Boot to clear the System and Kernel Caches

These steps can solve tricky problems and they do it in just a few minutes, getting the user back on their feet quickly. These are non-destructive solutions as they only dump resources that are quickly rebuilt by the system in a programmatic way.

What I really wanted in the midst of all this was an equivalent to the verbose boot for the shutdown process, but that process doesn’t exist, and searching through the Console and System log in the 10.12+ era is worse than looking for a needle in a haystack. So I started to look for key identifiers of a potential solution by eliminating variables.

Searching for a hardware problem can be a challenge, especially if you have bus conflicts, or related issues due to the large number of USB and Thunderbolt devices in play, so I removed those from the equation early to eliminate a key source of potential interference in the system’s good operation.

With those gone, reducing the number of root-level processes seemed to be the next key target, as user-level events were eliminated by the logout of the user. A quick attempt at culling ancient remains of programs long out of use, but whose LaunchAgents and LaunchDaemons remained behind, were part of what came next. I was sincerely hoping that there was some obscure abandoned LD or LA that was triggering our failed shutdown, but with that gone, we were left with just one solution.

As a last ditch effort, we booted from an external clone to test whether or not it might be the internal SSD that was causing the issue. The failure to shutdown was independent of the volume that it was booted from, and related purely to what was stored in the OS.

The Solution: Nuke. Pave. Migrate Back.

Yes, this is the sad end to this tale. We were left with a solution that was unappealing in its chance to damage the user’s workflow, but we were out of options. So, we opted for:

  1. Create a bootable clone of the boot volume
  2. Back the boot volume up to a Time Machine destination (or two. or three.)
  3. Boot from Recovery
  4. Wipe the boot volume
  5. Reinstall macOS High Sierra from Recovery
  6. Test the system’s functionality to look for a hardware error.
  7. Once testing is complete, use Migration Assistant to restore from the bootable clone.

This is what solved our issue.

I suspect we had a rogue or old kext that was protected by SIP, and had we disabled SIP and done split-half testing we might have found it sooner.

But, this is how I worked the problem, and I hope that if you’re reading this in front of your Mac Pro that won’t shut down, you might take some ideas from this post.

Some Thanks

Many thanks to John Lamb, Eric Holtam, Ron Sanders, Owen Pragel, and Graham Gilbert for advice and encouragement!

The 2017 Daily Carry

When a consultant friend (Hi M!) asked what I carried with me every day, it was the first time that I’d stopped to think of everything I’ve collected over the years to carry with me on a day-to-day basis. Based on their challenge, I’ve catalogued what’s in my daily carry bag, and I present it here for you. 

First up, the bag itself. I have a 2013 Timbuk2 custom messenger bag. Timbuk2 bags have two specific problems: One, they’re gorgeously designed and Two, they last forever. I’ve had a total of four since 1996, and I’ve never needed to buy a new one, I just always wanted to change up my style before the bag gave out. Better still, they have lifetime warranties, so if a part gives out, you can ship back your bag and they’ll shine it up good as new. They’re not inexpensive, but the features of the bag are substantial, and the design is wonderful. My messenger has a flap organizer in the front fascia, as well as multiple zip pockets for business cards, baseball cards, your passport, and other flat goods. The flap organizer is my catchall for small tools and keychains that I tote with me all the time.

From a hardware perspective, I carry the following:

  • Late 2016 MacBook Pro 15” with TouchBar, 1TB, 16GB
  • iPad Pro 12.9” with Apple Pencil
  • iPhone 7 Plus (Matte Black)
  • AirPods

The MacBook Pro and iPad ride back to back in the padded laptop sleeve in the center of the bag, and the iPad behind in the protected position. 

Inside my bag itself I have a couple of organizers that serve as containers for primary work tasks, and they keep the contents protected and clearly identified and organized in case I need them. The bigger of the organizers is a Skooba Cable Stable DLX, with multiple mesh pockets to allow easy visibility into the contents, and elastic tension loops to hold the contents in place.

Contents, Left Side:

  • Mini DisplayPort to DVI Adapter
  • Wired EarPods
  • USB-C to Lightning cable – 2-meter
  • USB-C to USB-C charging cable – 2-meter
  • 27W USB-C Charger
  • Diskwarrior USB Drive
  • OWC Envoy Pro Mini USB Drive
  • LED Flashlight

Contents, Right Side:

  • Lightning to 3.5mm adapter
  • Paracord USB-A to Lightning Cable
  • Thunderbolt 2 to Gigabit Ethernet Adapters (2)
  • USB-A to USB Micro Cable – 6-inch
  • Netool Smart Network Terminal
  • USB-C to Lightning Cable – 2-meter
  • Belkin USB-C to Gigabit Ethernet Adapter (2)
  • Thunderbolt 3 to Thunderbolt 2 Adapter

Contents, Center Spine Loops:

  • USB-C to USB-A Adapters (2)

I don’t have a lot of notes on this set, except to say that extras are always welcome, especially when you think about all the times your clients need something, and you just supply it out of clean blue air, and replace it later. 

In addition to my primary organizer, I also keep a smaller Cable Stable Mini outfitted with my SpecAn gear. This includes a full Metageek set, including a WiSpy DBx for peeking at the 2.4 and 5 Ghz spectrum in their entirety, as well as a Linksys AE2500 USB WiFi stick for use with Channelyzer in my Windows VM (Windows VMs on the Mac can’t talk too the AirPort interfaces, we just get a raw network socket, so this is our workaround) as well as the USB-A to USB Mini interface. In the pocket I keep the antenna and hook. Sometimes I throw the Oscium Lightning-based SpecAn in this as well, but most times it’s loose in the pocket.

And then there’s everything else! This list starts at the upper left corner and works clockwise:

  • Thunderbolt 2 cable, 2-meter
  • Carmex
  • Field Notes notebook
  • Velcro Straps
  • USB 3 SANdisk Extreme
  • Code 42 branded microfiber cloth
  • Cleaning wipes
  • POE Injector
  • OLALA 13000mAh battery
  • PSUMA-branded 4000mAh backup battery
  • sticky-backed velcro strips
  • RJ-11 and RJ-45 jack ends
  • Zipties
  • Sugru moldable plastic
  • Pentalobe and Tri-wing screwdrivers
  • Gotenna bluetooth radio for texting when there’s no cell service
  • USB-A Voltimeter/Ammeter

That’s a look inside my daily carry. It’s pretty amazing how much stuff I tote around on a daily basis. 

Tech Tips for a Hostile World

I’m not all the way through Kubler Ross just yet, but I’m starting to think about how to respond in a way that’s productive, engaged, and focused on reality.

I’m a tech person, so I’m gonna talk about tech things. There are people that are going to be able to talk to you about effective protest tips, effective lobbying, good organizations to send money to, and all those things. This isn’t about that.

One of the most important things in a hostile world is the ability to protect yourself, and your communications. I’m going to tackle this in a couple different pieces:

Encrypt Your Mac

In a world where the central authorities are scary, and where you might want to protect your data, it’s really important to have some level of data protection. I strongly recommend the Filevault 2 technology that’s built into macOS and Mac OS X 10.9 and later. If you have a laptop with fast storage (an SSD), you won’t notice a difference. If you have an older machine with a spinning drive, this will cause a 20% performance hit.

Your computer may have helped you turn this on already. Open System Preferences, go to Security & Privacy, and click on the FileVault tab.

You will see a message that is unequivocal about the status of your computer’s drive. If FileVault is off, turn it on.

When you turn on FileVault, as part of the encryption process, it will generate a key that can unlock your computer that is separate from your computer password. This is a failsafe key designed to get you back in if everything else has gone to hell. Your computer will offer to escrow the key with your iCloud account with security questions protecting it. You can provide security questions there, but know that any answers you give are case sensitive and will need to be provided to Apple exactly as they are written in order to recover that key.

I wouldn’t recommend this if you’re really concerned with security, though. I would strongly recommend you print a copy of that key and give it to someone you trust, or someone that is bound by contract to store it without turning it over, like your lawyer if you have one. You could probably talk to a trusted IT professional who would keep that key safe.

Use iOS’ Built-in Security

While the Black Jeopardy skit makes fun of using your fingerprint on your phone, saying “that’s how they get you,” the TouchID sensor on iOS devices – and coming soon to a laptop near you – is a remarkably secure technology. The TouchID sensor has a direct connection to the Secure Enclave co-processor on the device, which uses encryption techniques that even the FBI and NSA will have trouble working against. Your fingerprint is tied to your passcode, and without your passcode, on boot your phone will not accept your fingerprint as proof of identity.

That means if you’re in trouble, shut your phone off.

All of this advice applies only to personally owned phones. If you’re using a phone that work gave you, do not expect privacy on that device, and don’t sign into your secured services on a work-owned device. Work-related devices will often be enrolled in a Mobile Device Manager that your employer can use to clear your passcode and provide access to third parties. This is the end-around for the San Bernardino situation that saw Apple in court with the FBI. If the device isn’t 100% yours, it’s not something you should trust your privacy on.

Use Only End-to-End Encrypted Messaging

If you’re part of the overall iOS/macOS ecosystem now, iMessage is a technology that is encrypted from device to device, which means no one in the middle can decrypt those communications. When your device connects to the iMessage servers for the first time, it creates a set of encryption keys that are used in all future communications, and those keys are what keeps your communications secure. Every message is individually encrypted using those keys, and the public keys of the person you are talking with. No third party can read them. This is called end-to-end encrypted messaging.

Facebook’s WhatsApp also uses end-to-end encryption. Please be aware that Google’s Allo and Google Talk products do not use end-to-end encryption, nor does AOL’s Instant Messenger, nor is standard SMS encrypted. These are all technologies that can be warranted and searched, and shouldn’t be considered private communications.

Use a VPN

There are a lot of great options you have to protect your traffic from prying eyes at your internet service provider, or the ISPs of your favorite coffee shop or any other public place. I recommend Cloak which is $120/yr for unlimited data, and shunts your data traffic securely out to an Amazon instance. Their privacy policy isn’t perfect, but take solace in the fact that, at least for now, the FBI won’t be knocking on their door until well after the 16 day window for records expires.

There are other options for this, and I would encourage looking around. I’ll update this post with other suggestions.

Use a Password Manager

Lastpass, 1Password, the iCloud Keychain, these are all examples of password managers, designed to help you use unique and complex passwords to access your online accounts. It’s good practice to have a unique password for every service you use. Embrace this, and use a good password manager with a strong master password you can remember.

Use Two-Factor Authentication

Much as your ATM card is useless without the PIN you have memorized, if you’re using two-factor authentication (2FA), just having your password won’t be enough to get access. Your Google, Dropbox, Facebook, Twitter and other accounts can support 2FA, and if you want a step-by-side guide, there’s a good one at Turn on 2FA, and you can use that to help you. I’ve been using Authy on my iPhone, and it’s been pretty great so far.

Join Organizations That Will Fight For Your Privacy And Rights

We’re all just individuals, but when we band together, our powers for good can magnify. I strongly recommend picking some organizations to join and be part of to help fight the battle on your behalf. Here are some organizations I’ll be donating to:

You can pick your own, or join me with these three. Suggest more in the comments!

Never Surrender, Never Give Up

I’m pretty exhausted right now, and I’m not sleeping well, but I figured it might help to outline some things people can do to help improve their privacy in the face of a government that is increasingly hostile.

Deploying NoMAD with Configuration Profiles

It feels a little silly to be so excited about something so simple as NoMAD, but there’s nothing simple about NoMAD behind the scenes. It’s doing a lot of heavy lifting that you’d usually need binding to accomplish. Preventing the complication of binding simplifies your Mac environment. On the Macadmins.org Podcast recently, we spent an hour talking with Joel Rennich about just that.

We’ve now deployed NoMAD for a single site, using Munki to deploy the application bundle, but when it comes to deploying the preferences, I’ve decided to take some notes from the tea leaves being read and move my deployment strategy to take advantage of Mobile Configuration Profiles. Rusty Myers has a good meta-repository of Profiles if you’re not familiar with all the options available.

From our testing rig, where we finalized the settings for deployment, we built a good configuration. You can use the system defaults command to play out what NoMAD is setup to do. defaults read com.trusourcelabs.NoMAD will give you the entire contents of the prefs domain, but you don’t need everything from that file. This is what we took forward from that file:

nomad-mcx

Now, if you want the full payload of preferences, there is a published guide to all of the settings options.

defaults read displays the contents of the preferences file in the old MCX format, which is exactly what we need to generate a profile for upload to MDMs, or deployment directly via Munki. Tim Sutton has written an MCX-to-Profile python script that can take the contents of that file and turn it into a mobileconfig profile. Name the MCX file com.trusourcelabs.NoMAD so that the correct permissions domain is applied – or just change the name once the profile is built.

nomad-config

To get the profile out, we made it an update for the NoMAD installer itself, set as an unattended installation. When NoMAD is installed by Munki, it gets the profile as an upgrade in the background, installed and ready for first run. In this case, we’re using NoMAD even while bound, just to simplify the installation of an X509 identity for use with 802.1X and Cisco ISE for Wi-Fi purposes. There are a lot of good reasons to use NoMAD to simplify your world.