NoMAD Credential Methodology

I finished listening to the MacAdmins podcast: Episode 78: Nolo Contendere, with Josh Wisenbaker.

Guest Josh Wisenbaker from Orchard & Grove (makers of NoMAD and NoMAD Login) discussed engineering at the Login Window level and modern security.

I've written about NoMAD before. To learn about the products available from Orchard & Grove click the pictures below.

I want to camp out a bit regarding their product NoMAD Login+ that comes with NoMAD Pro. On the podcast, Josh Wisenbaker said they will be changing the naming of their products so NoMAD Login+ may have changed by the time you read this.

For visual learners such as myself check out "NoMAD Login+ managed via your Okta dashboard" video.

If you are not familiar with Okta then read "Okta Today and Tomorrow: Going Beyond Internal Access Management".

For an explanation regarding development read "Authentication API".

NoMAD Pro allows users to log in at the Login Window using Okta credentials. If the user does not yet have a local account on the Mac, NoMAD Pro creates a local account whose username matches the Okta credentials. NoMAD Pro then keeps the credentials synchronized.

From NoMAD Pro’s description: "NoMAD Pro can ensure that your user’s Okta passwords are synchronized down to their local accounts on the Mac. With plugins for Safari, Chrome, and Firefox you are able to catch every time a user signs into Okta and make sure the accounts are synchronized".

If your Mac computers are enrolled in the Device Enrollment Program (DEP), then the following workflow occurs:

  • A user unboxes their new Mac and connects to their network, allowing enrollment into DEP and MDM.
  • The first item seen is the NoMAD Login+ window. If the user hasn’t set up their Okta account and activated Multi-Factor Authentication, they can set up these items at the Login Window on their Mac.
  • They then close the window and log in to the Mac account they have just set up.

NoMAD Pro keeps their credentials in sync.

This allows the inclusion of YubiKey or other third-party Identity Management solutions. Very cool!


If you are unfamiliar with YubiKey by Yubico then check out this resource.

The episode also included an in-depth discussion of handling authentication and proving one’s identity on the internet without the help of passwords.

WebAuthn and UAF

Diana Birsan refers to the talk given at OURSA

The movement away from depending on Active Directory for authentication and authorization is exciting indeed. However, I've spoken with too many administrators who will continue to refuse any methodology other than AD. I wouldn't get excited too soon.

Packaging Part 1: What is Packaging?

Packaging is a big deal. It is the basis of software deployment in macOS. There are times when going back to the basics is important for understanding the workflow you employ. The basics remind you of the importance of doing things properly going forward.

Let me share with you some basics of packaging.

There are two types of packages used in macOS.

1. Bundle - has become increasingly rare in deployment. I encounter it mostly with Adobe's Creative Cloud.
2. Flat - introduced with Mac OS X 10.5. Instead of being a directory like a bundle, flat packages are compressed into a single file.

For the example I downloaded the latest Adobe Reader.

Download the .dmg from Adobe's site. Double click the .dmg file. The package I am working with is inside. Take the package out of the .dmg container.

An example of a bundle package is shown by right-clicking the package.

A flat package is illustrated by right-clicking the package.

Notice there is no option to open "Package contents".

Pkgutil is built into macOS and is accessed from the command line. It queries and manipulates macOS Installer packages and receipts.

For further investigation I created a tmp folder on my Desktop. I could also use /tmp/ so that the OS will automatically clean up the files.

Now it's time to convert a flat package into a bundle package. It's time to expand.

pkgutil --expand 

Ex. pkgutil --expand /Users/daniel/Desktop/AcroRdrDC_1502020039_MUI.pkg /tmp/AcroRdrDC_1502020039_MUI.pkg

By right clicking the .pkg, I now receive the option to "Show Package Contents"

The directory of the package:

We can glean some important information by examining the Distribution file.

cat /Users/daniel/Desktop/tmp/AcroRdrDC_1502020039_MUI.pkg/Distribution

I will only list a few items for space purposes that are contained in Distribution.

<title>Adobe Acrobat Reader DC (Continuous)</title>

    <pkg-ref id="com.adobe.RdrServicesUpdater" installKBytes="18294">
        <bundle-version>
            <bundle CFBundleVersion="15.020.20039" id="com.adobe.AdobeRNAWebInstaller" path="RdrServicesUpdater.app"/>
        </bundle-version>
    </pkg-ref>

The package reference id and size:
    <pkg-ref id="com.adobe.armdc.app.pkg.MUI" installKBytes="1160" packageIdentifier="com.adobe.armdc.app.pkg">

We get a peek into what the package scripts will be doing:

</choices-outline>
    <installation-check script="InstallationCheck()">
        <ram min-gb="1"/>
    </installation-check>
    <volume-check script="VolumeCheck()">
        <allowed-os-versions>
            <os-version min="10.9"/>
        </allowed-os-versions>
    </volume-check>
    <script><![CDATA[
        var gOSMinimumVersion = '10.9';

A minimum of macOS 10.9 is required with a minimum of 1 GB of RAM.

It's time to look deeper into the package archives. A sub-package in our pkg can be opened. Right click the "application.pkg" and select "Show Package Contents".

It's time to examine the bill-of-materials (.bom) file.

Be aware that the .bom file cannot be opened in a text editor or with cat on the CLI. Apple provides a tool for this in the form of lsbom.

lsbom - The lsbom command interprets the contents of binary bom (bom(5)) files. For each file in a bom, lsbom prints the file path and/or requested information.

The archive contains information about the location, kind, owner, group, and mode of each file and directory.

lsbom /Users/daniel/Desktop/tmp/AcroRdrDC_1502020039_MUI.pkg/application.pkg/Bom

In the mode column, the leading 4 means the entry is a directory and 775 is the permission: read/write/execute for the owner, read/execute for group and other.
The 0/0 next to it means the entry will be installed as uid 0 (root) with gid 0 (the wheel group).
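To make the mode and owner columns concrete, here is an added example (not code from the original post) that decodes lsbom's octal mode and uid/gid columns and flags entries a deployer would want to review before installing, namely setuid/setgid files and world-writable paths. The `sample_bom` lines are constructed in lsbom's tab-separated format and are not from the Adobe package; `audit_pkg_bom` only works on macOS where lsbom exists.

```sh
#!/bin/sh
# Added example (not code from the original post): decode the mode and
# owner columns that lsbom prints and flag entries worth a second look
# before a package is deployed. lsbom prints the mode in octal: the
# leading digit(s) give the file type (4 directory, 10 regular file,
# 12 symlink) and the last four digits the permission bits.

# bom_mode_decode 40775  ->  "directory 775"
bom_mode_decode() {
    mode=$1
    perms=${mode#"${mode%????}"}      # last four octal digits, e.g. 0775
    kind=${mode%????}                 # what is left in front: 4, 10 or 12
    case $kind in
        4)  kind=directory ;;
        10) kind=file ;;
        12) kind=symlink ;;
        *)  kind=unknown ;;
    esac
    perms=${perms#0}                  # show 775 rather than 0775; 4755 stays
    printf '%s %s\n' "$kind" "$perms"
}

# bom_owner_decode 0/0  ->  "root/wheel" (uid 0 is root, gid 0 is wheel)
bom_owner_decode() {
    uid=${1%/*}
    gid=${1#*/}
    [ "$uid" = 0 ] && uid=root
    [ "$gid" = 0 ] && gid=wheel
    printf '%s/%s\n' "$uid" "$gid"
}

# Read lsbom output (path, mode, uid/gid, ...) on stdin and print one
# line per entry that is setuid/setgid or world-writable.
bom_audit() {
    tab=$(printf '\t')
    while IFS="$tab" read -r path mode owner rest; do
        set -- $(bom_mode_decode "$mode")
        kind=$1
        perms=$2
        [ "$kind" = symlink ] && continue   # symlink modes are always 777
        special=${perms%???}                # digit in front of the rwx triplets
        other=${perms#"${perms%?}"}         # permission digit for "other"
        reason=
        case $special in 4*|2*|6*) reason=setuid/setgid ;; esac
        case $other in 2|3|6|7) reason="${reason:+$reason,}world-writable" ;; esac
        [ -n "$reason" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$path" "$mode" "$(bom_owner_decode "$owner")" "$reason"
    done
}

# Constructed sample in lsbom's format (tab separated; files carry size
# and checksum columns after the owner). Not taken from the Adobe package.
sample_bom() {
    printf '%s\t%s\t%s\n' \
        . 40775 0/0 \
        ./Applications/Example.app 40775 0/0 \
        ./Library/Example/cache 40777 0/0 \
        ./Library/Example/link 120777 0/0
    printf '%s\t%s\t%s\t%s\t%s\n' \
        ./Applications/Example.app/Contents/MacOS/Example 100755 0/0 12345 1122334455 \
        ./Library/Example/helper 104755 0/0 2048 99887766
}

# Audit a real expanded package on macOS (lsbom is not available elsewhere).
audit_pkg_bom() {
    lsbom "$1" | bom_audit
}

# Running the audit over the constructed sample flags the setuid helper
# and the world-writable cache directory, and nothing else.
sample_bom | bom_audit
```

On a real package the call is `audit_pkg_bom /path/to/expanded.pkg/application.pkg/Bom`; anything it prints deserves a look at the package's postinstall scripts before the package goes into a deployment workflow.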

There is much more information to retrieve but let's keep to a high-level overview. It's time to get more information regarding what is in the package payload. It's time for pkgutil. Remember, pkgutil expands a flat package.

pkgutil --payload

pkgutil --payload /Users/daniel/Desktop/AcroRdrDC_1502020039_MUI.pkg

Want to repackage the pkg file from a bundled package to a flat pkg?

pkgutil --flatten

I'm going to change the package name to include "AdobeReader". 

pkgutil --flatten /Users/daniel/Desktop/tmp/AcroRdrDC_1502020039_MUI.pkg ~/Desktop/adobereader_1502020039_MUI.pkg

I now have a flattened package with my custom name added to the filename.

Be aware that if you alter the package contents, including the name, then you lose the signed package content.

On that note:

To check the package signature:

pkgutil --check-signature

pkgutil --check-signature /Users/daniel/Desktop/adobereader_1502020039_MUI.pkg
Package "adobereader_1502020039_MUI.pkg":
   Status: no signature

Compared to my original Adobe Reader package that I downloaded and extracted the pkg from the .dmg which does have a signature.

pkgutil --check-signature /Users/daniel/Desktop/AcroRdrDC_1502020039_MUI.pkg
Package "AcroRdrDC_1502020039_MUI.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Adobe Systems, Inc.
       SHA1 fingerprint: 9D 75 C9 20 01 4A 65 04 94 A7 63 95 E3 91 93 47 04 E8 57 DF
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

This demonstrates that the original package that was downloaded has not been tampered with.
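A deployment script should not stop at eyeballing that output. The following added example (not code from the original post) turns `pkgutil --check-signature` output into a pass/fail gate: a package is accepted only when its status is trusted, the Developer ID Installer name is the one you expect and, optionally, the leaf certificate's SHA1 fingerprint matches a pinned value. The two sample outputs are the ones shown above in this post; `check_real_pkg` only works on macOS where pkgutil exists, and the function names are my own.

```sh
#!/bin/sh
# Added example (not code from the original post): turn the text that
# pkgutil --check-signature prints into a pass/fail gate, so a deployment
# script only accepts a package that is signed by a trusted chain AND by
# the Developer ID you expect. Pinning the leaf fingerprint is stricter
# than matching the name and also rejects a re-flattened, now unsigned copy.

# Classify check-signature output read from stdin: trusted, untrusted, unsigned.
pkg_signature_status() {
    out=$(cat)
    case $out in
        *"Status: no signature"*)                       echo unsigned ;;
        *"Status: signed by a certificate trusted by"*) echo trusted ;;
        *"Status: signed"*)                             echo untrusted ;;
        *)                                              echo unknown ;;
    esac
}

# Print the Developer ID Installer name from the certificate chain (first match).
pkg_signer() {
    sed -n 's/^ *[0-9][0-9]*\. Developer ID Installer: //p' | head -n 1
}

# Print the SHA1 fingerprint of the first (leaf) certificate in the chain.
pkg_leaf_fingerprint() {
    sed -n 's/^ *SHA1 fingerprint: //p' | head -n 1
}

# pkg_allowed EXPECTED_SIGNER [EXPECTED_LEAF_FINGERPRINT] < check-signature-output
# Exit 0 only when the status is trusted and the signer (and, if given,
# the leaf fingerprint) match what the deployment expects.
pkg_allowed() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | pkg_signature_status)
    signer=$(printf '%s\n' "$out" | pkg_signer)
    [ "$status" = trusted ] || return 1
    [ "$signer" = "$1" ] || return 1
    if [ -n "$2" ]; then
        fp=$(printf '%s\n' "$out" | pkg_leaf_fingerprint)
        [ "$fp" = "$2" ] || return 1
    fi
    return 0
}

# On macOS, run the real check; elsewhere pkgutil does not exist.
check_real_pkg() {
    command -v pkgutil >/dev/null 2>&1 || { echo "pkgutil not available" >&2; return 2; }
    pkgutil --check-signature "$1" | pkg_allowed "$2" "$3"
}

# Sample outputs copied from the pkgutil runs shown in this post.
sample_signed() {
cat <<'EOF'
Package "AcroRdrDC_1502020039_MUI.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Adobe Systems, Inc.
       SHA1 fingerprint: 9D 75 C9 20 01 4A 65 04 94 A7 63 95 E3 91 93 47 04 E8 57 DF
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
EOF
}

sample_unsigned() {
cat <<'EOF'
Package "adobereader_1502020039_MUI.pkg":
   Status: no signature
EOF
}

# Leaf fingerprint from the signed output above, used as the pinned value.
ADOBE_FP='9D 75 C9 20 01 4A 65 04 94 A7 63 95 E3 91 93 47 04 E8 57 DF'

if sample_signed | pkg_allowed 'Adobe Systems, Inc.' "$ADOBE_FP"; then
    echo "original download: accepted"
fi
if ! sample_unsigned | pkg_allowed 'Adobe Systems, Inc.'; then
    echo "re-flattened copy: rejected (no signature)"
fi
```

In a real workflow the call is `check_real_pkg ~/Desktop/AcroRdrDC_1502020039_MUI.pkg 'Adobe Systems, Inc.' "$ADOBE_FP"`, run before the package is handed to a deployment tool; the renamed, re-flattened copy from earlier in this post fails the gate because expanding and flattening dropped the signature.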

More uses for pkgutil?

Want to list out the packages currently installed?

pkgutil --packages

com.apple.pkg.BaseSystemResources
com.apple.pkg.ChineseWordlistUpdate.14U1262
com.apple.pkg.ChineseWordlistUpdate.14U1284
com.apple.pkg.ChineseWordlistUpdate.14U1288
com.apple.pkg.CoreADI
com.apple.pkg.CoreFP
com.apple.pkg.CustomVoice_en_US_nicky
com.apple.pkg.Essentials
com.apple.pkg.GatekeeperConfigData.14U2281
com.apple.pkg.GatekeeperDiskImageConfigData.14U2223
com.apple.pkg.IncompatibleKextConfigData.14U2228
com.apple.pkg.IncompatibleKextConfigData.14U2276
com.apple.pkg.IncompatibleKextConfigData.14U2286
com.apple.pkg.iTunesAccess
com.apple.pkg.iTunesX
com.apple.pkg.iTunesXPatch
com.apple.pkg.MobileDevice
com.apple.pkg.MRT.14U2233
com.apple.pkg.MRT.14U2271
com.apple.pkg.OSX1012IncompatibleAppList
com.apple.pkg.update.os.10.12.1Patch.16B2555
com.apple.pkg.XProtectPlistConfigData.14U4049
com.apple.pkg.XProtectPlistConfigData.14U4050
com.apple.pkg.XProtectPlistConfigData.14U4051
com.apple.pkg.XProtectPlistConfigData.14U4052
com.apple.update.firmwareupdate
com.apple.update.fullbundleupdate.16B2555
com.adobe.pkg.FlashPlayer
com.agilebits.onepassword-osx
com.apple.pkg.GarageBand_AppStore
com.apple.pkg.iMovie_AppStore
com.apple.pkg.InstallMacOSX
com.apple.pkg.Keynote7
com.apple.pkg.Numbers4
com.apple.pkg.Pages6
com.apple.pkg.RemoteDesktop
com.apple.pkg.ServerApp
com.evernote.Evernote
com.git.pkg
com.Google.GoogleEarthPlus
com.google.pkg.Keystone
com.mactrackerapp.Mactracker
com.microsoft.package.Microsoft_Excel.app
com.microsoft.package.Microsoft_Outlook.app
com.microsoft.package.Microsoft_PowerPoint.app
com.microsoft.package.Microsoft_Word.app
com.microsoft.rdc.mac
com.shedworx.smartconverter
com.tinyspeck.slackmacgap
org.virtualbox.pkg.vboxkexts
org.virtualbox.pkg.virtualbox
org.virtualbox.pkg.virtualboxcli

Yep. It lists some interesting packages that catch the eye.

CustomVoice_en_US_nicky - Did I download a voice to read the news for me? Honestly, I don't remember.

  • com.apple.pkg.GatekeeperConfigData.14U2281
  • com.apple.pkg.XProtectPlistConfigData.14U4049

Gatekeeper and XProtect are macOS's built-in tools to quarantine content such as malware that may be harmful to your Mac.

This is the first post of several that I plan on writing to help you understand packaging. "Watch for Part 2: Packing and Autopkg".

Learning about OpenStack - LFS152x

Keeping up with the pace of technology can be brutal. If you are not able to re-invent your skill-set then staying in a competitive salaried job becomes more difficult. I remember when job descriptions came with the statement "Must be familiar with Microsoft Office". No longer. The statement has become an expectation for a job.

The Linux Foundation is a non-profit organization that promotes...you guessed it; Linux. Part of the Linux Foundation's mission statement is "The Linux Foundation has taken its experience and expertise supporting the Linux community to help establish, build, and sustain some of the most critical open source technologies".

edX is an online learning platform with course material on numerous topics. The Linux Foundation has worked with edX to offer LFS152x, Introduction to OpenStack. The course has you set up your own lab environment and deploy OpenStack on Ubuntu and CentOS with DevStack and Packstack. Find out more about OpenStack.

To take advantage of this free online course you will need to create an account with edX if you have not done so. Once you log in, type "OpenStack" into the search bar.

OpenStack course offered by EdX and The Linux Foundation

You will be prompted with the option to "Upgrade to Verified". This allows you to receive official certification for $99. Essentially, you take an exam at the end of the course. I intend to pay for this because official Linux certifications are not common.

I am looking forward to the course so I can continue to broaden my technical knowledge into this brave new world.