We use an IDM controller that forces Active Directory changes every 6 months. I have been testing NoMAD Login to see if it is a viable option on campus, but after changing my password through my IDM (and AD), I can no longer sign into my MacBook Pro using my newly updated AD credentials.
Have I missed something?
What you're experiencing is correct. NoMAD Login in its current design does not handle password changes. Think of NoMAD and NoMAD Login as companion products. Login creates local accounts with AD credentials; NoMAD then handles account updates, including password changes.
NoMAD Login is not aware your password changed off Mac, only NoMAD is. The next time a user logs into NoMAD it should notice a password mismatch and prompt to sync them. In my case I'm only using NoMAD Login as a provisioning tool in 1:1 single user deployments. Labs can be trickier, but still work depending on your needs.
@jbanks Take a look at the UPCAlert pref - https://nomad.menu/help/preferences-and-what-they-do/. The user will have to be logged into NoMAD to know if passwords are different. Password mismatch should be checked on a regular basis.
@benshawuk The entire point is the AD plugin in fact does not handle this better. Plenty of people can attest to the fantastic ways mobile accounts break at every major release. Apple prefers local accounts whenever possible. NoMAD and Login are another way to move closer to more easily managing local accounts while still referring back to a central directory like AD.
@benshawuk Currently, with NoMAD Login they would log in with their old password, and NoMAD would then detect after a login that their password is different from their network password. So basically, at this time, you need to configure both NoMAD products separately. They work well and seamlessly together, but having just one in place is 50% of the solution.
At some future date, NoMAD Login will have an option to check at login if the password that a user is logging in with is their current network password.
So, my org has been dealing with this NoMAD-will-not-synch-the-passwords issue for some time, even though I have it set to do so. As 2019 started, we saw a big uptick in customers whose passwords were not being synched when changed and I had to dig into NoMAD and see what the heck was happening. Here is what I found and what we decided to do about it:
- Basically, customers were letting their password completely expire (gasp!) and then calling in while remote to get assistance with changing it.
- Since the customer was remote in this scenario, the support agent changed their AD password to a temp one and got them on the VPN, then walked them through the steps in NoMAD to change it. It had a low "synch-success" rate, without knowing why.

One thing we discovered was that if the Mac was rebooted before the process was started, even assigning a temp password outside of NoMAD, the synch would occur. Plus, and this was a big one: the Mac would synch completely if the machine in question was on a wired Ethernet connection vs. a wireless one. Since making sure these two conditions are followed before the change password process is started, we've seen NoMAD synch the two passwords as it should. Maybe those tips will help you.
@benshawuk Do you have people forgetting their passwords on a regular basis? As in, the password they type in multiple times a day? I know it does happen to us once in a while, but not that often. In that case all you need to do is reset their local password and create a new keychain on next login.