Best Practices for Accessing Active Directory via NoMAD

NoMAD or Apple's Kerberos SSO can both allow users to change their passwords. 

I'm a bit confused on where you said updating while connecting to VPN isn't an option. What I've previously done is just used a web URL to our password change portal (which you can customize NoMAD or Kerberos to point the Change Password button to) and then next time the computer is on VPN after the password change, it prompts to sync the password with the local user password, filevault, etc.

To clarify, I meant that because the laptops are not bound to AD, that simply changing the local password while connected to the VPN would not also update the AD password. We're looking for a solution to update both simultaneously without requiring being connected to our network via VPN.

We don't presently have a password change portal to point a user to in order to update their AD password. If we were to, is that functionality of it comparing the AD password to the local password when connected to VPN and updating the local password a built in function in NoMAD?

Our ideal scenario would be to allow the user to simply click the Change Password option in NoMAD and update both their AD password and local password simultaneously, while not being required to be connected to our network via VPN. This appears to be possible, but seems to require opening up access to our AD server to allow NoMAD to reach it, which is a concern.

You'll need a fancy solution like that or you'll need to get them to VPN into the network. There's no magic way otherwise.

I typed up a whole response before, not sure where it went!

To clarify about the VPN, I was referring to the ability to simply change the password and have it update both the local password and AD password when bound to AD and on our network via VPN. We're looking for a simple solution to update both AD and local passwords simultaneously while not bound and not requiring being on the network via VPN.

We don't currently have a portal for our users to update passwords in AD. If we were to, what is that functionality that updates the local password to match the AD password when it's on the VPN? Is that something that is built in to NoMAD that will automatically check the AD password and sync it down to the computer when connected to the VPN?

The solution we're hoping to implement would be using NoMAD's built in Change Password option to update both the AD password and local password simultaneously. This works easily while on our network via the VPN, but we're hoping for a secure way to do it without requiring a connection to the network via VPN. This appears to require opening up access to AD, which is concerning to us. Hoping for some insight into how others have handled this securely.

The fancy solution we're hoping for is a secure way to allow our user's computers to reach our AD server via NoMAD without having to be on our network via VPN. Hoping for some insight into how others have securely opened up access to their AD servers, if it's possible.

Yes, there is the functionality built in to NoMAD where it sees your AD password different than local password and prompts to sync. Should occur within 15 minutes of a password change

Thank you very much for that information! I wasn't aware that NoMAD had that functionality. We're definitely hoping to update both the AD password and the local password simultaneously with one single action. Having to push our users to a website to update their password, then their local password doesn't match until they both connect to the VPN and follow the prompt to sync, sounds like it could create some confusion and headaches for them and for us. We'll definitely keep that in mind though if we're not able to accomplish a more streamlined version of this process.

@MNussbaumNoMAD only works against internal AD, not Azure or any other IdP.

If your org has no immediate plans to move services to Azure, you might be suited to look at a Zero Trust Private Access solution. There are a few SaaS solutions that can give you ‘direct’ access to your internal AD, while you're external. With that in place, NoMAD will happily continue to do its thing both on/off the network. Use NoMAD to change your password and it updates in AD and locally.

Thank you! I believe that is pretty much exactly what we're looking for. We obviously don't want to open that AD server up to the world, so we've been wondering how others are accomplishing hitting it securely with NoMAD from an external network.

Do you happen to know of any examples of SaaS solutions that provide a straightforward solution for this particular use case?

Zscaler and Wandera are two I know of.