Jamf Nation Community

MNussbaum · ‎09-08-2021

Good morning!

With our entire staff working remotely, we need to implement a solution that allows them to update their local and AD passwords simultaneously with ease. We've moved away from binding, so updating while connected to our VPN isn't an option. We're running an on-prem AD (with no current timeline on moving to Azure), so that solution seems to be NoMAD. We're concerned about opening up our AD for the purpose of allowing our users to hit it with NoMAD.

Those of you who are using or have used NoMAD, can you please share the route you took to make your AD accessible to your users and why you felt secure about going that route?

Thank you!

ljcacioppo · ‎09-08-2021

NoMAD or Apple's Kerberos SSO can both allow users to change their passwords.

I'm a bit confused on where you said updating while connecting to VPN isn't an option. What I've previously done is just used a web URL to our password change portal (which you can customize NoMAD or Kerberos to point the Change Password button to) and then next time the computer is on VPN after the password change, it prompts to sync the password with the local user password, filevault, etc.

MNussbaum · ‎09-08-2021

To clarify, I meant that because the laptops are not bound to AD, that simply changing the local password while connected to the VPN would not also update the AD password. We're looking for a solution to update both simultaneously without requiring being connected to our network via VPN.

We don't presently have a password change portal to point a user to in order to update their AD password. If we were to, is that functionality of it comparing the AD password to the local password when connected to VPN and updating the local password a built in function in NoMAD?

Our ideal scenario would be to allow the user to simply click the Change Password option in NoMAD and update both their AD password and local password simultaneously, while not being required to be connected to our network via VPN. This appears to be possible, but seems to require opening up access to our AD server to allow NoMAD to reach it, which is a concern.

MNussbaum · ‎09-08-2021

I typed up a whole response before, not sure where it went!

To clarify about the VPN, I was referring to the ability to simply change the password and have it update both the local password and AD password when bound to AD and on our network via VPN. We're looking for a simple solution to update both AD and local passwords simultaneously while not bound and not requiring being on the network via VPN.

We don't currently have a portal for our users to update passwords in AD. If we were to, what is that functionality that updates the local password to match the AD password when it's on the VPN? Is that something that is built in to NoMAD that will automatically check the AD password and sync it down to the computer when connected to the VPN?

The solution we're hoping to implement would be using NoMAD's built in Change Password option to update both the AD password and local password simultaneously. This works easily while on our network via the VPN, but we're hoping for a secure way to do it without requiring a connection to the network via VPN. This appears to require opening up access to AD, which is concerning to us. Hoping for some insight into how others have handled this securely.

ljcacioppo · ‎09-08-2021

Yes, there is the functionality built in to NoMAD where it sees your AD password different than local password and prompts to sync. Should occur within 15 minutes of a password change

MNussbaum · ‎09-08-2021

Thank you very much for that information! I wasn't aware that NoMAD had that functionality. We're definitely hoping to update both the AD password and the local password simultaneously with one single action. Having to push our users to a website to update their password, then their local password doesn't match until they both connect to the VPN and follow the prompt to sync, sounds like it could create some confusion and headaches for them and for us. We'll definitely keep that in mind though if we're not able to accomplish a more streamlined version of this process.

boberito · ‎09-08-2021

You'll need a fancy solution like that or you'll need to get them to VPN into the network. There's no magic way otherwise.

MNussbaum · ‎09-08-2021

The fancy solution we're hoping for is a secure way to allow our user's computers to reach our AD server via NoMAD without having to be on our network via VPN. Hoping for some insight into how others have securely opened up access to their AD servers, if it's possible.

dpertschi · ‎09-09-2021

@MNussbaumNoMAD only works against internal AD, not Azure or any other IdP.

If your org has no immediate plans to move services to Azure, you might be suited to look at a Zero Trust Private Access solution. There are a few SaaS solutions that can give you ‘direct’ access to your internal AD, while you're external. With that in place, NoMAD will happily continue to do its thing both on/off the network. Use NoMAD to change your password and it updates in AD and locally.

MNussbaum · ‎09-09-2021

Thank you! I believe that is pretty much exactly what we're looking for. We obviously don't want to open that AD server up to the world, so we've been wondering how others are accomplishing hitting it securely with NoMAD from an external network.

Do you happen to know of any examples of SaaS solutions that provide a straightforward solution for this particular use case?

dpertschi · ‎09-09-2021

Zscaler and Wandera are two I know of.

Jamf Nation Community

Best Practices for Accessing Active Directory via NoMAD