Bug in NoMAD around updating the auto sign-in keychain item

New Contributor

I’m not sure if this is a bug or not, or maybe I’m not understanding what the preferences do…

I have UseKeychain and UseKeychainPrompt set to true.

If a user changes their password in Users and Groups, the NoMAD keychain item does not get updated automatically, so despite the actual login password being different, NoMAD does not see a problem because the keychain item is still in sync with the AD password. Auto-login continues to work with the old password.

What behaviour should I see from ‘UseKeychainPrompt’ that “forces a sign in” to capture the updated password and store it in keychain so that NoMAD isn’t basically ignoring a Users & Groups password change? (edited)
Right now I can refresh NoMAD as much as I like but nothing changes. According to the logs, it’s definitely Checking if the user has a password in the keychain


Contributor II

@HASysOps The behavior you're describing is correct. NoMAD is designed to keep your local password in sync with your AD password. It doesn't handle local only password changes based on my experience. Since the user's AD password doesn't change NoMAD doesn't trigger a local password or keychain entry change.

My recommendation is to train your users to change their password one way. Be that through NoMAD, a web portal, or whatever other solution you have available. The important bit is you let NoMAD handle the local password change. Users should always be changing their LDAP/AD/IdP password. After a successful password change NoMAD shouldn't take too long to pick up on that fact and prompt the user to change their local password.

In the case a user entirely forgets their password I generally log into our admin service account, force change their password, log into their account, and create a new keychain. At that point they can sign back into NoMAD to get a good working state. Hope that helps!

New Contributor

Thanks @nstrauss

Yes, I've gone ahead and had our Jamf Configuration Profile block out the Change Password option in System Prefs. Makes sense

Valued Contributor

You can block password change specifically? Or you blocked the whole User Pane?

New Contributor III

Enterprise Connect handles this scenario quite well. :P