Enterprise Connect vs NoMAD

donmontalvo
Esteemed Contributor III

Rick Lemmon's Jamf Nation forum thread on Apple Enterprise Connect was awesome.

Curious if anyone had the opportunity to look at Trusource Labs NoMAD?

Any thoughts on how they compare? There's a good writeup/matrix here.

Apple Enterprise Connect seems like a black box...almost mafia like. Is it just me, or is it hard to find info on it?

--
https://donmontalvo.com

scott_borcherdt
New Contributor II

I've been doing a bit of testing with NoMAD and am hoping to get it into production next quarter, pending 802.1x wifi being supported (disclaimer: this might've been added in the past few weeks - I've been out of the loop!)

There was a great MacAdmins podcast episode on NoMAD late last year, and I've just found another was released earlier this month.

Have only seen the one page PDF on Enterprise Connect - when I read it was only available in the States I stopped searching for info.

michael-brodt
New Contributor III

You should contact your Apple Rep if you have one about Enterprise Connect. There is a demo of it on the 27th (usually one a month). I'm attending to get more information on it as well.

There is also a Slack Channel called #enterprise-connect if you join the MacAdmins Slack team. You can find more information there.

I haven't used NoMAD before, so I can't really speak to it.

guidotti
Contributor II

I've been trialing out NoMAD here.
It seems like it has great potential for those of us that don't want to do the Enterprise Connect thing.
Getting it accepted by my company's approval process for new software might be tough.
The thing I like about it is, I can set various switches in it for customizations.

One I like is local account password synchronization with AD:
https://www.nomad.menu/help-center/local-password-sync/

This lets us use local user accounts, but keep the password in sync with their network accounts to prevent confusion.

KSchroeder
Contributor
> Apple Enterprise Connect seems like a black box

The key word there is "Apple"...is it too surprising? :)

pete_c
Contributor III

Marriott Library's excellent Mac-Managers series also hosted a segment on NoMAD in December:

https://apple.lib.utah.edu/?p=1881

donmontalvo
Esteemed Contributor III

@KSchroeder wrote:

The key word there is "Apple"...is it too surprising? :)


--
https://donmontalvo.com

dan-snelson
Valued Contributor II

@donmontalvo We've been quite happy with Enterprise Connect and have only glanced at NoMAD since we already had EC before it came out.

iJake
Valued Contributor
> One I like is local account password synchronization with AD: https://www.nomad.menu/help-center/local-password-sync/

Enterprise Connect has this feature and can be enforced as on via a Configuration Profile which NoMAD does not appear to support. You can configure EC via MDM and that is a huge advantage for me. As well, it also has the ability to run a script on successful password change along with the times NoMAD can.

sphillips
New Contributor

Just wanted to let all know there's a great Slack group of NoMAD users and testers. #nomad

gmarnin
New Contributor III

NoMAD supports setting preferences using a configuration profile. LocalPasswordSync should be supported in a config profile.

neilmartin83
Contributor II

We deploy NoMAD to our fleet of AD bound Macs - just over 450 of them. We replaced ADPassMon with it on all our Macs except those still running OS X 10.10 (NoMAD crashes at launch on those but we're moving away from it soon).

What we love:

  • Easy password changing for users in labs where we restrict the Users and Groups Preference Pane.
  • Password expiry warnings are nice.
  • Ability to mount the user's SMB share - we mount it at login but this is good for our staff who take laptops home and connect over the VPN - the share won't mount at login before they've connected to the VPN so this is a good workaround.
  • Ability to manage with a Configuration Profile - especially restricting the Preferences option.
  • Get Software launches Jamf Self Service.
  • We're using the Get Help menu item to launch our ticketing website but have tested it with Bomgar which we're currently trialling - it works really well for both.
  • The icon gives a good visual indication of AD connectivity which is useful for troubleshooting - i.e. on our laptops where staff sometimes connect to a different Wi-Fi network that can't reach the DC.

dnikles
New Contributor III

What NoMAD doesn’t solve for me, and I’m not sure if Enterprise Connect does, is letting someone log into a computer they haven’t logged into before. What NoMAD has done nicely in testing for me is allowing password changes to sync the keychain.

znilsson
Contributor II

I haven't tested EC so I can't do a direct comparison. All I can tell you is that NoMAD is working very well for us as of the 1.0.2 release, and we really love the amount of user-facing information and utility it offers. It's smooth like butter for us, I've thrown it through a bunch of different scenarios like closing the lid, switching networks, sleeping, waking up, all kinds of stuff, and it never seems to throw NoMAD.

One of my favorites is the domain <-> local account password sync. Because it syncs your domain password to your local account via the keychain, it also changes it for FileVault encryption, and if you've had filevault encryption on AD-bound Macs before, you know the nightmare of password changes from the AD side, and the chaos it causes on the Mac, as that change does not affect the FV password so then you have to log in using your OLD password or you get locked out, or you get locked out 27 times, etc. NoMAD fixes all that. And from what I can see it works flawlessly. All my test Macs are encrypted, and when I change my directory password using NoMAD, I can reboot, and at the FV login screen I can use my new password. Bam!

The password expiry countdown right on the menu bar icon is priceless. That kind of user-facing info is worth its weight in bitcoin. Or something. I also have an extension attribute (not written by me) that grabs the password expiry date so you can use it in Jamf Pro. I can go to any user's Mac and see when their password expires, in the JSS. NoMAD itself does a good job of telling the user about it, 15 days before expiry the user gets a notification once per day that their password is going to expire, with a change password button built into it. On the last day they get the notification once per hour. And when they do change it, it's changed in AD and it's changed in your keychain, and therefore changed for FileVault. Great success!

I have our "get help" option set to go to our ServiceNow portal so they can open a ticket, Get Software opens Self Service, and Lock Screen locks the screen which is just nice to have.

I'm also using a config profile to lock down the preferences, which so far is working 100%. So I can't compare to EC, all I can really say is that NoMAD is working very well in my environment.

amuriello
New Contributor

If you need to contact Apple in regards to Enterprise Connect, please email [consultingservices@apple.com](mailto:consultingservices@apple.com)

The #enterprise-connect channel on macadmins is also a great resource for information and collaboration.

The next EC Demo will be next Monday, February 27, at 10AM CST. Registration Link - http://tinyurl.com/EC21Reg

Thanks!

dpertschi
Valued Contributor

I’ve been testing NoMAD - because I can! That alone will go a long way to my piloting and then ‘selling’ the solution to management. With EC, we’d have to write the check and then test.

Frankly, either would likely satisfy my needs, but the ease of interaction with NoMAD developers is winning for sure. I’ve had two feature requests honored already, and being a new open source project there is a lot of active and rapid development beyond the simple password sync.

Frequently in enterprise the commercial solution wins over open source simply from a trust perspective. But in this case, NoMAD has significant pedigree behind it that should not be overlooked.

The cost (lack of), access to development, and the other utility features make this one stand out for me.

al_platt
Contributor II

I've been testing NoMAD for a while and it's been working well (beta bugs excluded). However we went with EC.

EC is a one off cost with ongoing support vs a support contract for NoMAD. It's an easier sell to the business of a one off cost to Apple. I'll second the trust point too. Apple are a known vendor.

EC is very easy to set up and deploy. @amuriello was our consultant and we had it set up in no time (mileage may vary due to AD infrastructure though).

With regards to US only, we're UK based but have an Apple purchase agreement for our US office. It's only the install that needs to be US based. We purchased and installed in the US then rolled out to our other offices.

guidotti
Contributor II

@amuriello the WebEx is actually for Monday at 10 AM Central.

amuriello
New Contributor

thanks @guidotti!

ndeal
New Contributor III

Curious if there are any more Enterprise Connect demos coming up in the near future... @amuriello ?

prbsparx
Contributor II

I'm one of the developers for NoMAD, and wanted to chime in a little bit: I originally got involved in the development because we were using ADPassMon, it wasn't doing everything we wanted, and I felt AppleScript wasn't robust enough. Originally, I looked at developing my own replacement for ADPassMon, but didn't have enough availability to code everything I wanted from the ground up.

I found out about NoMAD and what @mactroll was trying to do with it:
Give Mac users all the benefits of being joined to AD, without actually being bound to AD.

What does that really mean though?
1. A local user or an AD mobile account user, can use NoMAD to perform the following tasks:
   - change their password
   - renew single-sign-on tickets (kerberos tickets)
   - get software if a software self service application is installed
   - get help through a web interface, bomgar, etc.
2. Mac Administrators can configure settings through native APIs (i.e. using MDM)
   - Mac admins can configure how users change their password - does it sync with the local account? does it save to the keychain?
   - Mac admins configure NoMAD to show or hide "Get Software" or "Get Help"
3. We're constantly adding new features, we're only at V1 currently.

I've had a couple people ask why I invested my time in NoMAD as an open source developer instead of having my company buy Enterprise Connect. From my standpoint, NoMAD seemed like the follow up to ADPassMon and KerbMinder whereas Enterprise Connect felt like a bandaid that Apple was putting on their built-in AD, and they were asking enterprises to pay for something that is supposed to be included in the OS. NoMAD on the other hand, is a group of Mac Admins at a variety of companies that wanted to improve the experience of Mac users and businesses while allowing Macs to be more integrated.

For those of you wanting a detailed comparison of EC, NoMAD, and AD Binding, this article on macadminsdoc is slightly outdated, but good:
http://macadminsdoc.readthedocs.io/en/master/Integration/Active_Directory.html

Note: I'm not employed by Trusource Labs, just a random dev that jumped on the bandwagon

nomeelnoj
New Contributor III

While you can achieve the same things with NoMAD as you can Enterprise Connect, I think there is a hidden benefit to the Enterprise Connect implementation that bears pointing out. When you sign up, you are required to pay $5500, not for the product, but for the on-site implementation from specialized Apple Engineers. The benefit to having them on-site for a few days and being able to pick their brains about ANYTHING--related to your organization or not, is invaluable.

Well worth it, IMHO.

mwoodruff
New Contributor III

@ndeal The next one is:

Apple PS Enterprise Connect Demo 24
Monday, April 24, 2017
10:00 am | Central Daylight Time (Chicago, GMT-05:00) | 1 hr 30 mins

Register: http://tinyurl.com/ECDemo24
After your request has been approved, you'll receive instructions for joining the meeting.

DanJ_LRSFC
Contributor III

We've been having the keychain issue again after a forced mass password reset here, so I've been looking at the situation with software such as ADPassMon/NoMAD.

I've tried both of them but I must be missing something because I don't seem to be able to set them up so that the user never sees the "Unable to unlock login keychain" dialog with the three buttons. That's the dialog that causes us problems because users either click "Continue log in" because they want to get on with their work, or "Update keychain password" because it's highlighted in blue. We actually want them to be clicking "Create new keychain" because that will get them in without any further messages popping up or them needing to remember an old password.

Does either of these pieces of software actually solve this issue, and if so is there a nice step by step guide somewhere as to how to set them up to do this? Our Macs are bound to Active Directory and users are logging in with their Active Directory user accounts.

Thanks,
Dan Jackson (Lead ITServices Technician)
Long Road Sixth Form College
Cambridge, UK.

bpavlov
Honored Contributor

You should get your users to update their keychain. I used to have end-users delete their keychain or delete it myself. But once you learn how to use keychain, it stops being a problem. I still delete it in situations where the user might not remember their password but that's rare. The benefit of not deleting their keychain is that they get to keep their certs and any passwords they may have saved in the keychain. This is one case where I'd really recommend learning it yourself and educating your users. If it's a lab, then it might be a different story but it doesn't sound like that's the case from your description.

prbsparx
Contributor II

@DanJ_LRSFC This depends on what you mean by "forced mass password reset" - if you mean all users are just required to change their password, and you did not change their password through the console, then yes, when the user signs in to NoMAD, they will be presented with a screen informing them that they must change their password. If "Local Password Sync" is enabled in NoMAD (able to be pushed through a profile) then it will synchronize the keychain password and local password.

If you mean changing the password for all the users and then informing the user of the new password, I believe the absolute latest version 1.0.4 watches AD for password changes and will inform the user if you enable that functionality (I believe the preference item is called UPCAlert).

@bpavlov I agree that it's useful to learn Keychain, however, expecting end users to learn it I think might be a little hopeful. You can also create a script that helps them fix their own keychain, that way you just ask the users to run the self service item. We did this at my last company.

Michael_Meyers
Contributor

We had Apple Enterprise Connect set up, and although it is pretty slick, it does have a limitation which made me look into NoMAD. Our password policy is not a domain level policy, which limits Enterprise Connect in seeing the countdown to the password expiration. My initial test with NoMAD fixes that issue. Our staff and students will require different configuration profiles. The student passwords don't expire. I know NoMAD has other similarities, so I will continue testing.

John_Arenz
New Contributor II

I really like NoMAD as it gives us the ability to run our MacBooks unbound. However, I have one issue with the fact that NoMAD does not see the network change when my users connect to VPN. When a computer is offline or connected to public wireless, as expected, NoMAD shows "Not Connected". When the computer connects to the LAN, NoMAD immediately goes green and displays the "Connected" message. If the same computer connects to our corp VPN, NoMAD remains in an unconnected state. I believe this is because our VPN is an SSL gateway that requires a plug-in rather than a client. Mac OS does not see a network location change when it connects. Does anyone know of a way to manually force NoMAD to look for a domain connection without Mac OS detecting a network location change?