Nomad and multiple accounts

jleomcdo
Contributor

We have been using Nomad, the free version, for a while now. One of the issues that I face is with my “management” account. Our Macs are bound to AD and we use mobile accounts to log in. Everyone uses a “standard / non-admin” account for day-to-day work. I always log in to my Mac with my “normal” (non-admin) user account and Nomad looks fine. The problem comes in when I use my management account to “unlock” or install a program. Nomad will switch to my management account. Then when I visit any web page that uses SSO, it will try to authenticate with my MGT account. I’m looking for a way to “block” or prevent Nomad from using / switching to my MGT account. I think the real issue here is not Nomad, but me getting a Kerberos ticket when using the MGT account to authenticate for any admin task I try to do.

6 REPLIES

mhegge
Contributor III

Not clear why you would use NoMAD if your Macs are bound to AD.

mm2270
Legendary Contributor III

@mhegge said

"Not clear why you would use NoMAD if your Macs are bound to AD."

Really? There are plenty of reasons, the main one being that even when bound to AD, there is nothing easily visible to the user about when their password will expire, nor any notifications that come up about it to alert them - both things you get with NoMAD installed and configured. Additionally, it provides a simple way to reset their password directly from the icon in the menubar, instead of hunting in System Preferences or other applications to find a way to do it. It also makes sure Kerberos tickets are auto-renewed, something macOS natively seems to have some problems with, from my own experience. Those are just 3 reasons, but there are more.

@jleomcdo I'm not 100% sure, but have you looked over all the preference options for NoMAD from their site? I have a feeling there may be a way, via Config Profile or just using a defaults command, to set an array of users that NoMAD should ignore. I seem to remember something like that the last time I looked, but I may be mistaken. I would take a look at that though.
https://nomad.menu/help/preferences-and-what-they-do/

Chris
Valued Contributor

"I think the real issue here, is not Nomad, but me getting a Kerberos ticket when using the MGT account to authenticate for any admin task I try to do."

This.
It's macOS default behaviour, NoMAD just shows you the most recently acquired ticket.

mhegge
Contributor III

@mm2270 Thanks for the info. My understanding was that the purpose of NoMAD and NoMAD Login was to be an alternative to AD binding.

My Mojave device is bound to our AD. I get a notification that my password is about to expire when it gets within 30 days of the deadline at every login until I change it. Does not mean I do not experience Keychain issues ;) We do not allow users to reset their AD account passwords.

jleomcdo
Contributor

@Chris I agree with you about the Kerberos ticket. I was just curious if others have run into this. It's annoying!

alextaylor
New Contributor

I currently have this when I use the Microsoft Remote Desktop app to log into remote machines. In logging in, I'll be issued a Kerberos ticket, which then causes the NoMAD menu to switch to that account. It would be massively useful to have a preference to have it stay at one account instead of using the most recent.

I also use the NoMAD menu for the password expiry reminder, ensuring the keychain password is always in sync, the easy change-password button, and the tick that tells me if I have valid Kerberos tickets, even though my Mac is still AD bound.