NOMAD password sync issue

Tone_vil
New Contributor II
Hello, I inherited a Mac fleet that we use JAMF Pro to manage. I work for an educational institution, and we have several labs that we have bound to the domain. The previous admin implemented NOMAD this past year, and now we have an issue when users change their AD passwords. The new password on those lab systems is not recognized; it doesn't seem to sync to AD, so they have to keep using the old password. I found the configuration that the admin used for the NOMAD settings in JAMF, but in referencing different forums/threads there don't seem to be many settings set that relate to the NOMAD password behavior. I've never dabbled with it, so I'm trying to figure this out on the fly. I just thought I would post this to see if my suspicion is correct and for some kind of direction.
Below is the plist that we are using. Thanks in advance.
 
 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>ADDomain</key>
    <string>fake.edu</string>
    <key>BackgroundImage</key>
    <string>/Library/DA/fake Backgrounds/fake Blues/fakegradientl.png</string>
    <key>BackgroundImageAlpha</key>
    <integer>0</integer>
    <key>LoginLogo</key>
    <string>/Library/DA/FAKE Backgrounds/FAKElogo.jpg</string>
    <key>UserProfileImage</key>
    <string>/Library/DA/FAKE Backgrounds/UserIcon.tiff</string>
    <key>KeychainReset</key>
    <true/>
    <key>CreateAdminIfGroupMember</key>
    <array>
      <string>DA</string>
    </array>
  </dict>
</plist>

AJPinto
Honored Contributor III

You seem to be straddled across a fence. The function of NoMad is to not need to Domain bind, and you are using both. 

  • NoMad cannot automatically sync or update passwords. When a user changes their password on another device, they will still need to log in to the Mac with the old password. NoMad should pick up that it has the wrong password and prompt to log in. Once the user logs in to NoMad again it should sync the LDAP password with macOS and update everything.
  • Domain Binding should tell macOS to reach out to your AD instance from the login window and macOS "should" use the current AD PW to authenticate the user. Note with AD binding, Apple stopped developing this workflow for macOS some 10 years ago. So there are A LOT of issues with macOS in a Domain environment, especially if you change your password on another device and expect the Mac to respect AD.
    • If these Macs are always expected to be on a network you may not want to create mobile accounts at login.
    • Updating the FileVault password will not work with Domain Binding alone, NoMad must do this or it needs to be done manually.

 

 

 

We moved off of NoMad last year to JAMF Connect. This is the last version of the configuration profile we had used. We were domain bound and using NoMad for password changes as we restricted System Pref > Users. We had consistent issues if a user changed a password on another device also; it's just the nature of the beast.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>ADDomain</key>
    <string>something.here.com</string>
    <key>CleanCerts</key>
    <true/>
    <key>ConfigureChrome</key>
    <true/>
    <key>DontShowWelcome</key>
    <true/>
    <key>GetHelpOptions</key>
    <string>https://help</string>
    <key>GetHelpType</key>
    <string>URL</string>
    <key>HideAbout</key>
    <true/>
    <key>HidePrefs</key>
    <true/>
    <key>HideSignOut</key>
    <false/>
    <key>LoginItem</key>
    <false/>
    <key>MenuHomeDirectory</key>
    <string>H Drive</string>
    <key>MenuRenewTickets</key>
    <string>Refresh</string>
    <key>RenewTickets</key>
    <true/>
    <key>SecondsToRenew</key>
    <integer>7200</integer>
    <key>ShowHome</key>
    <true/>
    <key>SignInWindowAlert</key>
    <true/>
    <key>SignInWindowOnLaunch</key>
    <true/>
    <key>UPCAlert</key>
    <true/>
    <key>UseKeychain</key>
    <true/>
    <key>UseKeychainPrompt</key>
    <true/>
    <key>Verbose</key>
    <true/>
  </dict>
</plist>
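
A hand-edited preference plist like the ones posted in this thread can end up with a key that has no value, or the same key listed twice, which matters for a key such as CreateAdminIfGroupMember that controls who becomes a local admin. The following is an added example, not code from either poster or from the NoMAD project: a small Python check for both problems, run here on a constructed sample (the domain `example.edu` and group `ExampleGroup` are placeholders).

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the profiles in this thread: one key has no
# value and one key appears twice. Domain and group names are placeholders.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ADDomain</key>
  <string>example.edu</string>
  <key>CreateAdminIfGroupMember</key>
  <key>KeychainReset</key>
  <true/>
  <key>CreateAdminIfGroupMember</key>
  <array>
    <string>ExampleGroup</string>
  </array>
</dict>
</plist>
"""

def lint_dict(dict_el, path="root"):
    """Return problems found in one <dict> and in dicts nested directly as values."""
    problems, seen, pending = [], set(), None
    for child in dict_el:
        if child.tag == "key":
            if pending is not None:  # previous key never received a value
                problems.append(f"{path}: key '{pending}' has no value")
            pending = (child.text or "").strip()
            if pending in seen:
                problems.append(f"{path}: key '{pending}' is defined more than once")
            seen.add(pending)
        else:
            if pending is None:
                problems.append(f"{path}: <{child.tag}> value has no key")
            elif child.tag == "dict":
                problems.extend(lint_dict(child, f"{path}/{pending}"))
            pending = None
    if pending is not None:  # last key in the dict has no value
        problems.append(f"{path}: key '{pending}' has no value")
    return problems

def lint_plist(xml_text):
    """Lint the top-level <dict> of an XML plist given as a string."""
    top = ET.fromstring(xml_text).find("dict")
    if top is None:
        return ["plist has no top-level <dict>"]
    return lint_dict(top)
```

Calling `lint_plist()` on the text of a profile before uploading it to Jamf returns an empty list when every key has exactly one value and no key repeats.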

 

Tone_vil
New Contributor II

Thank you for your reply and explanation. I'm definitely going to look into moving to JAMF Connect during summer; I just have to get through this semester and this password issue. I'm leaning toward removing NoMAD altogether and just leaving the lab systems bound to get me through this semester with no more calls until I can spend the time to properly deploy Jamf Connect.