Jamf Nation Community

funny you say this... my teammate found this a couple of weeks ago. I've now unbound my Mac, and not logging in to ad anymore.. This utility is working great, and I have not seen any issues whatsoever... its working great for us.

I'm running NoMad as test on a Mac and also so far so good.

Had an EC demo earlier in the week from Apple as I'm pushing for unbinding as well.

the only issue i think i will have a problem with is , our WIFI check to see if the machine is in AD , i think i may run it along side a AD bind

Question, When you unbind you macs, do you keep the mobile account username(AD) or have them use a different, local account? If different, what role would NoMAD then play or provide?

Thanks

we have a script that we run to change the Accoutn type from mobile managed, back to just local , and we make them a local admin as well.
the account name stays the same.

nomad that provides us with
1) Single Signon ( With active directory )
2) sync passwords with active directory / local account
3) icon in the menu bar to inform user when their password expires

Future improvements for us
adding in drive mappings
adding in printer mappings

Even if you keep your Macs joined to AD and have users log in with AD cached mobile accounts, using something like NoMAD is an improvement to the overall experience. I've been experimenting with it here for a while. We are an AD shop, and I think getting us off of AD binds on our Macs will be the equivalent of moving mountains. Not gonna happen anytime soon. But I'm testing NoMAD out to make life easier for our Mac clients, because frankly, the AD experience for Mac users kinda sucks. Password sync issues, keychain sync issues, kerberos tickets not getting auto refreshed, no on screen notice on when your password will expire, etc. NoMAD improves on all these things and more.
Plus, if you examine their page on all the available settings that can be configured for it. it's amazingly flexible. I have mine branded with our company logo in the menu bar, have the password change menu go to our password change portal and everything, so it looks totally like something meant to be there and designed for us.
The only desire I have is that there are one or two dialogs I've seen that still use the NoMAD Caribou image that I'd like to change to something else, to fully customize it, but other than that, I love it!

@jimderlatka

Hi I'm trying to imagine my two potential workflows: 1 Machines already bound - unbind, and convert accounts to local, use Nomad for password resets to AD, syncing to keychain
2 New machines - create the local user account to match the AD username and use Nomad

Any issues with this??

Thanks for you responses!

@mm2270 Is the documentation to have the password change redirect to your portal on the Nomad site?

Cheers

@piagetblix that is exactly what we do.

for our dep enrollment, we have the user enter their active directory credentials, which in turn then creates the local account as their active directory userid.....

@piagetblix Yes it is. Refer to this page for the large amount of configurable settings:
https://nomad.menu/help-center/preferences-and-what-they-do/

You need to configure both the ChangePasswordOptions and ChangePasswordType prefs for it to work.

@jimderlatka

Another question, You mention that Nomad gives you "Single Signon ( With active directory )"

Are you using NoMAD Pro for this? Or do you mean effectively it gives you Single Signon?

were not using the pro paid version.. the utility I believe is no different, pro just gives you support.

nomad gives us single signon for authentication, and ensures your kerberos ticket is there and gets renewed...

I asked because, from what I've gleamed in the nomad slack channel there is a different Nomad-Login app that may provide a login window functionality of SSO.

Though this could be totally wrong, because I'm half asleep when I read through slack....

Yep, not crazy: https://gitlab.com/orchardandgrove-oss/NoMADLogin-AD

neat. I;ll have to look at that... havent seen it before

@mm2270

I did

defaults write com.trusourcelabs.NoMAD.plist ChangePasswordOptions -string "https://mydomain.passwordResetPage"

defaults write com.trusourcelabs.NoMAD.plist ChangePasswordType -string URL

The key changes show when I do a defaults read but the URL doesn't launch when I choose "Change Password" in NoMADs menu.

Any ideas what I'm doing wrong?

Thanks

@piagetblix So first thing is, did you quit and relaunch NoMAD after making the changes? I'm not sure if it auto recognizes any changes to a plist so the app probably needs to reload, just in case you didn't do that.
Second, can you check to see if there is a global NoMAD plist that might be overriding local user level settings? For example, check for a com.trusourcelabs.NoMAD.plist file in /Library/Preferences/
Lastly, I set up mine in a Config Profile, so some of the settings are applied at the computer level, not user level. I don't know if that would make any difference here, but it seems to work fine in my case.

Let me know if it's still not applying after checking the above items.

Hey thanks for the quick response.

I did both:
quit and relaunch. and checked in /Library/Preferences/ no global plist there.

Will give the Config Profile a shot later this afternoon.

Cheers,

Hmm, made the defaults writes a second time and it picked it up....

Ok, interesting. I didn't see anything wrong with how you posted them the first time, so, not sure. But glad it picked up and is working now.