NoMAD 1.1 Keychain Update options

Note: this has been updated as of NoMAD 1.1 build 734 beta to reflect the new dictionary of items.

What are Keychain Updates?

New in the NoMAD 1.1 Beta is the ability to update keychain items when a user changes their password.

Currently the setting is a dictionary whose keys are keychain item names and whose values are account patterns. For each entry NoMAD looks in your keychain for items with that name whose account field matches the expanded pattern, and updates each match with the new password.

We expect a lot of special casing here, so please investigate which items you'd like to change and whether you need additional features.

Patterns

Currently NoMAD supports six variables for building an account pattern: domain, fullname, serial, shortname, upn, and email. You can combine any of them with static characters. Variables are set off by << >>; for example, the pattern <<shortname>>@company.com expands to the user's AD shortname followed by @company.com.

If an attribute is unavailable for a user it defaults to blank, so <<email>> for a user with no e-mail address defined in AD expands to “”. A blank expansion will not match the account you intended (at best it matches items whose Account field is empty), so check the expanded pattern against the item's Account field before relying on it. This may not be ideal, so please let us know if it doesn't fit your needs.

How to make it work

First you'll need to add a dictionary of keychain item names and their account patterns:

defaults write com.trusourcelabs.NoMAD KeychainItems -dict 'test1' '"<<upn>>"'

Note the single quotes around the double-quoted value: the single quotes keep the shell from treating << as a redirection, and the inner double quotes keep defaults from misparsing the < and > characters.

Now change your password in NoMAD v. 1.1(732) or later.
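The following script is an added example (not NoMAD's own code) that models the pattern expansion described under Patterns and the KeychainItems dictionary written by the defaults command above, so you can see which items a given configuration would select before changing a password. The keychain contents and the AD user are constructed sample data, and the matching rule (an item is selected when its Name equals the dictionary key and its Account equals the expanded pattern exactly) is an assumption about NoMAD's behaviour.

```python
"""Expand NoMAD-style account patterns and pick the keychain items they select.

Added example, not NoMAD's own code. Models the KeychainItems dictionary
(item name -> account pattern) and the six <<variables>> the text lists.
The exact-match rule and the sample data below are assumptions.
"""
import re
from typing import Dict, List, Tuple

# The six variables NoMAD documents for account patterns.
VARIABLES = ("domain", "fullname", "serial", "shortname", "upn", "email")

_TOKEN = re.compile(r"<<([^<>]+)>>")


def expand_pattern(pattern: str, attrs: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace every <<var>> with the user's attribute.

    Missing or empty attributes expand to "" (as the text describes); unknown
    variable names are also blanked and reported so a typo is visible.
    Returns (expanded_string, list_of_problems).
    """
    problems: List[str] = []

    def _sub(m):
        name = m.group(1)
        if name not in VARIABLES:
            problems.append(f"unknown variable <<{name}>>")
            return ""
        value = attrs.get(name, "")
        if not value:
            problems.append(f"<<{name}>> is empty for this user")
        return value

    return _TOKEN.sub(_sub, pattern), problems


def select_items(keychain: List[Dict[str, str]],
                 keychain_items: Dict[str, str],
                 attrs: Dict[str, str]) -> List[Dict[str, str]]:
    """Return keychain entries whose Name is a configured key and whose
    Account equals the expanded pattern for that key (assumed exact match)."""
    selected = []
    for name, pattern in keychain_items.items():
        expanded, _ = expand_pattern(pattern, attrs)
        if expanded == "":
            continue  # a blank pattern cannot match the intended account; skip it
        for item in keychain:
            if item["Name"] == name and item["Account"] == expanded:
                selected.append(item)
    return selected


# Constructed sample data: one AD user (no mail attribute) and a few keychain entries.
SAMPLE_USER = {
    "domain": "NOMAD.TEST",
    "fullname": "Jane Doe",
    "serial": "C02ABCDE1234",
    "shortname": "jdoe",
    "upn": "jdoe@nomad.test",
    "email": "",
}

SAMPLE_KEYCHAIN = [
    {"Name": "test1", "Account": "jdoe@nomad.test"},
    {"Name": "test1", "Account": "someone.else@nomad.test"},
    {"Name": "Corp Wi-Fi", "Account": "jdoe"},
    {"Name": "Corp Wi-Fi", "Account": ""},
]

# The equivalent of: defaults write com.trusourcelabs.NoMAD KeychainItems -dict ...
SAMPLE_CONFIG = {
    "test1": "<<upn>>",
    "Corp Wi-Fi": "<<shortname>>",
    "Mail": "<<email>>",  # expands to "" for this user, so it is skipped
}


def demo() -> List[str]:
    """Return the Account values this matching would update for SAMPLE_USER."""
    return [i["Account"] for i in select_items(SAMPLE_KEYCHAIN, SAMPLE_CONFIG, SAMPLE_USER)]


if __name__ == "__main__":
    for key, pat in SAMPLE_CONFIG.items():
        expanded, problems = expand_pattern(pat, SAMPLE_USER)
        print(f"{key!r}: {pat!r} -> {expanded!r} {problems}")
    print("would update:", demo())
```

Running it shows the "Mail" entry expanding to an empty string for a user without an e-mail attribute, which is the case the Patterns section warns about; the other two entries select exactly one item each.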

Troubleshooting

New in 1.1(732) and later is the keychainItemsDebug flag, which writes more verbose output to the logs, records which items would be changed, and attempts to update passwords every time you sign in through the sign-in window. This makes it much easier to determine what will be updated. Since it rewrites keychain items on every sign-in, turn it off again once you've finished testing.

Keychain item example

In Keychain Access, an item's “Name” is the key you add to the KeychainItems dictionary in the NoMAD defaults, and its “Account” field must match the expanded pattern for that key.

Feedback

We know that this current methodology won't always line up with what you may need, so we'd love to hear from you about how to make this better. In particular it's quite possible that your users' UPNs don't match the accounts in the keychain items. Please let us know on GitLab or the #nomad Slack channel.

NoMAD 1.0.5

We’re excited to announce the release of NoMAD 1.0.5.

NoMAD 1.0.5 is primarily a maintenance release: we've fixed a few bugs, made things run a bit faster and introduced a few new pref keys.

The bigger new features in 1.0.5 are the ability to have an LDAP-only environment where no AD is present and more granular controls on which users will have their password synced locally.

NoMAD is now also localized in Spanish, thanks to @lctrkid.

Bug Fixes

– Not really a NoMAD bug, but NoMAD now cleans up klist output on macOS 10.10, which erroneously adds blank spaces in place of 0 in the issued timestamp.

– NoMAD is now happy to use network-only accounts from AD. Previously NoMAD would only work with mobile accounts.

– NoMAD pre-flights any password changes against the local system now before changing in AD. This ensures that any local password policies won’t prevent the password change from working.

– Significant changes to the password complexity warnings when changing passwords. The pref file will be much less finicky about having all of the complexity types in it, a popover is now shown, and the user experience is generally much better. Thanks to @ludeth for the help here.

– Get Software menu item will now prefer a custom path instead of any self service applications that are found. Previously NoMAD would always go to any of the installed Self Service apps and ignore the custom path.

Pref Keys

ConfigureChromeDomain – String – Lets NoMAD configure an additional domain in Chrome for Kerberos authentication beyond the AD domain. Set it to the top-level domain your Kerberos services live under and NoMAD will use it, wildcarding any subdomains.

HideGetSoftware – Bool – When true, NoMAD hides the Get Software menu item.

HideSignOut – Bool – When true, NoMAD hides the Sign Out menu item.

LDAPOnly – Bool – Tells NoMAD to use plain LDAP instead of treating the remote server as AD. Essentially this just tells NoMAD not to look up password expiration information and to get the groups in a slightly different way.

LocalPasswordSyncDontSyncLocalUsers – [String] – An array of local user names. If the current local user is in this list, NoMAD won't synchronize the password, regardless of which AD user signs in.

LocalPasswordSyncDontSyncNetworkUsers – [String] – An array of AD user names. If the AD user signing into NoMAD is in this list, NoMAD won't synchronize the password.

MenuChangePassword – String – Allows you to override the standard Menu Item text for Change Password.

MenuGetCertificate – String – Allows you to override the standard Menu Item text for Get Certificate.

PasswordExpirationDays – Integer – Overrides the password expiration interval that AD reports.

PasswordExpireCustomAlert – String – Custom alert to show in the menu bar instead of days to go.

PasswordExpireCustomWarnTime – Integer – Will cause the custom alert to be only shown at a specific threshold, and in yellow.

PasswordExpireCustomAlertTime – Integer – Will cause the custom alert to be only shown at a specific threshold, and in red.

SignOutCommand – String – Path to a script or other binary that you want to execute when a user signs out of NoMAD.

UPCAlertAction – String – Path to a script or binary that you want to execute whenever a UPCAlert is triggered. Pull Request credit to Ryan Jenkins.

Downloads

NoMAD 1.0.5 package installer and zip file are now available in Downloads.

NoMAD 1.1 Shares Preferences

With NoMAD version 1.1 just a short ways around the corner, we wanted to start sharing the Shares preference file… see what we did there!?!

Note: As a beta this file format is still subject to change… but we wanted to give you an idea of what was coming.

What is this?

With 1.1 NoMAD will be able to mount arbitrary shares specified in a preference file. Since the shares are rather different from the rest of the NoMAD preferences, we've put them into a new plist to make things easier.

Where does it go?

Currently this preference is at menu.nomad.shares, but as with all things beta, this may change.

How do you make it?

There are 3 top-level objects in the file.

1. Version – this is the version number of the file format. Currently the only version is 1

2. HomeMount – A dictionary of attributes controlling whether the user's home share is mounted.

Groups – [String] – Only mount the home for members of these AD groups
Mount – Bool – Mount automatically or not
Options – [String] – Array of mount options defined below

3. Shares – [Dictionary] – An array of dictionaries with each dictionary defining a mount point and associated attributes. Below is what goes into each Dictionary
AutoMount – Bool – Is the share automatically mounted
ConnectedOnly – Bool – Is the share only mounted when on the AD domain
Groups – [String] – An array of AD group names. This share will only automount for members of that group
LocalMount – String – A local mount point
Name – String – The name of the share as it will appear in the NoMAD menu item
Options – [String] – Array of mount options defined below
URL – String – The actual URL of the mount point in the form of “smb://dc1.nomad.test/Homes”

Options

First off, huge thanks to @frogor for having figured these out. Note that most of these are kernel state flags that are not useful, or not safe, to request for a network share; use them at your own risk. The ones most admins will care about are MNT_RDONLY, MNT_DONTBROWSE and MNT_NOEXEC; MNT_NOSUID and MNT_NODEV are also worth setting on shares whose contents you don't control.

"MNT_RDONLY" - Mounts the share read only
"MNT_SYNCHRONOUS" - All I/O to the file system should be done synchronously.
"MNT_NOEXEC" - Prohibits execution of code from the share
"MNT_NOSUID" - Do not allow set-user-identifier or set-group-identifier bits to take effect.
"MNT_NODEV" - Do not interpret character or block special devices on the file system.
"MNT_UNION" - Causes the namespace to appear as the union of directories of the mounted filesystem with corresponding directories in the underlying filesystem.
"MNT_ASYNC" - All I/O to the file system should be done asynchronously.
"MNT_CPROTECT" - File system supports content protection
"MNT_EXPORTED" - Filesystem is exported
"MNT_QUARANTINE" - File system is quarantined
"MNT_LOCAL" - File system is stored locally
"MNT_QUOTA" - Quotas are enabled
"MNT_ROOTFS" - Identifies the root filesystem
"MNT_DOVOLFS" - Filesystem supports volfs (deprecated flag in Mac OS X 10.5)
"MNT_DONTBROWSE" - Does not display the share in the Finder
"MNT_IGNORE_OWNERSHIP" - Ignore ownership information on file system objects
"MNT_AUTOMOUNTED" - Set flags on the mountpoint to indicate that the volume has been mounted by the automounter.
"MNT_JOURNALED" - Mount filesystem journaled
"MNT_NOUSERXATTR" - User extended attributes not allowed
"MNT_DEFWRITE" - Filesystem should defer writes
"MNT_MULTILABEL" - Support for individual labels
"MNT_NOATIME" - Do not update the file access time when reading from a file.

Preference file itself


{
    HomeMount = {
        Groups = ( "Domain Users" );
        Mount = false;
        Options = ( );
    };
    Shares = (
        {
            AutoMount = false;
            ConnectedOnly = true;
            Groups = ( "Share Mounter Test" );
            LocalMount = "";
            Name = "File Server 2";
            Options = ( );
            URL = "smb://dc2.eng.nomad.test/Files";
        },
        {
            AutoMount = true;
            ConnectedOnly = true;
            Groups = ( );
            LocalMount = "";
            Name = "Home Shares";
            Options = ( );
            URL = "smb://dc1.nomad.test/Homes";
        }
    );
    Version = "1";
}
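Because the format is still in beta and a typo such as "Option" instead of "Options" silently produces a share with no options, it is worth generating and checking the file rather than hand-editing it. The script below is an added example, not NoMAD's own code: it builds the three top-level objects described above with Python's plistlib and validates a file against that description. The key names, types and MNT_* names come from this page; the decision to flag every option outside MNT_RDONLY, MNT_DONTBROWSE, MNT_NOEXEC, MNT_NOSUID and MNT_NODEV, and to require smb:// URLs, is this script's own choice.

```python
"""Build and sanity-check a NoMAD 1.1 shares preference file (menu.nomad.shares).

Added example, not NoMAD's own code. Key names, types and mount option names
follow the format description on this page; which options count as
"recommended" and the smb:// URL requirement are this script's assumptions.
"""
import plistlib
from typing import Any, Dict, List

KNOWN_OPTIONS = {
    "MNT_RDONLY", "MNT_SYNCHRONOUS", "MNT_NOEXEC", "MNT_NOSUID", "MNT_NODEV",
    "MNT_UNION", "MNT_ASYNC", "MNT_CPROTECT", "MNT_EXPORTED", "MNT_QUARANTINE",
    "MNT_LOCAL", "MNT_QUOTA", "MNT_ROOTFS", "MNT_DOVOLFS", "MNT_DONTBROWSE",
    "MNT_IGNORE_OWNERSHIP", "MNT_AUTOMOUNTED", "MNT_JOURNALED", "MNT_NOUSERXATTR",
    "MNT_DEFWRITE", "MNT_MULTILABEL", "MNT_NOATIME",
}
# The three the text singles out plus the two classic hardening flags for
# file systems you do not control (this script's choice).
RECOMMENDED = {"MNT_RDONLY", "MNT_DONTBROWSE", "MNT_NOEXEC", "MNT_NOSUID", "MNT_NODEV"}

SHARE_TYPES = {"AutoMount": bool, "ConnectedOnly": bool, "Groups": list,
               "LocalMount": str, "Name": str, "Options": list, "URL": str}
HOME_TYPES = {"Groups": list, "Mount": bool, "Options": list}


def share(name: str, url: str, *, automount: bool = False, connected_only: bool = True,
          groups=(), options=(), local_mount: str = "") -> Dict[str, Any]:
    """One entry for the Shares array."""
    return {"AutoMount": automount, "ConnectedOnly": connected_only,
            "Groups": list(groups), "LocalMount": local_mount, "Name": name,
            "Options": list(options), "URL": url}


def build_shares_plist(shares: List[Dict[str, Any]], home_mount: bool = False,
                       home_groups=("Domain Users",), home_options=()) -> bytes:
    """Serialise Version, HomeMount and Shares as an XML plist."""
    doc = {"Version": "1",
           "HomeMount": {"Groups": list(home_groups), "Mount": home_mount,
                         "Options": list(home_options)},
           "Shares": shares}
    return plistlib.dumps(doc, fmt=plistlib.FMT_XML)


def _check_options(where: str, options: Any, errors: List[str]) -> None:
    if not isinstance(options, list):
        return  # the type error is reported by the caller
    for opt in options:
        if opt not in KNOWN_OPTIONS:
            errors.append(f"{where}: unknown mount option {opt!r}")
        elif opt not in RECOMMENDED:
            errors.append(f"{where}: option {opt!r} is documented as unsafe or not useful")


def validate_shares_plist(data: bytes) -> List[str]:
    """Return a list of problems; empty when the file matches the documented format."""
    errors: List[str] = []
    doc = plistlib.loads(data)
    if doc.get("Version") != "1":
        errors.append('Version must be the string "1"')
    home = doc.get("HomeMount")
    if not isinstance(home, dict):
        errors.append("HomeMount missing or not a dictionary")
    else:
        for key, typ in HOME_TYPES.items():
            if not isinstance(home.get(key), typ):
                errors.append(f"HomeMount.{key} missing or not {typ.__name__}")
        _check_options("HomeMount", home.get("Options"), errors)
    shares = doc.get("Shares")
    if not isinstance(shares, list):
        errors.append("Shares missing or not an array")
        return errors
    for i, s in enumerate(shares):
        where = f"Shares[{i}]"
        if not isinstance(s, dict):
            errors.append(f"{where} is not a dictionary")
            continue
        for key, typ in SHARE_TYPES.items():
            if not isinstance(s.get(key), typ):
                errors.append(f"{where}.{key} missing or not {typ.__name__}")
        url = s.get("URL", "")
        if isinstance(url, str) and not url.startswith("smb://"):
            errors.append(f"{where}.URL {url!r} is not an smb:// URL")
        _check_options(where, s.get("Options"), errors)
    return errors


# Constructed sample: the two shares from the page, one with hardening options.
SAMPLE = build_shares_plist([
    share("File Server 2", "smb://dc2.eng.nomad.test/Files",
          groups=["Share Mounter Test"], options=["MNT_NOEXEC", "MNT_NOSUID"]),
    share("Home Shares", "smb://dc1.nomad.test/Homes", automount=True),
])

# Constructed bad sample: wrong Version, an internal flag, the Option/Options typo.
BAD_SAMPLE = plistlib.dumps({
    "Version": "2",
    "HomeMount": {"Groups": [], "Mount": False, "Options": ["MNT_ROOTFS"]},
    "Shares": [{"Name": "Typo", "Option": [], "URL": "afp://old.nomad.test/Files"}],
})


def demo() -> List[str]:
    """Problems found in SAMPLE (expected: none)."""
    return validate_shares_plist(SAMPLE)


if __name__ == "__main__":
    print(SAMPLE.decode())
    print("SAMPLE problems:", demo())
    print("BAD_SAMPLE problems:", *validate_shares_plist(BAD_SAMPLE), sep="\n  ")
```

On a Mac you can additionally run plutil -lint on the written file to catch syntax errors; the validator above catches the structural ones (wrong Version, a share missing Options because the key was spelled Option, or an option that only makes sense for the kernel's own bookkeeping).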

LDAP Only Support

Starting with NoMAD 1.0.5(640) beta, NoMAD supports environments that don't have Active Directory. If you have a Kerberos environment that has been integrated with an LDAP server, NoMAD can give you the same functionality you would get if AD were in the mix. Since there's a variety of different LDAP setups, please test this in your environment and let us know if it's missing anything.

Getting it working

NoMAD is designed to configure as much as possible automatically and relies on a number of AD-focused methods to do that. Without an AD environment you may not have all of these services in place. Don't worry: you can manually configure everything you need.

Starting Off

To get NoMAD to start doing LDAP-only queries you can set the LDAPOnly preference key to true.

SRV Records

NoMAD by default attempts to find both LDAP and Kerberos services via SRV records in your DNS. You most likely have these for your Kerberos KDCs, but you may not have them for your LDAP servers. To work around this, set the LDAPServerList preference key to a comma-separated list of your LDAP servers.

LDAP over SSL

Many LDAP environments use LDAP over SSL (LDAPS). NoMAD fully supports this, but you'll need to set the LDAPOverSSL preference key to true. Before enabling it, confirm that each server in your list presents a certificate the Mac trusts; an untrusted or mis-named certificate is the most common reason an LDAPS setup fails.
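The script below is an added example (not NoMAD's own code) for the two manual steps above: it splits an LDAPServerList value the way the key is documented (comma-separated) and then opens a certificate-verifying TLS connection to each server so you can see whether LDAPOverSSL has a chance of working. It assumes an optional :port suffix for its own checks, which the page does not document for NoMAD, and it verifies against the client's trust store as a standard TLS client would; nothing here describes how NoMAD itself validates certificates.

```python
"""Check the servers in NoMAD's LDAPServerList before enabling LDAPOverSSL.

Added example, not NoMAD's own code. LDAPServerList is documented as a
comma-separated list of LDAP servers; the optional :port suffix handled here
is this script's assumption, as is the default-port choice (636 for LDAPS,
389 otherwise). IPv6 literals are not handled.
"""
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple

LDAP_PORT, LDAPS_PORT = 389, 636


def parse_server_list(value: str, ldap_over_ssl: bool) -> List[Tuple[str, int]]:
    """Split an LDAPServerList value into (host, port) pairs.

    Whitespace around entries is ignored, empty entries are dropped, and the
    port defaults to 636 when LDAPOverSSL is true, 389 otherwise.
    """
    default_port = LDAPS_PORT if ldap_over_ssl else LDAP_PORT
    servers: List[Tuple[str, int]] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            servers.append((host, int(port)))
        else:
            servers.append((entry, default_port))
    return servers


def check_tls(host: str, port: int = LDAPS_PORT, timeout: float = 5.0,
              cafile: Optional[str] = None) -> Dict[str, object]:
    """Connect with chain and hostname verification and report the outcome.

    Uses the platform trust store (or `cafile`). An untrusted issuer, a name
    mismatch, a timeout or a refused connection is returned as 'error' rather
    than raised, so the whole list can be checked in one pass.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    result: Dict[str, object] = {"host": host, "port": port, "ok": False,
                                 "error": "", "protocol": "", "not_after": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert() or {}
                result.update(ok=True, protocol=tls.version() or "",
                              not_after=cert.get("notAfter", ""))
    except OSError as exc:  # ssl.SSLError, socket.timeout and gaierror are all OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def check_server_list(value: str, ldap_over_ssl: bool,
                      timeout: float = 5.0) -> List[Dict[str, object]]:
    """Run check_tls against every server named in an LDAPServerList value."""
    return [check_tls(host, port, timeout)
            for host, port in parse_server_list(value, ldap_over_ssl)]


if __name__ == "__main__":
    # Constructed default list; pass your own value as the first argument.
    value = sys.argv[1] if len(sys.argv) > 1 else "ldap1.nomad.test, ldap2.nomad.test"
    for r in check_server_list(value, ldap_over_ssl=True):
        status = "OK" if r["ok"] else f"FAIL {r['error']}"
        print(f"{r['host']}:{r['port']} {status} {r['protocol']} {r['not_after']}")
```

Run it with the same string you intend to put in LDAPServerList; every server should report OK (with a sensible notAfter date) before you set LDAPOnly, LDAPServerList and LDAPOverSSL with defaults write com.trusourcelabs.NoMAD. A certificate that only verifies with a custom cafile tells you the issuing CA still needs to be trusted on the Macs.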

Test It!

NoMAD will allow password changes, scripts and other actions, sign in and sign out, and local password synchronization. The only major feature you won't have is the password expiration countdown, mostly because there's no real standard way to do this in an LDAP-only environment. However, if you're interested in this, please let us know along with how you've implemented it, as this is something we'd be happy to put more work into.