This started off as a smaller update, then got bigger…

Some cool new features, a few bug fixes, and then a big new feature that we know will evolve some over time. In addition, NoMAD is now all in Swift 4 and all the warnings in Xcode are gone. You can thank Josh for that work.

Bug Fixes

  • Fewer password prompts when updating keychain items. In fact… you should have no password prompts.
  • We dug deep into Kerberos and should have squashed the annoying “Domain not set” issue when attempting to change your password through NoMAD for the first time.
  • Recursive group search works with “,” in user names.
  • Allow for both an expired AD password and a non-matching local password at the same time.
  • Better handling of the current date when looking for UPC alerts. This should minimize erroneous UPC Alerts.
  • Better handling of when your SSL Cert template doesn’t actually exist on the Windows CA.

Features

  • Match any keychain item account for updates with <<ANY>>.
  • When using UPCAlerts and a URL for the password change type, NoMAD will check for new passwords every 30 seconds for 15 minutes to catch the new password change even faster.
  • The Sign In window can no longer be closed if SignInAlert is set and the user has not signed in at least once.
  • The current AD site being used is written out to the preference file.
  • Known bad domain controllers can be blocked by listing them as an array of FQDNs in LDAPServerListDeny.
  • A new pref key, DontShowWelcomeDefaultOff will pre-tick the “Don’t show again” box on the welcome screen so users won’t have to do it themselves when it first appears.
  • UseKeychainPrompt will now show the Sign In window whenever the user does not have a password in the keychain, even if the user has signed in before.
  • Certs pulled via NoMAD can have airport and eapolclient added to them with the use of the AllowEAPOL key.
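One way to deploy several of the keys described above, as an added example that is not from the NoMAD project or the original post: a preference plist for the assumed NoMAD preference domain menu.nomad.NoMAD (installable through a configuration profile or `defaults`). The domain controller hostnames are constructed placeholders, and the boolean type of each key other than the array is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Assumed preference domain: menu.nomad.NoMAD (example, not NoMAD's own sample config) -->
<plist version="1.0">
<dict>
    <!-- Known bad domain controllers to block; FQDNs below are constructed placeholders -->
    <key>LDAPServerListDeny</key>
    <array>
        <string>dc-retired.example.com</string>
        <string>dc-broken.example.com</string>
    </array>
    <!-- Pre-tick "Don't show again" on the welcome screen (boolean type assumed) -->
    <key>DontShowWelcomeDefaultOff</key>
    <true/>
    <!-- Show the Sign In window whenever no password is stored in the keychain -->
    <key>UseKeychainPrompt</key>
    <true/>
    <!-- Let airport and eapolclient use certificates NoMAD pulled from the CA -->
    <key>AllowEAPOL</key>
    <true/>
    <!-- Enable UPC alerts; the 30-second polling described above applies when
         the password change type is a URL -->
    <key>UPCAlerts</key>
    <true/>
</dict>
</plist>
```

Keep the deny list short and reviewed: every FQDN listed is a controller NoMAD will never fall back to, so a stale entry silently reduces redundancy.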

Actions Menu

We thought this would take us a bit longer… but NoMAD now includes a full actions menu which can hold as many “actions” as you’d like. Each action is a customized menu item that can have scripts and other built-in actions behind it. Each item can have multiple actions chained together, plus the ability to show or hide the item and even put red/yellow/green dots next to the items.

This is a fairly robust way of putting as many custom menu items as you’d like into a submenu in NoMAD.

You can read all about it here

To bind or not to bind to Active Directory is the debate today.

A couple of years ago, the general recommendation was to bind computers to Active Directory. With the change from desktop and shared computers to 1-to-1 laptop deployments, the picture has dramatically changed.

After the Kerbminder and ADPassMon scripts, we now have two alternatives:

  • Apple Enterprise Connect
  • NoMAD

Arguments for binding or not binding to Active Directory

Topic | Binding | Not binding
--- | --- | ---
802.1x Wi-Fi (WPA2 Enterprise EAP-TLS) | Can use the machine certificate generated by AD. A profile can also deploy the root certificates and request a machine certificate through SCEP. | NoMAD can request an 802.1x certificate.
Kerberos tickets | AD automatically provides Kerberos tickets, but only at login and when unlocking from the screensaver. On mobile computers, users do not log out as often and are mostly on Wi-Fi, which does not have time to connect before the screensaver is unlocked. As a result, Kerberos tickets are rarely renewed. | Enterprise Connect or NoMAD handles the renewal of Kerberos tickets.
AD users can log in to any bound Mac; shared use of Macs (e.g. lab computers) | As user identification and authentication reside on the server, users can log in on any bound Mac. This is especially interesting for shared environments such as labs. | On mobile devices this is getting harder, as Portable Home Directories (syncing the user home from a file share) are no longer supported. The only remaining option is network home directories, which are impractical in a mobile environment.
User identification and computer usage traceability | Binding to AD ensures that each username and uid is used only once across the bound Macs. | An MDM can better trace computer usage.
Users can be admins via the directory plugin | A group of users can be specified as local admins. | An MDM can create a “management account” and take care of renewing its password.
Password policies | Password policies are handled in the AD account. | A password policy can be deployed.
User password expiry | Password expiry is handled in the AD account. | A password policy can be deployed.
Ease of setup | The computer needs access to AD during setup. | No particular setup is needed. For authenticated DEP, the computer needs access to the MDM.
Account lock | The local account is locked at the next login or unlock from the screensaver. | A better way to lock the user out is to issue the MDM lock or wipe command.
Keychain | The keychain password is not synchronized with Active Directory. When the password change is not done on the Mac, the user will be prompted to enter their old and new password. | Local and remote passwords are not synced. Enterprise Connect or NoMAD will sync the local password when it detects a change, and the change will be replicated to the keychain.
FileVault password | FileVault and remote passwords are not synced. When the AD password is reset, FileVault keeps the previous password, so FileVault must also be reset using the recovery key. | FileVault and remote passwords are not synced. Enterprise Connect or NoMAD will sync the local password when it detects a change, and the change will be replicated to FileVault.

Choosing between NoMAD and Apple Enterprise Connect

Versions used:

  • Enterprise Connect 1.6.3
  • NoMAD 1.0.3
  • macOS 10.12
x Enterprise Connect NoMAD (Active Directory binding)
Vendor Apple Open Source Apple
Support Supported by Apple PS as included in the engagement and/or AppleCare OS Support Support plans available Supported by AppleCare OS Support
OS requirement 10.9+ 10.10+ 10.3+
Single Sign-On Automatically Automatically Only at login and screensaver
Password Expiration via Notification Center via Notification Center Only at Login
Password change via menu item via menu item via System Preferences or login window
Fine Grained Password Policy support ~ (doesn’t honor password expiration time) x
Quick links to getting support and software x x
Support for changing passwords not using AD, e.g. a web-based password portal x x
Password Synchronization Only when user is logged in Only when user is logged in Automatic
Home Network Share Automount x
Network Share Automount Planned x
Support for SSO on DFS shares x Planned x
AD Binding required? x x
macOS native? Uses Apple Frameworks Uses Apple Frameworks macOS Native
Script on password change x
Script on connection completed x
Audit script x x
Distribution single .pkg single .pkg macOS Native
Configuration via a Configuration Profile (and .plist) via a Configuration Profile (and .plist) multiple ways
X509 Identity from CA x Mature
Language Support English English, French, German, Danish, Swedish All macOS languages
Maturity Mature 1.0.4 x
Installation Two-day on-site professional services engagement None None
Price $5,500 (one-time fee) Free, Support plans available ($399 to $2,500 per year) Free
Availability Contact your local Apple Sales Rep http://nomad.menu macOS Native


Source: http://macadminsdoc.readthedocs.io/en/master/Integration/Active_Directory.html

© 2017 Orchard & Grove Inc.