NoMAD 1.1.4 Released!

NoMAD 1.1.4


Overall, this release is a mix of small tweaks and bug fixes, in particular to automatic cert generation and keychain item handling. If you’re using NoMAD to pull certs, this is a good update to install; otherwise most of the other changes are minor.


Most of the changes are non-UI based. The biggest impact to users may be the icon change when clicking on the icon, as we use the dark icon to invert when clicked on. If you’re using custom icons, make sure you’ve set the dark ones as well to allow for this inversion.

We hope to address our longest running issue, the lack of a Kerberos domain being set, when attempting to change a password for the first time. With 1.1.4 we will now write out a preference file to ~/Library/ with your AD domain as soon as NoMAD is launched for the first time.

An additional long-running issue is also addressed in that using the TitleSignIn key will work more consistently.

As mentioned above, if you’re using NoMAD to automatically pull certs, this would be a good update to install as a number of issues have been fixed.

Change Log

– fix for Sign In window not fully displaying
– About menu now in menu
– icon now alternates when clicking on the NoMAD icon in the menu bar
– icon alternates correctly when in dark mode
– Kerberos preferences written out on first launch to further prevent the “Domain not found” error when changing passwords
– Certificate expiration computed better, and won’t crash on an already expired cert
– Automatically getting certs won’t cause a massive amount of certs to be generated
– Certificate cleaning will only happen if asked
– User password in the keychain will be looked for in many ways to ensure that the user name case isn’t an issue
– better defaults printing in the logs with -prefs
– fix for Sign In Window title not showing correctly when forced
– better handling of when all DCs in a site go down
– action menu fixes to correct actionTrue and to allow for custom titles and red/yellow/green icons
– ability to get custom list of attributes from AD
– better handling of shares in the Shares Menu when switching users
– nomad://getuser will put entire AD user record into the logs
– AppleScript Support
– Option to always make the current local user the primary Kerberos ticket
– Minor update to German localization
– Option to auto-mount shares via the Finder
– Write out current domain controller to NoMAD preferences

NoMAD 1.1.3 released!

This started off as a smaller update, then got bigger…

Some cool new features, a few bug fixes, and then a big new feature that we know will evolve some over time. In addition, NoMAD is now all in Swift 4 and all the warnings in Xcode are gone. You can thank Josh for that work.

Bug Fixes

  • Fewer password prompts when updating keychain items. In fact… you should have no password prompts.
  • We dug deep into Kerberos and should have squashed the annoying “Domain not set” issue when attempting to change your password through NoMAD for the first time.
  • Recursive group search works with “,” in user names.
  • Allow for both an expired AD password and a non-matching local password at the same time.
  • Better handling of the current date when looking for UPC alerts. This should minimize erroneous UPC Alerts.
  • Better handling of when your SSL Cert template doesn’t actually exist on the Windows CA.


  • Match any keychain item account for updates with <<ANY>>.
  • When using UPCAlerts and a URL for the password change type, NoMAD will check for new passwords every 30 seconds for 15 minutes to catch the new password change even faster.
  • The Sign In window is now unable to be closed if SignInAlert is set and the user has not signed in at least once.
  • The current AD site being used is written out to the preference file.
  • Known bad domain controllers can be blocked by listing them as an array of FQDNs in LDAPServerListDeny.
  • A new pref key, DontShowWelcomeDefaultOff, will pre-tick the “Don’t show again” box on the welcome screen so users won’t have to do it themselves when it first appears.
  • UseKeychainPrompt will now show the Sign In window whenever the user does not have a password in the keychain, even if the user has signed in before.
  • Certs pulled via NoMAD can have airport and eapolclient added to them with the use of the AllowEAPOL key.

Actions Menu

We thought this would take us a bit longer… but NoMAD now includes a full actions menu which can hold as many “actions” as you’d like. Each action is a customized menu item that can have scripts and other built in actions behind it. Each item can have multiple actions chained together plus the ability to show or hide the item and even put red/yellow/green dots next to the items.

This is a fairly robust way of putting as many custom menu items as you’d like into a submenu in NoMAD.

You can read all about it here

NoMAD 1.1.2 Released

This is a minor update to NoMAD mainly to correct some issues with certificate retrieval.

Updates in this release:

  • fix for pulling certs too often when GetCertAutomatically is set
  • fix for LDAPServerList not working
  • remove build numbers from UI since builds are now in version number

If you are not using LDAPServerList or GetCertAutomatically there is not much need to update.

NoMAD 1.1 Released!

We’re excited to announce that NoMAD 1.1 is available! Here’s an overview of what’s changed.

  1. Shares Menu – this is our biggest new feature since the initial launch of NoMAD almost a year ago. The Shares Menu allows you to provide a number of file shares for your users and mount them as needed based upon group membership and with variable substitution in the URLs.
  2. Keychain Item synching – NoMAD will update a collection of Keychain items each time the user changes his or her password in AD.
  3. 802.1x TLS profiles – NoMAD can associate a user cert from AD with an 802.1x wireless profile.
  4. Welcome window – first time users of NoMAD can be shown a standard introduction to what NoMAD is, or get a custom HTML page that’s specific for your environment.
  5. Recursive group lookups – you can specify all groups to be returned, including nested groups. Note that this may increase look up times.
  6. FirstRunDone – in conjunction with the Welcome window, you can now know when NoMAD has run for the first time.
  7. Anonymous LDAP – NoMAD can now be functional in non-AD environments that have anonymous binding.
  8. Open Directory Support – there is now a specific setting for OD to handle the differences between OD and other forms of LDAP servers.
  9. Sign In Window changes – the sign in window can be excluded from automatically showing for certain users. This is particularly handy when you log in to a machine as a local admin and do not want to be pestered by the NoMAD Sign In window constantly popping up. On the other hand, NoMAD can now be configured to make the Sign In window pop to the front of all windows in the Finder on a regular basis for users that either forget to sign in or are actively trying to ignore signing in.
  10. More user attributes – NoMAD will now record a user’s e-mail address and UPN from his or her AD account and store this in NoMAD’s preference file.
  11. Fix for High Sierra not updating passwords in AD when changing the password for Mobile Accounts.
  12. Russian localization
  13. Some updates to having NoMAD use more of the Kerberos APIs for things like determining which of your current Kerberos tickets is your default.

Please see our knowledge base article on all preferences to see the new ones for 1.1 that can manage these settings.

NoMAD 1.0.5

We’re excited to announce the release of NoMAD 1.0.5.

NoMAD 1.0.5 is primarily a maintenance release, however, we’ve fixed a few bugs, made things run a bit faster and have introduced a few new pref keys.

The bigger new features in 1.0.5 are the ability to have an LDAP-only environment where no AD is present and more granular controls on which users will have their password synced locally.

We are also localized in Spanish now as well, thanks to @lctrkid

Bug Fixes

– Not really a NoMAD bug, but NoMAD now cleans up klist output on macOS 10.10 that erroneously adds blank spaces for 0 in the issued timestamp.

– NoMAD is now happy to use network-only accounts from AD. Previously NoMAD would only work with mobile accounts.

– NoMAD pre-flights any password changes against the local system now before changing in AD. This ensures that any local password policies won’t prevent the password change from working.

– Significant changes to the password complexity warnings when changing passwords. The pref file will be much less finicky about having all of the complexity types in it. Also a popover will be shown and the user experience is generally much better. Thanks to @ludeth for the help here.

– Get Software menu item will now prefer a custom path instead of any self service applications that are found. Previously NoMAD would always go to any of the installed Self Service apps and ignore the custom path.

Pref Keys

ConfigureChromeDomain – String – This will allow NoMAD to configure a domain in Chrome for Kerberos authentication beyond just the AD domain. Set this to your top-level domain that has to do with Kerberos and NoMAD will use that and wildcard any subdomains.

HideGetSoftware – Bool – This will determine if NoMAD shows the Get Software menu or not.

HideSignOut – Bool – This will determine if NoMAD hides the Sign Out menu or not.

LDAPOnly – Bool – Sets NoMAD to just use LDAP instead of treating the remote server as AD. Essentially this just tells NoMAD to not lookup the password expiration information and get the groups in a slightly different way.

LocalPasswordSyncDontSyncLocalUsers – [String] – An array of user names. If one matches the current local user, NoMAD won’t synchronize the password regardless of what user logs into AD.

LocalPasswordSyncDontSyncNetworkUsers – [String] – An array of user names. If one matches the AD user signing into NoMAD, NoMAD will not synchronize the password.

MenuChangePassword – String – Allows you to override the standard Menu Item text for Change Password.

MenuGetCertificate – String – Allows you to override the standard Menu Item text for Get Certificate.

PasswordExpirationDays – Integer – Allows you to override whatever AD tells you is the standard password reset interval.

PasswordExpireCustomAlert – String – Custom alert to show in the menu bar instead of days to go.

PasswordExpireCustomWarnTime – Integer – Will cause the custom alert to be only shown at a specific threshold, and in yellow.

PasswordExpireCustomAlertTime – Integer – Will cause the custom alert to be only shown at a specific threshold, and in red.

SignOutCommand – String – Path to a script or other binary that you want to execute when a user signs out of NoMAD.

UPCAlertAction – String – Path to a script or binary that you want to execute whenever a UPCAlert is triggered. Pull Request credit to Ryan Jenkins.


NoMAD 1.0.5 package installer and zip file are now available in Downloads.

NoMAD 1.0.4

We’re excited to announce the release of NoMAD 1.0.4 today.

This release picks up a few bugs from 1.0.3, adds another localization, gives more options on how to display the password expiration countdown, and then implements a fairly comprehensive new set of password policies. You can find the complete list of issues here.

A few highlights:

  1. Password countdown – If you don’t want to see it, you can hide the password expiration countdown regardless of if the user’s password is set to expire in AD. You can do this via defaults write com.trusourcelabs.NoMAD HideExpiration 1. On the other hand… if you want to see the countdown more often, you can set that as well so that NoMAD will keep the countdown in the menu bar even if the user is not logged into AD. You can set this by defaults write com.trusourcelabs.NoMAD PersistExpiration 1.
  2. UI changes – You can now close all windows with cmd-W, we’d not even realized we weren’t doing that. Now it’s fixed. Also there’s a spinner that shows up when you’re logging in or changing your password. This gives the user some better feedback that something’s going on under the covers.
  3. Spaces in names – You may not have realized, but NoMAD supports users with a space in their short name. I didn’t realize that AD even allowed that, but it does… Now NoMAD supports spaces in the home share as well.
  4. Prompting users to sign in – NoMAD can now put up a Sign In window after launch as soon as the domain is reachable and a user isn’t already signed in. You can use this for prompting your users to sign in after logging into their Mac. Enable this with defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch 1.
  5. Ignoring password sync – It’s possible to want NoMAD to sync the AD password down onto the local user, but not want that all the time. Now you have two ways of doing this. First you can use the alternative Sign In, by holding down control-option when clicking the NoMAD menu. When signing in this way, no synchronization will be done. You can then sign out, and the original Kerberos credential will be intact. Secondly you can tell NoMAD to only sync passwords when the AD name matches the local user name. Enable this with defaults write com.trusourcelabs.NoMAD LocalPasswordSyncOnMatchOnly 1.
  6. Password policies – This is probably the biggest new feature of 1.0.4. You can now tell NoMAD what your AD password policy is and NoMAD will ensure that’s met before allowing the user to change their password. You can set this policy by defaults write com.trusourcelabs.NoMAD PasswordPolicy -dict minLength 6 minUpperCase 2 minLowerCase 2 minNumber 2 minSymbol 1 and then the user will get red and green dots next to the passwords in the Change Password window. Mousing over the colors will then tell the user exactly what part of the policy the password is not meeting. The Change Password button will only be enabled when the password meets the policy. In addition NoMAD will now ensure the new password can actually be set locally, if you have password syncing enabled, and alert the user that the password isn’t compliant.
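
To sanity-check a PasswordPolicy value before deploying it, the following added example (not NoMAD's own code) parses the defaults command shown above and reports which requirements a candidate password fails. The function names are hypothetical, and the definition of a "symbol" is an assumption, since the page does not say how NoMAD counts one.

```python
import shlex

# Command exactly as given in the release notes above.
PAGE_COMMAND = ("defaults write com.trusourcelabs.NoMAD PasswordPolicy -dict "
                "minLength 6 minUpperCase 2 minLowerCase 2 minNumber 2 minSymbol 1")

# Policy keys named on the page, each paired with the character test assumed here.
COUNTERS = {
    "minLength": lambda c: True,
    "minUpperCase": str.isupper,
    "minLowerCase": str.islower,
    "minNumber": str.isdigit,
    # Assumption: a "symbol" is anything that is not a letter, digit or whitespace.
    "minSymbol": lambda c: not (c.isalnum() or c.isspace()),
}

def parse_policy(command):
    """Extract the key/value pairs that follow -dict into {key: int}."""
    args = shlex.split(command)
    pairs = args[args.index("-dict") + 1:]
    if len(pairs) % 2:
        raise ValueError("-dict needs key/value pairs")
    policy = {}
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if key not in COUNTERS:
            raise ValueError(f"unknown policy key: {key}")
        policy[key] = int(value)
    return policy

def evaluate(password, policy):
    """Return {key: True/False} per requirement (one green or red dot per rule)."""
    results = {}
    for key, minimum in policy.items():
        count = sum(1 for ch in password if COUNTERS[key](ch))
        results[key] = count >= minimum
    return results

def unmet(password, policy):
    """Keys the password fails; an empty list corresponds to a compliant password."""
    return [key for key, ok in evaluate(password, policy).items() if not ok]

if __name__ == "__main__":
    policy = parse_policy(PAGE_COMMAND)
    for candidate in ("Summer17", "ABcd12!"):  # constructed sample passwords
        print(candidate, unmet(candidate, policy))
```
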

We’ve also updated the list of preference keys for all of the new 1.0.4 versions.

Keep the feature requests coming, and we’ll keep making NoMAD better!