Join Head of Engineering Josh Wisenbaker as he walks you through our new open source product NoMAD Login. You’ll learn how to use NoMAD Login to create customized workflows including just-in-time user creation, mobile account de-mobilization, FileVault enablement at first login with APFS file systems and more.
Click on the links below to register for your preferred time.
Monday, February 26 at 3 p.m. CT
Tuesday, February 27 at 7 a.m. CT
NoMAD 1.1.1 is a minor updated incorporate a few new features and some bug fixes.
UseKeychainPrompt – Boolean – Prompts the user to sign into NoMAD at least once so that the password can be set in the keychain. This is typically used with bound systems and mobile accounts.MessageUPCAlert – String – Allows you to customize the UPCAlert notification text.AutoRenewCert – Integer – Key to specify the number of days to go on a cert before automatically renewing it.ConfigureChromeDomain.Note: this has been updated as of NoMAD 1.1 build 734 beta to reflect the new dictionary of items.
What are Keychain Updates?
New in the NoMAD 1.1 Beta is the ability to update keychain items when a user changes their password.
Currently this is listed as a dictionary of keychain item names and account pattern pairs. NoMAD will look for these items in your keychain that have an account name that matches a search pattern. It will then update the item with the new password.
We expect there to be a lot of special casing here, so please investigate what items you’d like to change and if you need additional features.
Patterns
Currently NoMAD can handle 6 different variables that you can use to create the account pattern match. These are domain, fullname, serial, shortname, upn, and email. You can build search patterns from all of these and mix with static characters. The variables are set off by << >>. For example the pattern <<shortname>>@company.com would expand to the AD shortname of the user followed by @company.com.
If an attribute is unavailable for a user it will default to blank. So <<email>> for a user with no e-mail address defined in AD will expand to “”. This may not be ideal, so please let us know if this doesn’t fit your needs.
How to make it work
First you’ll need to add an array of keychain item names
defaults write com.trusourcelabs.NoMAD KeychainItems -dict 'test1' '"<<upn>>"'
Note the single then double quotes to properly escape the <<>> characters in that command.
Now change your password in NoMAD v. 1.1(732) or later.
Troubleshooting
New in 1.1(732) and later is the keychainItemsDebug flag that will provide more verbose output to the logs and attempt to update passwords everytime you sign in through the sign in window. This should make it much easier to determine what will be updated. Plus additional logging will be done of what items will be changed.
Keychain item example
In the keychain item below, the “Name” is what you add to the array in the NoMAD defaults. The “Account” field will need to match the substitution pattern for that item.
Feedback
We know that this current methodology won’t always line up with what you may need, as such we’d love to hear from you as to how to make this better. In particular it’s quite possible that your user’s UPN doesn’t match up with the accounts in the Keychain Item. Please let us know on GitLab or the #nomad Slack channel.