2. User Interaction
NoMAD Testing Guide
A checklist for evaluating NoMAD in your environment. This should also give you some ideas about NoMAD deployment and usability scenarios as well.
Next you will want to test additional user functionality beyond a simple sign in and sign out. To do that we’ll walk through the rest of the menu items. To begin with please sign in to AD with NoMAD so that you have a valid user already logged in and your NoMAD menu will look similar to this:
- If the currently signed in user has a password expiration date, hovering your mouse over the NoMAD icon in the menu bar will show you the actual day and time their password expires.
- Holding down the “option” key while clicking on the NoMAD menu will show the expiration date of your current Kerberos TGT and the AD Domain Controller that NoMAD is currently using for all LDAP lookups in the second item on the NoMAD menu.
- Test renewing your Kerberos ticket by using the “Renew Tickets” menu item. This will renew the ticket with AD and ensure that your Kerberos ticket has the longest duration possible. You can verify this by using the
klisttool on the command line, or by holding down the “option” key again to view the ticket lifetime in the second line of the NoMAD menu. Note that it may take a few seconds for the lifetime to update in the menu.
- Next change the user’s password by using the “Change Password” menu item. This will bring up the “Change Password” window and allow you to enter your old password and then the new password twice. When you click the “Change Password” button, NoMAD will change the user’s AD password via Kerberos.
- If no errors occurred, the user’s AD password will be changed and any password expiration dates will be updated. Note that most AD environments will only allow a password to be changed once every 24 hours. Also note that this will not change the password of the local user account on the Mac by default. That can be enabled using a preference key if desired.
- Next use the “Lock Screen” button to sleep the Mac’s screen. If you have the system configured to require password when waking the screen, you will be prompted to enter it.
- If you have a) Jamf Self Service, b) Munki Managed Software Center, or c) Lan Rev Agent installed on this system, the “Get Software” menu item will be available and will launch the appropriate self service application when clicked. Note that if you have none of those applications, this menu item will not appear. Also note that you can specify a different application to be launched by this menu by setting a preference key.
- Next use the “Get Help” menu item. This will open a web browser to http://www.apple.com/support by default. However, similar to many other menu items in NoMAD, you can set this to an application, a script, another webpage or even a Bomgar remote support session via the preference keys.
- Next select the “Preferences” menu item. Here you will find the most commonly used options and the only options that are accessible through the UI. The AD Domain will already be set, and the Kerberos Realm will most commonly be set to the uppercase version of the AD Domain. NoMAD will automatically fill this in fi you haven’t. The next two text fields are for specifying a Windows Certificate Authority and Certificate template for getting certificates from AD. The “Use Keychain” check box will allow NoMAD to store you AD password in you keychain and then automatically log you in. The “Renew Ticket” check box will determine if NoMAD automatically renews your Kerberos tickets. The text field next to this box allows a user to set how many seconds between renewing the Kerberos ticket. Finally the “Show Home Folder” will have NoMAD show a users home folder, as specified in their AD profile, in the menu.
- Finally the “Quit” menu item will quit NoMAD while keeping any Kerberos tickets intact on your system.