Blog

Preferences and What They Do

List of defaults keys and values.

Note: the defaults can be accessed via the defaults command using the “com.trusourcelabs.NoMAD” domain. The resulting preference file can be found at ~/Library/Preferences/com.trusourcelabs.NoMAD.plist

Setting the Keys

The simplest way to set the keys is to use the defaults command.

defaults write com.trusourcelabs.NoMAD ADDomain nomad.test

will set the AD Domain to “nomad.test” for example.

Note: Boolean values can be set in one of two ways.

  1. defaults write com.trusourcelabs.NoMAD HidePrefs 1
  2. defaults write com.trusourcelabs.NoMAD HidePrefs -bool true

Both will result in the same setting. When reviewing the prefs that have been set, using defaults read, you’ll see true values as 1 and false values as 0.

Also, for keys that take a file path value, make sure that you’re escaping the paths with a \ like:

defaults write com.trusourcelabs.NoMAD ChangePasswordCommand -string "/usr/local/bin/my\ great\ script.sh"

Note that all preferences should be manageable via profiles, MDM, etc.

Sample Configuration File

A sample unsigned .mobileconfig file containing preference keys can be downloaded here.

A note about arrays in the file

Some attributes will be an array of values. You can see the structure of this with the defaults command.

defaults write com.trusourcelabs.NoMAD LocalPasswordDontSyncLocalUsers -array bob sally pat

Keys that can be managed

Key Value Type Sample Value Function NoMAD Version
ADDomain String jodapro.com Defines the AD domain you’re working with 1.0
AutoConfigure String TSL Keyword to determine what auto configuration scheme to use 1.0
AutoRenewCert Integer 30 Sets the number of days to go on a cert before automatically renewing it 1.1.1
CaribouTime Bool true Changes the icon set to Carrie the Caribou 1.0.2
ChangePasswordCommand String “/usr/bin/local/scripts/something.bash” Script or other binary to run when a password is sucessfully changed. 1.0.3
ChangePasswordOptions String “/Applications/Google Chrome.app” Task, URL or App path for ChangePasswordType (<<serial>>, <<fullname>>, <<shortname>> and <<domain>> are currently supported as substitutions) 1.0
ChangePasswordType String None Determines type of ChangePassword function (Kerberos, Task, URL, App, and None are currently supported) 1.0
ConfigureChrome Bool true Tells NoMAD to update your Chrome settings to allow for Kerberos auth with your AD domain. 1.0.3
ConfigureChromeDomain String nomad.test Tells NoMAD to update your Chrome settings to allow for Kerberos auth with for the set domain. This allows for Chrome to work with domains other than your AD Domain. Note that the domain will be automatically wildcarded, so setting a domain of “nomad.test” will result in *nomad.test being set. Multiple domains are supported, seperate them by “,” 1.0.5
DontMatchKerbPrefs Bool true Determines if the kasspwd server is written out to the com.apple.Kerberos preference domain. 1.0.3
DontShowWelcome Bool true Determines if the Welcome window is shown on first launch. 1.1.0
ExpeditedLookups Bool false If true, NoMAD will attempt to download the entire site list and iterate it locally. Possibly saving time, but also possibly causing problems. Removed
ExportableKey Bool false determines if the private key from any generate certs can be exported 1.0
GetCertificateAutomatically Bool true Determines if a certificate is automatically requested for a user when they don’t have a valid existing certificate. 1.0.3
GetHelpOptions String “/Applications/Google Chrome.app” URL or Path for GetHelpType (<<serial>>, <<fullname>>, <<shortname>> and <<domain>> are currently supported as substitutions) 1.0
GetHelpType String URL Determines type of GetHelp function (Bomgar, URL and App are currently supported) 1.0
HicFix Bool true Enables a secondary password change with AD to fix an issue with macOS 10.13.0 with AD-bound mobile accounts. 1.1.0
HideExpiration Bool true Hides the password countdown display in the menu bar. 1.0.4
HideExpirationMessage String You’re the best!’ Specifies text to show in the menu bar when the password countdown has been suppressed. 1.0.4
HideGetSoftware Bool true Determines if the Get Software menu is visible. 1.0.5
HideHelp Bool true Determines if the Get Help menu is visible. 1.0.3
HideLockScreen Bool true Determines if the Lock Screen menu is visible. 1.0.4
HidePrefs Bool true Prevents the Preferences menu from being accessible 1.0.2
HideRenew Bool true Determines if the Renew Tickets menu is visible. 1.0.3
HideSignOut Bool true Determines if the Sign Out menu is visible. 1.0.5
HideQuit Bool true Determines if the Quit menu is visible. 1.0.3
IconOff String /usr/local/icons/NoMADOff.png Specifies an icon file to use for when NoMAD is not connected. Note: this needs to be a 16×16 image to display correctly. 1.0.3
IconOffDark String /usr/local/icons/NoMADOffDark.png Specifies an icon file to use for when NoMAD is not connected in dark mode.Note: this needs to be a 16×16 image to display correctly. 1.0.3
IconOn String /usr/local/icons/NoMADOn.png Specifies an icon file to use for when NoMAD is connected. Note: this needs to be a 16×16 image to display correctly. 1.0.3
IconOnDark String /usr/local/icons/NoMADOnDark.png Specifies an icon file to use for when NoMAD is connected in dark mode. Note: this needs to be a 16×16 image to display correctly. 1.0.3
InternalSite String in-or-out.jodapro.com FQDN of a site inside your internal network Removed
InternalSiteIP String 10.0.37.23 IP address of the InternalSite Removed
KerberosRealm String JODAPRO.COM Defines your Kerberos realm 1.0
KeychainItems Dictionary {Exchange:<>} A Dictionary or Keychain Items matching an item name to an account name. On password change, NoMAD will update these items with the user’s new password. 1.1.0
LDAPAnonymous Bool true Determines if NoMAD uses anonymous LDAP binding when getting the user record. 1.1.0
LDAPServerList String 2k12.jodapro.com, ausaddc2.jodapro.com List of LDAP servers for NoMAD to use instead of doing SRV lookups 1.0
LDAPOnly Bool true Sets NoMAD to treat the remote server as just an LDAP server and not specifically AD. 1.0.5
LDAPOverSSL Bool true Determines if NoMAD uses LDAP over SSL. 1.0.3
LDAPType String OD An indication of what specific LDAP type is in use. Currently only “OD” for Apple’s Open Directory is available. 1.1.0
LocalPasswordSync Bool true Determines if we keep the local password in sync with the network password or not 1.0
LocalPasswordSyncDontSyncLocalUsers Array of Strings [“bob”, “sam”, “pat”] An array of user names that if they match the current local user, NoMAD won’t synchronize the password regardless of what user logs into AD. 1.0.5
LocalPasswordSyncDontSyncNetworkUsers Array of Strings [“bob”, “sam”, “pat”] An array of user names that if they match the AD user signing in, NoMAD won’t synchronize the password regardless of what user logs into AD. 1.0.5
LocalPasswordSyncOnMatchOnly Bool true Determines if the domain password will be synced to the local account only when the account names match. 1.0.4
LoginItem Bool false Determines wether or not to add NoMAD to the user’s start up items 1.0
MenuChangePassword String Update Account Changes the menu text of the Change Password menu item. 1.0.5
MenuGetCertificate String Update Account Changes the menu text of the Get Certificate menu item. 1.0.5
MenuHomeDirectory String Network Home Changes the menu text of the Home Directory menu item. 1.0.3
MenuGetHelp String Support Changes the menu text of the Get Help menu item. 1.0.3
MenuGetSoftware String Software Changes the menu text of the Software menu item. 1.0.3
MenuPasswordExpires String Welcome! Changes the menu text of the password expiration menu item before a user logs in. 1.0.3
MenuRenewTickets String Renew Changes the menu text of the Renew Tickets menu item. 1.0.3
MenuUserName String Changes the menu text of the user name menu item before a user logs in. 1.0.3
MenuWelcome String /usr/local/welcome/ Path to a folder enclosing an index.html file and associated resources for displaying as a Welcome screen when running NoMAD. 1.1.0
MessageLocalSync String Please provide your local password. Message text for when a user is asked for their local password to sync their network password to their local account. 1.0.3
MessageNotConnected String No dice! The text in the menu bar to display when NoMAD is not connected to the AD domain. 1.0.3
MessagePasswordChangePolicy String Your password is required to have 128 characters. Message text to display in the password change dialog to help the user understand how complext they need to be. 1.0.3
MessageUPCAlert String Your password was changed elsewhere. Message to be shown in an UPCAlert notification 1.1.1
PasswordExpireAlertTime Int 3600 The threshold, in seconds, for when to start notifying the user about their expiring password – set to 0 to never be bothered, and defaults to 15 days or 1,296,000 seconds 1.0
PasswordExpireCustomAlert String Account expiring soon Custom alert to show in the menu bar instead of days to go. 1.0.5
PasswordExpireCustomWarnTime Integer 20 Will cause the custom alert to be only shown at a specific threshold, and in yellow. 1.0.5
PasswordExpireCustomAlertTime Integer 5 Will cause the custom alert to be only shown at a specific threshold, and in red. 1.0.5
PasswordPolicy Dictionary {
minLength = 6;
minLowerCase = 2;
minNumber = 2;
minSymbol = 1;
minUpperCase = 2;
minMatches = 3;
};
Will show visual indicators to the user when changing his or her password that it does not meet policy. Note: the values need to be set as Strings in your dictionary. 1.0.4
PersistExpiration Bool false Setting this to true will display the password expiration countdown even when the user is not logged into the domain. 1.0.4
RecursiveGroupLookup Bool true Allows for recursive group lookups in AD to find all nested groups a user may be a member of. 1.1.0
RenewTickets Bool false Setting to determine if auto ticket renewal is used 1.0
SecondsToRenew Int 3600 Setting for how often to renew tickets 1.0
SelfServicePath String “/Applications/IT Software.app” Sets a path for an application to be used with the Get Software menu item 1.0
ShowHome Bool false Determines whether the AD home share is shown in the menu 1.0
SignInCommand String “/usr/bin/touch /tmp/login” Script or command to be run when NoMAD completes a successful sign in to AD 1.0
SignInWindowAlert Bool true Makes the NoMAD Sign In window the foremost window when a user is not signed in. 1.1.0
SignInWindowAlertTime Int 360 Seconds between the SignInWindowAlert making the Sign In window the foremost window. 1.1.0
SignInWindowOnLaunch Bool false This will force the Sign In window to display when NoMAD launches. 1.0.4
SignInWindowOnLaunchExclusions Array [ituser, ituser2, otheruser] An array of strings for local users that will not be shown the Sign In window automatically. 1.1.0
SignOutCommand String /usr/local/bin/signout.sh Path to a script or other binary to execute on sign out. 1.0.5
StateChangeAction String “/Library/Application Support/scripts/notify-and-update.sh” path to a script that will be launched on network changes 1.0
Template String User Auth The certificate template that you’d like to request when using the Windows CA 1.0
TitleSignIn String Password please Changes the title of the sign in window. 1.0.2
UPCAlert Bool true Determines if NoMAD will alert the user to Unannounced Password Changes, typically when the password was changed in AD and not from the user’s system. 1.0.2
UPCAlertAction String /usr/local/bin/upca.sh Path to a script or other binary to execute when a UPC Alert occurs. 1.0.5
UseKeychain Bool true Determines whether to store the Kerberos password in the user’s keychain 1.0
UseKeychainPrompt Bool true Will cause NoMAD to force a sign in to NoMAD to caputre the password in the Keychain. 1.1.1
Verbose Bool false Enables verbose logging 1.0
WifiNetworks Array of Strings CorpNet SSIDs of wireless networks you would like to associate any certificates created with NoMAD to via an identity preference in the Keychain. 1.1.0
X509CA String x509.jodapro.com FQDN of the Windows web Certificate Authority you would like to use 1.0

Keys that are used by NoMAD and should not be managed

Keys that are available but you should not manage in any way. These are set by NoMAD while running and may be useful for scripts and other uses to get information. Setting any of these via configuration profiles or other means may have unintended consequences.

Key Value Type Sample Value Function NoMAD Version
DisplayName String Joel Rennich The long name of the user currently signed in to the domain. 1.0
LastCertificateExpiration Date 2018-03-15 06:25:28 +0000 The date of expiration for the certificate matching the current AD user. If multiple certificates are found, this will reference the certificate with the most distant expiration date. 1.0.3
LastPasswordWarning Date 2018-03-15 06:25:28 +0000 The date of when the last password warning alert was given. 1.0.3
LastPasswordExpireDate Date 2018-05-15 06:25:28 +0000 The date of when the current user’s password expires. 1.0.3
LastUser String jrennich Shortname of the last user to sign in to NoMAD. 1.0.3
SignedIn Bool true True if NoMAD is currently signed into the domain. Use this to check if the current user has Kerberos tickets. 1.0.4
UserAging Bool true Determines if the currently signed in user has an expiring password. 1.0.1
UserEmail String joel@nomad.menu The currently signed in user’s e-mail attribute from AD. 1.1.0
UserHome String //dc2.eng.nomad.test/ENG-Homes/d%20eng Homedirectory path of the current user. 1.0.3
UserPasswordSetDates Array UserPasswordSetDates = {
“jrennich@ENG.NOMAD.TEST” = “2017-01-26 04:21:36 +0000”;
“jrennich@NOMAD.TEST” = “2017-03-31 03:59:22 +0000”;
};
Array of users and the date their password was set. Used by NoMAD to keep track of UPCs. 1.0.3
UserPrincipal String jrennich@ENG.NOMAD.TEST User principal for the current user. 1.0.3
UserUPN String aeng@nomad.test The UPN of the currently signed in user. 1.1.0

© 2017 Orchard & Grove Inc.