Unannounced Password Change Alerts


Unannounced Password Change Alerts, or UPCs for short, cover the case where the password was changed outside of NoMAD, perhaps on another machine or through Active Directory Users and Groups by an IT staff member. When using the built-in AD plugin on the Mac with bound user accounts, this situation is ripe for annoyance at best or disaster at worst, because macOS will sync the user account but sometimes not FileVault, and never the user’s Keychain password.

How NoMAD Deals with UPCs

If the UPCAlert key is set in the NoMAD preferences, NoMAD will compare the last known password set date against the password set date in the user’s AD record. This happens every 15 minutes, on every network change or whenever the user clicks on the NoMAD menu.

If a discrepancy is seen between these dates, NoMAD will show a notification in the macOS Notification Center to alert the user that his or her password was changed in AD outside of NoMAD on this machine. By selecting that notification, the user is given the opportunity to sign in to NoMAD again to validate their new password. At that point NoMAD will use the user’s old password in the Keychain to update the Keychain to the new password, since on AD-bound machines the user password should already have been updated.
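
The date comparison described above, sketched in Python as an added example; it is not NoMAD's own code. It assumes the AD password set date is read from the pwdLastSet attribute (a Windows FILETIME value), and the function names, state strings and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Convert a pwdLastSet string (as returned by LDAP) to an aware datetime.

    Returns None for 0, which AD uses for "must change password at next logon".
    """
    ticks = int(raw)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def check_upc(last_known, ad_pwd_last_set, changed_locally=False):
    """Compare the stored password set date with the one in the AD record.

    Returns (state, date_to_store). changed_locally is a hypothetical flag
    meaning the change was made through the agent on this machine.
    """
    ad_date = filetime_to_datetime(ad_pwd_last_set)
    if ad_date is None:
        return "must-change", last_known   # no usable date to compare against
    if last_known is None:
        return "baseline", ad_date         # first run: record, do not alert
    if ad_date == last_known:
        return "ok", last_known
    if changed_locally:
        return "ok", ad_date               # expected change, move the baseline
    # Discrepancy with no local change: keep the old baseline until the user
    # signs in again, so the alert repeats on the next check if it is ignored.
    return "upc-alert", last_known


if __name__ == "__main__":
    # Constructed sample values: 2017-03-01 and 2017-03-02, 00:00 UTC.
    stored = filetime_to_datetime("131328000000000000")
    for raw in ("131328000000000000", "131328864000000000", "0"):
        print(raw, check_upc(stored, raw))
```
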

Important Considerations

For this to work, the user must be storing their password in the Keychain, which is controlled by the UseKeychain setting in the NoMAD preferences. Also, NoMAD must be up and running on a computer when the notification is detected. If the user is signed out of his or her Mac when this happens, NoMAD is unable to do anything to fix this. In addition, the Mac needs to be on the AD domain for the alert to be triggered.

The UPCAlert state is a unique situation for NoMAD, because on AD-bound machines the user password will be automatically updated by the act of checking the password, so checking the user password is not enough to determine that the user is in this state.

Other Notes

NoMAD also has the option of triggering an action at the time of a UPCAlert. This is set with the UPCAlertAction preference key.

© 2017 Orchard & Grove Inc.