NoMAD Testing Guide
This guide serves as a checklist for evaluating NoMAD in your environment. It should also give you some ideas about NoMAD deployment and usability scenarios as well.
Start at the beginning by downloading a fresh copy of NoMAD on a fresh Mac. It doesn’t matter if the Mac is bound to AD or not; NoMAD will work either way.
You can find the download here, in the Support section of the website.
- Launch NoMAD. The binary is signed, as all good applications should be, and can be run from any location. The application’s icon is a caribou, the most nomadic land mammal in the world.
- If you’re not bound to AD, you’ll be presented with a Preferences window. The only field you need to fill out at this time is the “AD Domain” field at the top.
- If you are bound to AD, you will not see the Preferences window, as NoMAD will automatically determine your AD Domain and use that. You can change this later by using the Preferences window, or through other means.
- Once NoMAD has launched, you’ll see a triangle icon in the Menu Bar at the top of your screen. If you are not able to reach your AD Domain, you’ll see “Not Connected” next to the icon. If you can reach your domain, you’ll see the same triangle without any text. Finally, if you already have a Kerberos ticket for the current user, you will see a green check mark in the triangle. The icons are shown below.
- If the icon has “Not Connected” next to it, sign in to your VPN or otherwise connect to your organization’s network so that your AD Domain Controllers (DCs) are able to be reached by the system running NoMAD. NoMAD will automatically detect when the network has changed and will update accordingly.
- Once connected, you can sign in to NoMAD if you do not have a green check mark in the NoMAD icon in the menu bar. Do this by using the “Sign In” option on the menu. If you’re unable to contact the DCs, you won’t be able to use the “Sign In” menu item.
- This will activate the Sign In window where you can sign in as an AD user. You can simply use the user’s short name, or you can use their full email@example.com handle. Note that there is no need to enter the NT Domain before the user name.
- Upon successful authentication, you will now have a Kerberos TGT for that AD user and will be able to sign in to all Windows SSO resources, which may include websites, file servers, and some applications.
- If your user has a password expiration policy, the number of days until that user’s password expires will be shown on the menu bar next to the NoMAD icon and on the second line of the NoMAD menu itself. If the user does not have an expiration date, then no text will be next to the NoMAD icon and the second line of the NoMAD menu will show “password does not expire”.
- To remove your SSO credentials, you can use the “Sign Out” menu item.
Next, you’ll want to test additional user functionality beyond a simple sign in and sign out. To do that, we’ll walk through the rest of the menu items. To begin, sign in to AD with NoMAD so that you have a valid user already logged in. Your NoMAD menu should look similar to this:
- If the currently signed in user has a password expiration date, hovering your mouse over the NoMAD icon in the menu bar will show you the actual date and time that their password expires.
- Holding down the “option” key while clicking on the NoMAD menu will show the expiration date of your current Kerberos TGT, and the AD Domain Controller that NoMAD is currently using for all LDAP lookups in the second item on the NoMAD menu.
- Test renewing your Kerberos ticket by using the “Renew Tickets” menu item. This will renew the ticket with AD and ensure that your Kerberos ticket has the longest duration possible. You can verify this by using the
klist tool on the command line, or by holding down the “option” key again to view the ticket lifetime in the second line of the NoMAD menu. It may take a few seconds for the lifetime to update in the menu.
- Next, change the user’s password by using the “Change Password” menu item. This will bring up the “Change Password” window and allow you to enter your old password and then the new password twice. When you click the “Change Password” button, NoMAD will change the user’s AD password via Kerberos.
- If no errors occur, the user’s AD password will be changed and any password expiration dates will be updated. Note that most AD environments will only allow a password to be changed once every 24 hours. Also note that this will not change the password of the local user account on the Mac by default; that can be enabled using a preference key if desired.
- Next, use the “Lock Screen” button to sleep the Mac’s screen. If you have the system configured to require password when waking the screen, you will be prompted to enter it.
- If you have a) Jamf Self Service, b) Munki Managed Software Center, or c) Lan Rev Agent installed on your system, the “Get Software” menu item will be available and will launch the appropriate self service application when clicked. If you don’t have any of those applications, this menu item will not appear; you can specify a different application to be launched from this menu by setting a preference key.
- Next, use the “Get Help” menu item. This will open a web browser to http://www.apple.com/support by default. However, similar to many other menu items in NoMAD, you can set this to an application, a script, another webpage, or even a Bomgar remote support session via the preference keys.
- Next, select the “Preferences” menu item. You will find the most commonly used options here, as well as the only options that are accessible through the UI. The AD Domain will already be set, and the Kerberos Realm will most commonly be set to the uppercase version of the AD Domain. NoMAD will automatically fill this in if you haven’t. The next two text fields are for specifying a Windows Certificate Authority and Certificate template for getting certificates from AD. The “Use Keychain” check box allows NoMAD to store your AD password in your keychain and automatically log you in. The “Renew Ticket” check box determines whether or not NoMAD automatically renews your Kerberos tickets. The text field next to this box allows a user to set how many seconds between renewing the Kerberos ticket. Finally, the “Show Home Folder” has NoMAD show a user’s home folder, as specified in their AD profile, in the menu.
- The “Quit” menu item will quit NoMAD while keeping any Kerberos tickets intact on your system.