This article contains a list of defaults keys and values.
Note: The defaults can be accessed via the defaults command using the “com.trusourcelabs.NoMAD” domain. The resulting preference file can be found at ~/Library/Preferences/com.trusourcelabs.NoMAD.plist
The simplest way to set the keys is to use the defaults command. For example, the following sets the AD Domain to “nomad.test”:
defaults write com.trusourcelabs.NoMAD ADDomain nomad.test
Boolean values can be set in one of two ways:
defaults write com.trusourcelabs.NoMAD HidePrefs 1
defaults write com.trusourcelabs.NoMAD HidePrefs -bool true
Both methods will result in the same setting. When reviewing the prefs that have been set using defaults read, you’ll see true values as 1 and false values as 0.
Also, for keys that take a file path value, make sure that you’re escaping any spaces in the path with a \ as shown in the example below:
defaults write com.trusourcelabs.NoMAD ChangePasswordCommand -string "/usr/local/bin/my\ great\ script.sh"
All preferences should be manageable via profiles, MDM, etc.
A sample unsigned .mobileconfig file containing preference keys can be downloaded here.
Some attributes will be an array of values. You can see the structure of this with the defaults command:
defaults write com.trusourcelabs.NoMAD LocalPasswordSyncDontSyncLocalUsers -array bob sally pat
Key | Value Type | Sample Value | Function | NoMAD Version |
---|---|---|---|---|
ADDomain | String | jodapro.com | Defines the AD domain you’re working with | 1.0 |
AutoConfigure | String | TSL | Keyword to determine what auto configuration scheme to use | 1.0 |
AutoRenewCert | Integer | 30 | Sets the number of days to go on a cert before automatically renewing it | 1.1.1 |
CaribouTime | Bool | true | Changes the icon set to Carrie the Caribou | 1.0.2 |
ChangePasswordCommand | String | “/usr/bin/local/scripts/something.bash” | Script or other binary to run when a password is successfully changed. | 1.0.3 |
ChangePasswordOptions | String | “/Applications/Google Chrome.app” | Task, URL or App path for ChangePasswordType (<<serial>>, <<fullname>>, <<shortname>> and <<domain>> are currently supported as substitutions) | 1.0 |
ChangePasswordType | String | None | Determines type of ChangePassword function (Kerberos, Task, URL, App, and None are currently supported) | 1.0 |
CleanCerts | Bool | true | Determines if NoMAD should remove extra certs from user’s Keychain. This will leave the 2 newest and the 2 oldest certs in the keychain. | 1.1.4 |
ConfigureChrome | Bool | true | Tells NoMAD to update your Chrome settings to allow for Kerberos auth with your AD domain. | 1.0.3 |
ConfigureChromeDomain | String | nomad.test | Tells NoMAD to update your Chrome settings to allow for Kerberos auth with the set domain. This allows for Chrome to work with domains other than your AD Domain. Note that the domain will be automatically wildcarded, so setting a domain of “nomad.test” will result in *nomad.test being set. Multiple domains are supported; separate them with “,”. | 1.0.5 |
CustomLDAPAttributes | Array | [ “pwdLastSet”, “yourAttributeHere”] | List of custom attributes to query in AD on each user record lookup. Attributes will be written back to the UserAttributes key. | 1.1.4 |
DontMatchKerbPrefs | Bool | true | Determines if the kpasswd server is written out to the com.apple.Kerberos preference domain. | 1.0.3 |
DontShowWelcome | Bool | true | Determines if the Welcome window is shown on first launch. | 1.1.0 |
DontShowWelcomeDefaultOn | Bool | true | Shows the Welcome Screen, but checks the “Don’t show again” box by default. Useful for when you want to show the Welcome screen only once. | 1.1.3 |
Bool | false | If true, NoMAD will attempt to download the entire site list and iterate it locally. Possibly saving time, but also possibly causing problems. Removed | ||
ExportableKey | Bool | false | Determines if the private key from any generated certs can be exported. | 1.0 |
GetCertificateAutomatically | Bool | true | Determines if a certificate is automatically requested for a user when they don’t have a valid existing certificate. | 1.0.3 |
GetHelpOptions | String | “/Applications/Google Chrome.app” | URL or Path for GetHelpType (<<serial>>, <<fullname>>, <<shortname>> and <<domain>> are currently supported as substitutions) | 1.0 |
GetHelpType | String | URL | Determines type of GetHelp function (Bomgar, URL and App are currently supported) | 1.0 |
HicFix | Bool | true | Enables a secondary password change with AD to fix an issue with macOS 10.13.0 with AD-bound mobile accounts. | 1.1.0 |
HideAbout | Bool | true | Removes the About menu from NoMAD. | 1.1.4 |
HideExpiration | Bool | true | Hides the password countdown display in the menu bar. | 1.0.4 |
HideExpirationMessage | String | You’re the best!’ | Specifies text to show in the menu bar when the password countdown has been suppressed. | 1.0.4 |
HideGetSoftware | Bool | true | Determines if the Get Software menu is visible. | 1.0.5 |
HideHelp | Bool | true | Determines if the Get Help menu is visible. | 1.0.3 |
HideLockScreen | Bool | true | Determines if the Lock Screen menu is visible. | 1.0.4 |
HidePrefs | Bool | true | Prevents the Preferences menu from being accessible | 1.0.2 |
HideRenew | Bool | true | Determines if the Renew Tickets menu is visible. | 1.0.3 |
HideSignOut | Bool | true | Determines if the Sign Out menu is visible. | 1.0.5 |
HideQuit | Bool | true | Determines if the Quit menu is visible. | 1.0.3 |
HomeAppendDomain | Bool | true | Adds your AD domain to the end of the user’s home folder. Used for when the home in AD is not fully qualified. | 1.1.4 |
IconOff | String | /usr/local/icons/NoMADOff.png | Specifies an icon file to use for when NoMAD is not connected. Note: this needs to be a 16×16 image to display correctly. | 1.0.3 |
IconOffDark | String | /usr/local/icons/NoMADOffDark.png | Specifies an icon file to use for when NoMAD is not connected in dark mode. Note: this needs to be a 16×16 image to display correctly. | 1.0.3 |
IconOn | String | /usr/local/icons/NoMADOn.png | Specifies an icon file to use for when NoMAD is connected. Note: this needs to be a 16×16 image to display correctly. | 1.0.3 |
IconOnDark | String | /usr/local/icons/NoMADOnDark.png | Specifies an icon file to use for when NoMAD is connected in dark mode. Note: this needs to be a 16×16 image to display correctly. | 1.0.3 |
String | in-or-out.jodapro.com | FQDN of a site inside your internal network Removed | ||
String | 10.0.37.23 | IP address of the InternalSite Removed | ||
KerberosRealm | String | JODAPRO.COM | Defines your Kerberos realm | 1.0 |
KeychainItems | Dictionary | {Exchange:<>} | A Dictionary of Keychain Items matching an item name to an account name. On password change, NoMAD will update these items with the user’s new password. | 1.1.0 |
KeychainItemsDebug | Boolean | true | Enables KeychainItems debugging. Will attempt to update passwords on any sign in through the NoMAD UI and log verbosely as to what’s not working. | 1.1.0 |
LDAPAnonymous | Bool | true | Determines if NoMAD uses anonymous LDAP binding when getting the user record. | 1.1.0 |
LDAPServerList | String | 2k12.jodapro.com, ausaddc2.jodapro.com | List of LDAP servers for NoMAD to use instead of doing SRV lookups | 1.0 |
LDAPOnly | Bool | true | Sets NoMAD to treat the remote server as just an LDAP server and not specifically AD. | 1.0.5 |
LDAPOverSSL | Bool | true | Determines if NoMAD uses LDAP over SSL. | 1.0.3 |
LDAPType | String | OD | An indication of what specific LDAP type is in use. Currently only “OD” for Apple’s Open Directory is available. | 1.1.0 |
LightsOutIKnowWhatImDoing | Bool | true | Removes the icon from the menu bar. Note that NoMAD still is in the menu bar, just with no icon and taking up less space. | 1.1.4 |
LocalPasswordSync | Bool | true | Determines if we keep the local password in sync with the network password or not | 1.0 |
LocalPasswordSyncDontSyncLocalUsers | Array of Strings | [“bob”, “sam”, “pat”] | An array of user names that if they match the current local user, NoMAD won’t synchronize the password regardless of what user logs into AD. | 1.0.5 |
LocalPasswordSyncDontSyncNetworkUsers | Array of Strings | [“bob”, “sam”, “pat”] | An array of user names that if they match the AD user signing in, NoMAD won’t synchronize the password regardless of what user logs into AD. | 1.0.5 |
LocalPasswordSyncOnMatchOnly | Bool | true | Determines if the domain password will be synced to the local account only when the account names match. | 1.0.4 |
LoginItem | Bool | false | Determines whether or not to add NoMAD to the user’s start up items | 1.0 |
MenuAbout | String | “This Application” | Determines the name of the About menu item. | 1.1.4 |
MenuChangePassword | String | Update Account | Changes the menu text of the Change Password menu item. | 1.0.5 |
MenuGetCertificate | String | Update Account | Changes the menu text of the Get Certificate menu item. | 1.0.5 |
MenuHomeDirectory | String | Network Home | Changes the menu text of the Home Directory menu item. | 1.0.3 |
MenuGetHelp | String | Support | Changes the menu text of the Get Help menu item. | 1.0.3 |
MenuGetSoftware | String | Software | Changes the menu text of the Software menu item. | 1.0.3 |
MenuFileServers | String | “Files” | Changes the menu text of the File Servers menu. | 1.1.3 |
MenuPasswordExpires | String | Welcome! | Changes the menu text of the password expiration menu item before a user logs in. | 1.0.3 |
MenuRenewTickets | String | Renew | Changes the menu text of the Renew Tickets menu item. | 1.0.3 |
MenuUserName | String | | Changes the menu text of the user name menu item before a user logs in. | 1.0.3 |
MenuWelcome | String | /usr/local/welcome/ | Path to a folder enclosing an index.html file and associated resources for displaying as a Welcome screen when running NoMAD. | 1.1.0 |
MessageLocalSync | String | Please provide your local password. | Message text for when a user is asked for their local password to sync their network password to their local account. | 1.0.3 |
MessageNotConnected | String | No dice! | The text in the menu bar to display when NoMAD is not connected to the AD domain. | 1.0.3 |
MessagePasswordChangePolicy | String | Your password is required to have 128 characters. | Message text to display in the password change dialog to help the user understand how complex their password needs to be. | 1.0.3 |
MessageUPCAlert | String | Your password was changed elsewhere. | Message to be shown in an UPCAlert notification | 1.1.1 |
MountSharesWithFinder | Bool | false | When file shares are set to automount, this mounts them via the Finder instead of via the API. | 1.1.4 |
PasswordExpireAlertTime | Int | 3600 | The threshold, in seconds, for when to start notifying the user about their expiring password – set to 0 to never be bothered, and defaults to 15 days or 1,296,000 seconds | 1.0 |
PasswordExpireCustomAlert | String | Account expiring soon | Custom alert to show in the menu bar instead of days to go. | 1.0.5 |
PasswordExpireCustomWarnTime | Integer | 20 | Will cause the custom alert to be only shown at a specific threshold, and in yellow. | 1.0.5 |
PasswordExpireCustomAlertTime | Integer | 5 | Will cause the custom alert to be only shown at a specific threshold, and in red. | 1.0.5 |
PasswordPolicy | Dictionary | { minLength = 6; minLowerCase = 2; minNumber = 2; minSymbol = 1; minUpperCase = 2; minMatches = 3; }; | Will show visual indicators to the user when changing his or her password that it does not meet policy. Note: the values need to be set as Strings in your dictionary. | 1.0.4 |
PersistExpiration | Bool | false | Setting this to true will display the password expiration countdown even when the user is not logged into the domain. | 1.0.4 |
RecursiveGroupLookup | Bool | true | Allows for recursive group lookups in AD to find all nested groups a user may be a member of. | 1.1.0 |
RenewTickets | Bool | false | Setting to determine if auto ticket renewal is used | 1.0 |
SecondsToRenew | Int | 3600 | Setting for how often to renew tickets | 1.0 |
SelfServicePath | String | “/Applications/IT Software.app” | Sets a path for an application to be used with the Get Software menu item | 1.0 |
ShowHome | Bool | false | Determines whether the AD home share is shown in the menu | 1.0 |
SignInCommand | String | “/usr/bin/touch /tmp/login” | Script or command to be run when NoMAD completes a successful sign in to AD | 1.0 |
SignInWindowAlert | Bool | true | Makes the NoMAD Sign In window the foremost window when a user is not signed in. | 1.1.0 |
SignInWindowAlertTime | Int | 360 | Seconds between the SignInWindowAlert making the Sign In window the foremost window. | 1.1.0 |
SignInWindowOnLaunch | Bool | false | This will force the Sign In window to display when NoMAD launches. | 1.0.4 |
SignInWindowOnLaunchExclusions | Array | [ituser, ituser2, otheruser] | An array of strings for local users that will not be shown the Sign In window automatically. | 1.1.0 |
SignOutCommand | String | /usr/local/bin/signout.sh | Path to a script or other binary to execute on sign out. | 1.0.5 |
StateChangeAction | String | “/Library/Application Support/scripts/notify-and-update.sh” | path to a script that will be launched on network changes | 1.0 |
Template | String | User Auth | The certificate template that you’d like to request when using the Windows CA | 1.0 |
TitleSignIn | String | Password please | Changes the title of the sign in window. | 1.0.2 |
UPCAlert | Bool | true | Determines if NoMAD will alert the user to Unannounced Password Changes, typically when the password was changed in AD and not from the user’s system. | 1.0.2 |
UPCAlertAction | String | /usr/local/bin/upca.sh | Path to a script or other binary to execute when a UPC Alert occurs. | 1.0.5 |
UseKeychain | Bool | true | Determines whether to store the Kerberos password in the user’s keychain | 1.0 |
UseKeychainPrompt | Bool | true | Will cause NoMAD to force a sign in to NoMAD to capture the password in the Keychain. | 1.1.1 |
UserSwitch | Bool | false | Ensures that the local user name is the active ticket being used by NoMAD. | 1.1.4 |
Verbose | Bool | false | Enables verbose logging | 1.0 |
WifiNetworks | Array of Strings | CorpNet | SSIDs of wireless networks you would like to associate any certificates created with NoMAD to via an identity preference in the Keychain. | 1.1.0 |
X509CA | String | x509.jodapro.com | FQDN of the Windows web Certificate Authority you would like to use | 1.0 |
This is a list of keys that are available, but should not be managed in any way. These are set by NoMAD while running and may be useful for scripts and other uses to obtain information. Changing any of these via configuration profiles or other means may have unintended consequences.
Key | Value Type | Sample Value | Function | NoMAD Version |
---|---|---|---|---|
ADDomainController | String | dc1.nomad.test | The current domain controller being used by NoMAD. | 1.1.4 |
ADSite | String | WorldHQ | The current AD site that NoMAD is using. | 1.1.3 |
DisplayName | String | Joel Rennich | The long name of the user currently signed in to the domain. | 1.0 |
FirstRunDone | Bool | true | Set when NoMAD first launches. Used to determine if NoMAD has been run or not yet. | 1.1.3 |
LastCertificateExpiration | Date | 2018-03-15 06:25:28 +0000 | The date of expiration for the certificate matching the current AD user. If multiple certificates are found, this will reference the certificate with the most distant expiration date. | 1.0.3 |
LastPasswordWarning | Date | 2018-03-15 06:25:28 +0000 | The date of when the last password warning alert was given. | 1.0.3 |
LastPasswordExpireDate | Date | 2018-05-15 06:25:28 +0000 | The date of when the current user’s password expires. | 1.0.3 |
LastUser | String | jrennich | Shortname of the last user to sign in to NoMAD. | 1.0.3 |
SignedIn | Bool | true | True if NoMAD is currently signed into the domain. Use this to check if the current user has Kerberos tickets. | 1.0.4 |
UserAging | Bool | true | Determines if the currently signed in user has an expiring password. | 1.0.1 |
UserAttributes | Dictionary | [ “yourAttribute” : “something”] | The results of the CustomLDAPAttributes lookups. | 1.1.4 |
UserEmail | String | joel@nomad.menu | The currently signed in user’s e-mail attribute from AD. | 1.1.0 |
UserHome | String | //dc2.eng.nomad.test/ENG-Homes/d%20eng | Homedirectory path of the current user. | 1.0.3 |
UserPasswordSetDates | Array | UserPasswordSetDates = { “jrennich@ENG.NOMAD.TEST” = “2017-01-26 04:21:36 +0000”; “jrennich@NOMAD.TEST” = “2017-03-31 03:59:22 +0000”; }; | Array of users and the date their password was set. Used by NoMAD to keep track of UPCs. | 1.0.3 |
UserPrincipal | String | jrennich@ENG.NOMAD.TEST | User principal for the current user. | 1.0.3 |
UserUPN | String | aeng@nomad.test | The UPN of the currently signed in user. | 1.1.0 |
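
A pre-deployment lint for a NoMAD preference set, as an added Python example (not NoMAD's own code). It checks three things stated on this page: NoMAD-set state keys are not managed, PasswordPolicy values are Strings, and the target of each script or command key exists. Assumptions of this example: the group/world-writable check, splitting a command value on unescaped spaces, and the constructed sample plist.

```python
import os
import plistlib
import re
import stat

# Keys the table describes as running a script, command or binary.
COMMAND_KEYS = ("ChangePasswordCommand", "SignInCommand", "SignOutCommand",
                "StateChangeAction", "UPCAlertAction")
# Keys the page says NoMAD sets itself and that should not be managed.
STATE_KEYS = set(
    "ADDomainController ADSite DisplayName FirstRunDone LastUser SignedIn "
    "LastCertificateExpiration LastPasswordWarning LastPasswordExpireDate "
    "UserAging UserAttributes UserEmail UserHome UserPasswordSetDates "
    "UserPrincipal UserUPN".split())
# Constructed sample: a candidate preference set with three problems.
SAMPLE = plistlib.dumps({
    "ADDomain": "nomad.test", "SignedIn": True,
    "PasswordPolicy": {"minLength": 6, "minUpperCase": "2"},
    "SignOutCommand": "/nonexistent/my\\ great\\ script.sh --quiet"})


def executable_path(command):
    """First token of a command value; '\\ ' (escaped space) stays in the path."""
    first = re.split(r"(?<!\\) ", command.strip(), maxsplit=1)[0]
    return first.replace("\\ ", " ")


def lint_prefs(plist_bytes):
    """Return sorted (key, problem) findings for a candidate plist."""
    prefs = plistlib.loads(plist_bytes)
    findings = [(k, "set by NoMAD at runtime; do not manage")
                for k in prefs if k in STATE_KEYS]
    for key, value in prefs.get("PasswordPolicy", {}).items():
        if not isinstance(value, str):
            findings.append((f"PasswordPolicy.{key}", "value must be a String"))
    for key in (k for k in COMMAND_KEYS if k in prefs):
        path = executable_path(prefs[key])
        if not os.path.exists(path):
            findings.append((key, f"target not found: {path}"))
        elif os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Added hygiene check: this example's assumption, not the page's.
            findings.append((key, f"target is group/world-writable: {path}"))
    return sorted(findings)


if __name__ == "__main__":
    for key, problem in lint_prefs(SAMPLE):
        print(f"{key}: {problem}")
```

To lint a real preference set, pass the bytes of the plist file or of the profile payload dictionary to `lint_prefs`.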