Unannounced Password Change Alerts

Unannounced Password Change Alerts, or UPCs for short, occur when a password is changed outside of NoMAD, perhaps on another machine, or through Active Directory Users and Groups by an IT staff member. With bound user accounts and the built-in AD plugin on the Mac, this situation is an annoyance at best and a disaster at worst: macOS will sync the user account, but not always FileVault, and never the user’s Keychain password.

How NoMAD Deals with UPCs

If the UPCAlert key is set in the NoMAD preferences, NoMAD compares the last known password set date against the password set date in the user’s AD record. This happens every 15 minutes, on every network change, or whenever the user clicks on the NoMAD menu.

If a discrepancy between these dates is found, NoMAD shows a notification in the macOS Notification Center to alert the user that his or her password was changed in AD outside of NoMAD on that machine. By selecting that notification, the user is given the opportunity to sign in to NoMAD again in order to validate their new password. NoMAD then uses the user’s old password stored in the Keychain to update the Keychain with the new password. On AD-bound machines, the user password should already have been updated by this point.

Important Considerations

For this to work, the user must be storing their password in the Keychain (the UseKeychain setting in the NoMAD preferences). NoMAD must also be up and running on the computer when the notification is sent. If the user is signed out of his or her Mac when this happens, NoMAD is unable to do anything to fix it. In addition, the Mac needs to be on the AD domain for the alert to be triggered.

The UPCAlert state is a unique situation for NoMAD. On AD-bound machines, the act of checking the password automatically updates the user password, so checking the user password is not enough to determine that the user is in this state.

Other Notes

NoMAD can optionally trigger an action when a UPCAlert occurs. This is set with the UPCAlertAction preference key.
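The preference prerequisites described under Important Considerations and Other Notes can be audited per user with a short script. This is an added example, not code from the NoMAD project. It assumes the settings live in the `com.trusourcelabs.NoMAD` preference domain and are readable with `defaults read` in the user's session, and that UPCAlertAction holds a path to a script or executable.

```shell
#!/bin/sh
# Added example (not NoMAD project code): audit the preference keys that
# UPC alerts depend on for the current user.
# Assumption: com.trusourcelabs.NoMAD is the preference domain in use.
DOMAIN="com.trusourcelabs.NoMAD"

# Print one key's value, or nothing when the key is unset.
read_pref() {
    defaults read "$DOMAIN" "$1" 2>/dev/null || true
}

# `defaults read` prints booleans as 1/0; accept common string forms too.
is_true() {
    case "$1" in
        1|true|TRUE|yes|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when UPC alerts can work, otherwise a code naming the gap.
upc_audit() {
    upc=$(read_pref UPCAlert)
    keychain=$(read_pref UseKeychain)
    action=$(read_pref UPCAlertAction)

    if ! is_true "$upc"; then
        echo "UPCAlert is not set: password set dates are not compared"
        return 1
    fi
    if ! is_true "$keychain"; then
        echo "UseKeychain is not set: no stored password to update after an alert"
        return 2
    fi
    # Assumption: UPCAlertAction holds a path to a script or executable.
    if [ -n "$action" ] && [ ! -x "$action" ]; then
        echo "UPCAlertAction '$action' is missing or not executable"
        return 3
    fi
    echo "UPC alert prerequisites are in place"
    return 0
}
```

Call `upc_audit` from a per-user compliance check. It does not verify that NoMAD is running or that the Mac can reach the AD domain, both of which the alert also needs.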