NoMAD 1.1 Keychain Update options

Note: this has been updated as of NoMAD 1.1 build 734 beta to reflect the new dictionary of items.

What are Keychain Updates?

New in the NoMAD 1.1 Beta is the ability to update keychain items when a user changes their password.

Currently this is listed as a dictionary of keychain item names and account pattern pairs. NoMAD will look for these items in your keychain that have an account name that matches a search pattern. It will then update the item with the new password.

We expect there to be a lot of special casing here, so please investigate what items you’d like to change and if you need additional features.

Patterns

Currently NoMAD can handle 6 different variables that you can use to create the account pattern match. These are domain, fullname, serial, shortname, upn, and email. You can build search patterns from all of these and mix with static characters. The variables are set off by << >>. For example the pattern <<shortname>>@company.com would expand to the AD shortname of the user followed by @company.com.

If an attribute is unavailable for a user it will default to blank. So <<email>> for a user with no e-mail address defined in AD will expand to “”. This may not be ideal, so please let us know if this doesn’t fit your needs.
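As an added example (not NoMAD's own code), here is the pattern expansion and item selection described in the two sections above, written in Python: the six variables expand from a dictionary of the user's AD attributes, a missing attribute expands to "" as the post says, and items_to_update applies a KeychainItems dictionary to a list of (name, account) keychain entries. Patterns that expand to a blank account are reported separately, because a blank account is exactly the case the post flags as possibly not ideal. The sample user attributes and keychain entries below are constructed for the example, not taken from the post.

```python
import re
from typing import Dict, List, Tuple

# The six variables NoMAD 1.1 accepts in an account pattern (from the post).
PATTERN_VARIABLES = ("domain", "fullname", "serial", "shortname", "upn", "email")

# Matches a <<name>> token and captures the name for lookup.
_TOKEN_RE = re.compile(r"<<(\w+)>>")


def expand_pattern(pattern: str, attributes: Dict[str, str]) -> str:
    """Expand <<variable>> tokens in an account pattern.

    Known variables the user lacks expand to "" (the behaviour the post
    describes for <<email>>); tokens that are not NoMAD variables are left
    as written so a typo in the pattern stays visible in the expansion.
    """
    def substitute(match):
        name = match.group(1)
        if name not in PATTERN_VARIABLES:
            return match.group(0)
        return attributes.get(name, "")

    return _TOKEN_RE.sub(substitute, pattern)


def blank_patterns(keychain_items: Dict[str, str],
                   attributes: Dict[str, str]) -> List[str]:
    """Names of KeychainItems entries whose pattern expands to an empty account."""
    return [name for name, pattern in keychain_items.items()
            if expand_pattern(pattern, attributes) == ""]


def items_to_update(keychain_items: Dict[str, str],
                    keychain: List[Tuple[str, str]],
                    attributes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (name, account) keychain entries a KeychainItems dict selects.

    keychain_items: {item name: account pattern}, as in the KeychainItems pref.
    keychain:       (name, account) pairs standing in for the login keychain.
    Entries whose pattern expanded to "" are skipped; use blank_patterns()
    to see which ones those were.
    """
    wanted = {name: expand_pattern(pattern, attributes)
              for name, pattern in keychain_items.items()}
    return [(name, account) for name, account in keychain
            if name in wanted and wanted[name] != "" and account == wanted[name]]


if __name__ == "__main__":
    # Constructed sample data: a user with no e-mail attribute in AD.
    user = {"shortname": "jdoe", "upn": "jdoe@company.com",
            "domain": "company.com", "fullname": "Jane Doe", "serial": "C02XXXXX"}
    items = {"test1": "<<upn>>", "vpn": "<<shortname>>", "mail": "<<email>>"}
    keychain = [("test1", "jdoe@company.com"), ("test1", "other@company.com"),
                ("mail", ""), ("vpn", "jdoe")]
    print("would update:", items_to_update(items, keychain, user))
    print("blank patterns:", blank_patterns(items, user))
```

Running the block prints the two test1/vpn entries that would be updated and reports "mail" as the entry whose pattern expanded to blank, which is the situation the keychainItemsDebug logging described below is meant to surface.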

How to make it work

First you’ll need to add a dictionary of keychain item names and their account patterns

defaults write com.trusourcelabs.NoMAD KeychainItems -dict 'test1' '"<<upn>>"'

Note the single then double quotes to properly escape the <<>> characters in that command.

Now change your password in NoMAD v. 1.1(732) or later.

Troubleshooting

New in 1.1(732) and later is the keychainItemsDebug flag, which provides more verbose output in the logs and attempts to update passwords every time you sign in through the sign in window. This should make it much easier to determine what will be updated, and the additional logging shows which items will be changed.

Keychain item example

In the keychain item below, the “Name” is the key you add to the KeychainItems dictionary in the NoMAD defaults. The “Account” field will need to match the substitution pattern for that item.

Feedback

We know that this current methodology won’t always line up with what you may need, as such we’d love to hear from you as to how to make this better. In particular it’s quite possible that your user’s UPN doesn’t match up with the accounts in the Keychain Item. Please let us know on GitLab or the #nomad Slack channel.

NoMAD 1.0.5

We’re excited to announce the release of NoMAD 1.0.5.

NoMAD 1.0.5 is primarily a maintenance release, however, we’ve fixed a few bugs, made things run a bit faster and have introduced a few new pref keys.

The bigger new features in 1.0.5 are the ability to have an LDAP-only environment where no AD is present and more granular controls on which users will have their password synced locally.

We are also localized in Spanish now, thanks to @lctrkid.

Bug Fixes

– Not really a NoMAD bug, but NoMAD now cleans up klist output on macOS 10.10, which erroneously adds blank spaces for 0 in the issued timestamp.

– NoMAD is now happy to use network-only accounts from AD. Previously NoMAD would only work with mobile accounts.

– NoMAD pre-flights any password changes against the local system now before changing in AD. This ensures that any local password policies won’t prevent the password change from working.

– Significant changes to the password complexity warnings when changing passwords. The pref file will be much less finicky about having all of the complexity types in it. Also a popover will be shown and the user experience generally much better. Thanks to @ludeth for the help here.

– Get Software menu item will now prefer a custom path instead of any self service applications that are found. Previously NoMAD would always go to any of the installed Self Service apps and ignore the custom path.

Pref Keys

ConfigureChromeDomain – String – This will allow NoMAD to configure a domain in Chrome for Kerberos authentication beyond just the AD domain. Set this to your top-level domain that has to do with Kerberos and NoMAD will use that and wildcard any subdomains.

HideGetSoftware – Bool – This will determine if NoMAD shows the Get Software menu or not.

HideSignOut – Bool – This will determine if NoMAD hides the Sign Out menu or not.

LDAPOnly – Bool – Sets NoMAD to just use LDAP instead of treating the remote server as AD. Essentially this just tells NoMAD not to look up the password expiration information and to get the groups in a slightly different way.

LocalPasswordSyncDontSyncLocalUsers – [String] – An array of user names. If the current local user matches one of them, NoMAD won’t synchronize the password, regardless of which user signs into AD.

LocalPasswordSyncDontSyncNetworkUsers – [String] – An array of user names. If the AD user signing into NoMAD matches one of them, NoMAD will not synchronize the password.

MenuChangePassword – String – Allows you to override the standard Menu Item text for Change Password.

MenuGetCertificate – String – Allows you to override the standard Menu Item text for Get Certificate.

PasswordExpirationDays – Integer – Allows you to override whatever AD tells you is the standard password reset interval.

PasswordExpireCustomAlert – String – Custom alert to show in the menu bar instead of days to go.

PasswordExpireCustomWarnTime – Integer – Will cause the custom alert to be only shown at a specific threshold, and in yellow.

PasswordExpireCustomAlertTime – Integer – Will cause the custom alert to be only shown at a specific threshold, and in red.

SignOutCommand – String – Path to a script or other binary that you want to execute when a user signs out of NoMAD.

UPCAlertAction – String – Path to a script or binary that you want to execute whenever a UPCAlert is triggered. Pull Request credit to Ryan Jenkins.

Downloads

NoMAD 1.0.5 package installer and zip file are now available in Downloads.

NoMAD 1.1 Shares Preferences

With NoMAD version 1.1 just a short ways around the corner, we wanted to start sharing the Shares preference file… see what we did there!?!

Note: As a beta this file format is still subject to change… but we wanted to give you an idea of what was coming.

What is this?

With 1.1 NoMAD will be able to arbitrarily mount shares specified in a preference file. Since the shares are rather different than the rest of the NoMAD preferences, we’ve put them into a new plist to make things easier.

Where does it go?

Currently this preference is at menu.nomad.shares, but as with all things beta, this may change.

How do you make it?

There are 3 top-level objects in the file.

1. Version – this is the version number of the file format. Currently the only version is 1

2. HomeMount – This is a Dictionary of attributes controlling whether the user’s home profile should be mounted.

Groups – [String] – Only mount the home for members of these AD groups
Mount – Bool – Mount automatically or not
Options – [String] – Array of mount options defined below

3. Shares – [Dictionary] – An array of dictionaries with each dictionary defining a mount point and associated attributes. Below is what goes into each Dictionary
AutoMount – Bool – Is the share automatically mounted
ConnectedOnly – Bool – Is the share only mounted when on the AD domain
Groups – [String] – An array of AD group names. This share will only automount for members of that group
LocalMount – String – A local mount point
Name – String – The name of the share as it will appear in the NoMAD menu item
Options – [String] – Array of mount options defined below
URL – String – The actual URL of the mount point in the form of “smb://dc1.nomad.test/Homes”

Options

First off huge thanks to @frogor for having figured these out. Note that most of these are probably not very useful or safe. Please use at your own risk. The primary ones that most admins will care about are MNT_RDONLY, MNT_DONTBROWSE and MNT_NOEXEC.

"MNT_RDONLY" - Mounts the share read only
"MNT_SYNCHRONOUS" - All I/O to the file system should be done synchronously.
"MNT_NOEXEC" - Prohibits execution of code from the share
"MNT_NOSUID" - Do not allow set-user-identifier or set-group-identifier bits to take effect.
"MNT_NODEV" - Do not interpret character or block special devices on the file system.
"MNT_UNION" - Causes the namespace to appear as the union of directories of the mounted filesystem with corresponding directories in the underlying filesystem.
"MNT_ASYNC" - All I/O to the file system should be done asynchronously.
"MNT_CPROTECT" -
"MNT_EXPORTED" - Filesystem is exported
"MNT_QUARANTINE" - File system is quarantined
"MNT_LOCAL" - File system is stored locally
"MNT_QUOTA" - Quotas are enabled
"MNT_ROOTFS" - Identifies the root filesystem
"MNT_DOVOLFS" - Filesystem supports volfs (deprecated flag in Mac OS X 10.5)
"MNT_DONTBROWSE" - Does not display the share in the Finder
"MNT_IGNORE_OWNERSHIP" - Ignore ownership information on file system objects
"MNT_AUTOMOUNTED" - Set flags on the mountpoint to indicate that the volume has been mounted by the automounter.
"MNT_JOURNALED" - Mount filesystem journaled
"MNT_NOUSERXATTR" - User extended attributes not allowed
"MNT_DEFWRITE" - Filesystem should defer writes
"MNT_MULTILABEL" - Support for individual labels
"MNT_NOATIME" - Do not update the file access time when reading from a file.

Preference file itself


{
    HomeMount = {
        Groups = ( "Domain Users" );
        Mount = false;
        Options = ( );
    };
    Shares = (
        {
            AutoMount = false;
            ConnectedOnly = true;
            Groups = ( "Share Mounter Test" );
            LocalMount = "";
            Name = "File Server 2";
            Options = ( );
            URL = "smb://dc2.eng.nomad.test/Files";
        },
        {
            AutoMount = true;
            ConnectedOnly = true;
            Groups = ( );
            LocalMount = "";
            Name = "Home Shares";
            Options = ( );
            URL = "smb://dc1.nomad.test/Homes";
        },
    );
    Version = "1";
}
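The file format laid out in "How do you make it?" and the example file above are easy to get subtly wrong (a misspelled key, a wrong type, an option name that isn't one of the listed flags). As an added example that is not part of NoMAD, the Python below transcribes the post's example file into a dictionary, round-trips it through the standard library plistlib (the same data NoMAD would read from menu.nomad.shares, written here as an XML plist rather than the old-style text above), and checks it against the key list from the post. Options outside the three the post says most admins care about are reported as "use at your own risk" findings rather than errors. The URL check only requires a scheme and a host, since the post shows smb:// URLs but does not say other schemes are refused; that choice is this example's, not the project's.

```python
import plistlib
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Mount flags the post lists as usable in Options.
KNOWN_OPTIONS = {
    "MNT_RDONLY", "MNT_SYNCHRONOUS", "MNT_NOEXEC", "MNT_NOSUID", "MNT_NODEV",
    "MNT_UNION", "MNT_ASYNC", "MNT_CPROTECT", "MNT_EXPORTED", "MNT_QUARANTINE",
    "MNT_LOCAL", "MNT_QUOTA", "MNT_ROOTFS", "MNT_DOVOLFS", "MNT_DONTBROWSE",
    "MNT_IGNORE_OWNERSHIP", "MNT_AUTOMOUNTED", "MNT_JOURNALED", "MNT_NOUSERXATTR",
    "MNT_DEFWRITE", "MNT_MULTILABEL", "MNT_NOATIME",
}
# The three options the post says most admins will care about.
RECOMMENDED_OPTIONS = {"MNT_RDONLY", "MNT_DONTBROWSE", "MNT_NOEXEC"}

# Key names and types from the post's description of the file.
HOME_MOUNT_KEYS = {"Groups": list, "Mount": bool, "Options": list}
SHARE_KEYS = {"AutoMount": bool, "ConnectedOnly": bool, "Groups": list,
              "LocalMount": str, "Name": str, "Options": list, "URL": str}

# The post's example file, transcribed into a Python dict for this example.
EXAMPLE_PREFS: Dict[str, Any] = {
    "HomeMount": {"Groups": ["Domain Users"], "Mount": False, "Options": []},
    "Shares": [
        {"AutoMount": False, "ConnectedOnly": True, "Groups": ["Share Mounter Test"],
         "LocalMount": "", "Name": "File Server 2", "Options": [],
         "URL": "smb://dc2.eng.nomad.test/Files"},
        {"AutoMount": True, "ConnectedOnly": True, "Groups": [],
         "LocalMount": "", "Name": "Home Shares", "Options": [],
         "URL": "smb://dc1.nomad.test/Homes"},
    ],
    "Version": "1",
}


def _check_dict(d: Dict[str, Any], schema: Dict[str, type],
                where: str, problems: List[str]) -> None:
    """Check one HomeMount or Shares dictionary against its key list."""
    for key, expected in schema.items():
        if key not in d:
            problems.append(f"{where}: missing key {key}")
        elif not isinstance(d[key], expected):
            problems.append(f"{where}: {key} should be {expected.__name__}")
    for key in d:
        if key not in schema:
            problems.append(f"{where}: unknown key {key}")
    options = d.get("Options")
    if isinstance(options, list):
        for opt in options:
            if opt not in KNOWN_OPTIONS:
                problems.append(f"{where}: unknown mount option {opt}")
            elif opt not in RECOMMENDED_OPTIONS:
                problems.append(f"{where}: {opt} is not one of MNT_RDONLY, "
                                f"MNT_DONTBROWSE or MNT_NOEXEC; use at your own risk")


def validate_shares(prefs: Dict[str, Any]) -> List[str]:
    """Return a list of findings for a shares preference dict; empty means clean."""
    problems: List[str] = []
    if prefs.get("Version") not in ("1", 1):
        problems.append("Version: only version 1 is defined")
    home = prefs.get("HomeMount")
    if isinstance(home, dict):
        _check_dict(home, HOME_MOUNT_KEYS, "HomeMount", problems)
    else:
        problems.append("HomeMount: missing or not a dictionary")
    shares = prefs.get("Shares")
    if not isinstance(shares, list):
        problems.append("Shares: missing or not an array")
        return problems
    for i, share in enumerate(shares):
        where = f"Shares[{i}]"
        if not isinstance(share, dict):
            problems.append(f"{where}: not a dictionary")
            continue
        _check_dict(share, SHARE_KEYS, where, problems)
        url = share.get("URL")
        if isinstance(url, str):
            parts = urlsplit(url)
            if not parts.scheme or not parts.netloc:
                problems.append(f"{where}: URL {url!r} has no scheme or host")
    return problems


def to_plist_bytes(prefs: Dict[str, Any]) -> bytes:
    """Serialize the dict as an XML plist, as a profile or defaults write would store it."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)


def load_and_validate(data: bytes) -> List[str]:
    """Parse plist bytes and validate them, the path a deployed file would take."""
    return validate_shares(plistlib.loads(data))


if __name__ == "__main__":
    print("example file findings:", load_and_validate(to_plist_bytes(EXAMPLE_PREFS)))
```

Run against the post's own file the validator returns no findings; feed it a file with "Option" instead of "Options", or an option such as MNT_UNION, and the returned list names the dictionary and key at fault.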

LDAP Only Support

Starting with NoMAD 1.0.5(640)BETA NoMAD can now support environments that don’t have Active Directory. If you have a Kerberos environment that has been integrated with an LDAP server, NoMAD can give you the same functionality that you would get if AD was in the mix. Since there’s a variety of different LDAP setups, please test this in your environment and let us know if it’s missing anything.

Getting it working

NoMAD is designed to automatically configure as much as possible and relies on a number of AD-focused methods to do that. In an environment without AD you may not have all of these services in place. Don’t worry! You can manually configure everything you need.

Starting Off

To get NoMAD to start doing LDAP-only queries you can set the LDAPOnly preference key to true.

SRV Records

NoMAD by default attempts to find both LDAP and Kerberos services via SRV records in your DNS. You most likely have these for your Kerberos KDCs, but you may not have the records for your LDAP servers. To get around this you can designate your LDAP servers manually by setting the LDAPServerList preference key to a comma-separated list of your LDAP servers.

LDAP over SSL

Many LDAP environments are configured to use LDAP over SSL. NoMAD fully supports this, but you’ll need to set the LDAPOverSSL preference key to true.

Test It!

NoMAD will allow for password changes, scripts and other actions, sign in and sign out and local password synchronization. The only major feature that you won’t have will be the password expiration countdown. This is mostly because there’s no real standard way to do this in an LDAP-only environment. However, if you’re interested in this please let us know and how you’ve implemented it, as this is something we’d be happy to put more work into.


NoMAD 1.0.4

We’re excited to announce the release of NoMAD 1.0.4 today.

This release picks up a few bugs from 1.0.3, adds another localization, gives more options on how to display the password expiration countdown, and then implements a fairly comprehensive new set of password policies. You can find the complete list of issues here.

A few highlights:

  1. Password countdown – If you don’t want to see it, you can hide the password expiration countdown regardless of whether the user’s password is set to expire in AD. You can do this via defaults write com.trusourcelabs.NoMAD HideExpiration 1. On the other hand… if you want to see the countdown more often, you can set that as well so that NoMAD will keep the countdown in the menu bar even if the user is not logged into AD. You can set this by defaults write com.trusourcelabs.NoMAD PersistExpiration 1.
  2. UI changes – You can now close all windows with cmd-W; we’d not even realized we weren’t doing that. Now it’s fixed. Also there’s a spinner that shows up when you’re logging in or changing your password. This gives the user some better feedback that something’s going on under the covers.
  3. Spaces in names – You may not have realized, but NoMAD supports users with a space in their short name. I didn’t realize that AD even allowed that, but it does… Now NoMAD supports spaces in the home share as well.
  4. Prompting users to sign in – NoMAD can now put up a Sign In window after launch as soon as the domain is reachable and a user isn’t already signed in. You can use this for prompting your users to sign in after logging into their Mac. Enable this with defaults write com.trusourcelabs.NoMAD SignInWindowOnLaunch 1.
  5. Ignoring password sync – It’s possible to want NoMAD to sync the AD password down onto the local user, but not want that all the time. Now you have two ways of doing this. First you can use the alternative Sign In, by holding down control-option when clicking the NoMAD menu. When signing in this way, no synchronization will be done. You can then sign out, and the original Kerberos credential will be intact. Secondly you can tell NoMAD to only sync passwords when the AD name matches the local user name. Enable this with defaults write com.trusourcelabs.NoMAD LocalPasswordSyncOnMatchOnly 1.
  6. Password policies – This is probably the biggest new feature of 1.0.4. You can now tell NoMAD what your AD password policy is and NoMAD will ensure that’s met before allowing the user to change their password. You can set this policy by defaults write com.trusourcelabs.NoMAD PasswordPolicy -dict minLength 6 minUpperCase 2 minLowerCase 2 minNumber 2 minSymbol 1 and then the user will get red and green dots next to the passwords in the Change Password window. Mousing over the colors will then tell the user exactly what part of the policy the password is not meeting. The Change Password button will only be enabled when the password meets the policy. In addition NoMAD will now ensure the new password can actually be set locally, if you have password syncing enabled, and alert the user that the password isn’t compliant.
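The policy check behind the red and green dots in item 6 can be reproduced outside NoMAD, which is useful when writing a profile and wanting to know in advance which passwords it will accept. The Python below is an added example, not NoMAD's code: it takes the five keys from the defaults write command above, counts the character classes in a candidate password and returns the rules that are not met, one message per rule, which is the information the mouse-over tooltip conveys. Two details are this example's assumptions: a "symbol" is any character that is neither a letter nor a digit, and a key missing from the policy dictionary imposes no requirement.

```python
from typing import Callable, Dict, List

# The policy from the post's defaults write example, as a dict.
EXAMPLE_POLICY: Dict[str, int] = {
    "minLength": 6, "minUpperCase": 2, "minLowerCase": 2,
    "minNumber": 2, "minSymbol": 1,
}


def _count(password: str, pred: Callable[[str], bool]) -> int:
    return sum(1 for c in password if pred(c))


def policy_failures(password: str, policy: Dict[str, int]) -> List[str]:
    """Return the policy rules the password does not meet; an empty list means compliant.

    Assumption: a key absent from the policy imposes no requirement, and any
    key not among the five known ones is reported rather than silently ignored.
    """
    counts = {
        "minLength": len(password),
        "minUpperCase": _count(password, str.isupper),
        "minLowerCase": _count(password, str.islower),
        "minNumber": _count(password, str.isdigit),
        # Assumption: a symbol is anything that is not a letter or a digit.
        "minSymbol": _count(password, lambda c: not c.isalnum()),
    }
    failures: List[str] = []
    for rule, required in policy.items():
        if rule not in counts:
            failures.append(f"unknown policy key {rule}")
            continue
        have = counts[rule]
        if have < required:
            failures.append(f"{rule}: need {required}, have {have}")
    return failures


def meets_policy(password: str, policy: Dict[str, int]) -> bool:
    """True when the Change Password button would be enabled for this password."""
    return not policy_failures(password, policy)


if __name__ == "__main__":
    # Constructed candidates: one compliant, one that misses three rules.
    for candidate in ("Ab1!cD2e", "abcdef"):
        print(repr(candidate), "->", policy_failures(candidate, EXAMPLE_POLICY) or "ok")
```

Because the messages are generated in the order of the policy dictionary, the output reads the same way an admin would list the rules in the profile.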

We’ve also updated the list of preference keys for all of the new 1.0.4 versions.

Keep the feature requests coming, and we’ll keep making NoMAD better!

Finding forced preferences

Most NoMAD users are pushing preferences via configuration profiles. This is a great thing, but does make troubleshooting a bit tougher as the defaults command won’t show what keys are forced.

So… have a look at pref-finder.

Launch the tool and specify a preference domain you want to look at. You’ll be able to see all of the keys for that domain, check just a single key, check if a key is forced, or what most people will use it for, show all forced keys for a particular domain.

pref-finder -d com.trusourcelabs.NoMAD -k LastUser -f -F -a

It has a project page, and can be downloaded here.

Apple Events

NoMAD 1.0.3 responds to a number of Apple Events that you can send it from the CLI and other methods.

Current Actions

  • nomad://open – launches the application
  • nomad://signin – opens the sign in dialog if the system is on the domain and a user is not already signed in
  • nomad://user:pass@signin – causes NoMAD to get a Kerberos ticket for that user and password. If the Keychain is set to be used, this password will be stored in the keychain.
  • nomad://update – makes NoMAD update immediately
  • nomad://passwordchange – will show the change password window

If you have 1.0.3 or later installed, clicking on any of the above links will cause NoMAD to react. You can also use this from scripts via the “open” command.

open nomad://signin

Running this in a shell script will cause NoMAD to launch, if it isn’t already running, and then show the sign in window if AD is reachable. This is a pretty handy thing to use at the end of your enrollment workflow to get the user’s password starting to sync.
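Scripts that build or log these URLs need to handle the one form that carries credentials. As an added example that is not part of NoMAD, the Python below parses the nomad:// URLs listed above with the standard library's urlsplit: the host part of the URL is the action, the optional userinfo carries the user name and password of the nomad://user:pass@signin form, and anything not in the list from the post is rejected. Because a password embedded in a URL is visible to whatever can read the argument list passed to open, the example also returns a redacted form suitable for logging. The sample URLs in the test are constructed.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit, unquote

# The actions the post lists for NoMAD 1.0.3.
NOMAD_ACTIONS = {"open", "signin", "update", "passwordchange"}


def parse_nomad_url(url: str) -> Dict[str, Optional[str]]:
    """Split a nomad:// URL into its action and optional credentials.

    Raises ValueError for other schemes, unknown actions, or credentials
    attached to an action other than signin (the only one the post pairs
    with a user and password).
    """
    parts = urlsplit(url)
    if parts.scheme != "nomad":
        raise ValueError(f"not a nomad:// URL: {url!r}")
    # urlsplit lower-cases the host, which for this scheme is the action name.
    action = parts.hostname or ""
    if action not in NOMAD_ACTIONS:
        raise ValueError(f"unknown NoMAD action {action!r}")
    # userinfo may be percent-encoded (a password containing '@' or ':' must be).
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    if (user is not None or password is not None) and action != "signin":
        raise ValueError("credentials are only meaningful with the signin action")
    return {"action": action, "user": user, "password": password}


def redact_nomad_url(url: str) -> str:
    """Return the URL with any password replaced, for log lines and error messages."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    return f"nomad://{parts.username}:***@{parts.hostname}"


if __name__ == "__main__":
    # Constructed sample URLs; the second carries credentials.
    for sample in ("nomad://signin", "nomad://jdoe:s3cret@signin", "nomad://update"):
        print(redact_nomad_url(sample), "->", parse_nomad_url(sample)["action"])
```

Note that redact_nomad_url works on the raw string, so it can be applied before parsing and before anything is written to a log.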


NoMAD 1.0.3 is out!

Lots of customization and some bug fixes.

New Features

— Almost every menu item now has a customizable label and can be hidden from the user. Check out the preference keys for how to do that.

— Automatic retrieval of x509 certificates if a user doesn’t already have one.

— Localized into French, German and Danish with other languages to come shortly. Many thanks to everyone that helped with this.

— NoMAD now responds to custom urls, so nomad://update will cause NoMAD to update itself. nomad://signin will display the sign in window. More info here.

— Trigger a script on successful password changes.

— The Change Password window now allows you to specify a password complexity policy so the users can be reminded of why their password may not work.

— Option-clicking the menu will now show the current version and build of NoMAD in the menu.

— LDAP over SSL support.

You will find a full list of all the preference keys, including all of the new ones for 1.0.3 here.

Bugs Fixed

— Better handling of bound machines. Previously NoMAD would overwrite your prefs each time it launched.

— If you’re on a .local AD domain we now better handle the DNS lookups that were causing the NoMAD menu to be unresponsive.

A full list of tickets addressed in NoMAD can be found here.

Get 1.0.3 at our downloads page.