“In the beginning, there was Active Directory,” Joel Rennich said as he started his presentation. Active Directory (AD) is well known by IT professionals worldwide. It became the de facto identity and authentication system of record with the rise of Windows in the 1990s and 2000s. In 2003, the Mac gained the ability to bind to AD with a native plugin in macOS 10.3. This resolved many concerns about bringing Macs into an AD environment. However, as AD and macOS evolved, a number of common issues arose, such as password resets and network syncing problems. NoMAD is a solution to these pain points, and it’s available for free.
NoMAD was released last year, and it’s already used on a few hundred thousand Macs. In brief, NoMAD gives Mac users the Single Sign-On experience of Active Directory without requiring a bind to AD. With Single Sign-On, the user experience is much improved for authenticating to websites, file shares, certificate provisioning, Exchange, DFS, printers and more.
NoMAD calls this Casual Binding. Users authenticate first to a local account on the Mac, then authenticate to their network account via NoMAD. NoMAD communicates with DNS, Kerberos and LDAP to gather the domain record, authentication ticket, and user identity and groups. Importantly, there’s no persistent directory service connection. This is ideal for mobile users with Mac devices that may be on or off the network at any moment.
NoMAD is under active development, with frequent updates and bug fixes. Rennich encouraged feedback, bug reports and feature requests via their website or the NoMAD Slack channel. It’s published as an open-source project under the MIT license, with downloads and support plans available at http://nomad.menu.
Rennich also shared NoMAD Pro, which adds authentication to Okta, with Safari, Chrome and Firefox extensions. Support for more identity platforms is coming, with Ping, Google Identity, and Azure AD on the roadmap.