Setting Up and Using NoMAD Shares Menu

Today has been a bit long, so I decided to put down into writing how I configured NoMAD to utilize its File Share menu feature because I found their documentation to be distinctly lacking in that space.

First, Some Background

We have been in the process of upgrading our previous SMB file share from a macOS Server running 10.12.5 using Open Directory for access control to a new Windows 2016 server utilizing Active Directory.

Active Directory would allow us to have centralized control for accessing these shares, but with a directory service that was going to continue to be supported for the future. We hadn't been using it before so all accounts are new. I also had no intention of binding our Macs to AD as my prior experiences with that have been... not great.

Since all the accounts were new I would have to either personally sit down with each employee and reset their new AD password or set up NoMAD to facilitate those changes. Because I am lazy efficient, I decided to go with setting up NoMAD so I could turn on the option to change passwords after next login.

I was vaguely aware of the file share capabilities, but I intended to research the share mounting features later since we were on a time crunch.

Our previous method for accessing our file shares on our Macs was a folder dock item that listed out a list of Automator apps that ran an AppleScript that would run something similar to the following:

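set shareName to "<change-me>"

tell application "Finder"
    if (disk shareName exists) then
        (* Share is already mounted: do nothing *)
    else
        try
            -- The URL is passed as-is; no trailing quote character belongs here
            mount volume "smb://serverIP/" & shareName
        on error
            (* Ignore mount errors *)
        end try
    end if
    -- quoted form of escapes the path for the shell, including spaces in share names
    do shell script "open " & quoted form of ("/Volumes/" & shareName)
end tell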

It was a little hacky, but it worked. I decided to replicate it for this file server to make it a seamless transition that hopefully no one really noticed other than the fact that I used a slightly different icon for the dock item.

I got NoMAD working based off their support docs, plugging in our AD info. I was able to log in and change my password successfully without issue.

Then I tried to access a file share.

The first thing that I noticed is that my script didn't use the Kerberos ticket supplied by NoMAD. The script also worked maybe 50% of the time. My Mac seemed to be passing the Guest account despite me choosing registered user and entering the correct password. The guest account would be rejected due to security, but my AD account would be accepted. My Mac decided to see the first rejection and decide that it didn't work.

I also found out that due to Transparency, Consent, and Control in macOS, as I upgraded employees to newer versions of macOS they'd have to grant permission to allow the AppleScript to run, and that wasn't a good solution going forward. Using NoMAD to handle this would resolve that issue without creating a bunch of future work for myself trying to get our current system to work inside TCC.

After many hours of hard work I finally got it working and I wanted to share my process for others to be able to find when they Google, “How to Set Up NoMAD Shares Menu.”

Guide: How to Set Up NoMAD Shares Menu

After a description fit for a recipe blog, here is the process I went through to set it up. This document assumes that NoMAD is already running in your environment. The NoMAD Kbase is a great resource for this.

The first thing, which isn't mentioned in the documentation, is to set the key MenuFileServers in the NoMAD preference file. It is described in the NoMAD Kbase article Preferences and What They Do as “Changes the menu text of the File Servers menu.” But what I found is that it was required to actually get the menu item to appear in NoMAD. Your key will be added to your preference file like so:

<key>MenuFileServers</key>
<string>Company File Share</string>

After that the setup becomes more straightforward. To test this quickly, create the file ~/Library/Preferences/menu.nomad.shares.plist in XML format, either in a text editor using the example provided as the base, or by using ProfileCreator to create a configuration profile to test.

As you make changes, make sure to run killall cfprefsd and then quit and relaunch NoMAD to see those reflected. Incidentally, this is also a great way to test if the LaunchAgent is working.

I used a text editor to create mine.

Here is an example file (NOTE: My environment doesn't utilize the AD home folders so I don't have a mention of that, but based on the documentation, it's pretty similar.):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Shares</key>
        <array>
            <dict>
                <key>AutoMount</key>
                <false/>
                <key>ConnectedOnly</key>
                <true/>
                <key>Groups</key>
                <array/>
                <key>Name</key>
                <string>File Share</string>
                <key>Options</key>
                <array/>
                <key>URL</key>
                <string>smb://server.domain/fileshare</string>
            </dict>
        </array>
        <key>Version</key>
        <string>1</string>
    </dict>
</plist>

In our environment it makes more sense for the time being to not auto-mount the drives so I set that to false. One thing to note is these drives do appear for everyone and you must make references to each share that's on your network. My XML file contains roughly 24 different shares.

Groups don't need to be declared unless you plan to use AutoMount. Even if AutoMount is set to true, a share won't mount unless there is also a list of groups that may AutoMount the drive and the user is in one of those groups. The same is true of the ConnectedOnly key: it's set to true, but it requires the groups to be declared to be used. I kept this as true because if we do move to AutoMount in the future, I don't want NoMAD to attempt this if someone isn't connected to the network.
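
A linter for the share file, as an added example (not from the original post or the NoMAD project): it builds a menu.nomad.shares plist from a table of shares and flags entries where AutoMount is set without Groups, as described above. The function names, the sample rows, and the credential and duplicate checks are assumptions added here.

```python
import plistlib
from urllib.parse import urlsplit

def build_shares_plist(rows):
    """Serialize (name, url, groups, automount) rows in the page's share layout."""
    shares = [{"AutoMount": automount, "ConnectedOnly": True, "Groups": list(groups),
               "Name": name, "Options": [], "URL": url}
              for name, url, groups, automount in rows]
    return plistlib.dumps({"Shares": shares, "Version": "1"}, fmt=plistlib.FMT_XML)

def lint_shares_plist(xml_bytes):
    """Return human-readable findings for a menu.nomad.shares plist."""
    try:
        root = plistlib.loads(xml_bytes)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    shares = root.get("Shares") if isinstance(root, dict) else None
    if not isinstance(shares, list):
        return ["top-level Shares array is missing"]
    findings, seen = [], set()
    for index, share in enumerate(shares):
        if not isinstance(share, dict):
            findings.append(f"entry {index}: not a dict")
            continue
        label = share.get("Name") or f"entry {index}"
        if not share.get("Name"):
            findings.append(f"{label}: Name is missing")
        url = urlsplit(str(share.get("URL", "")))
        if not url.scheme or not url.hostname or url.path in ("", "/"):
            findings.append(f"{label}: URL needs scheme, server and share name")
        # Added check (assumption): a distributed profile should not carry logins.
        if url.username or url.password:
            findings.append(f"{label}: URL embeds credentials")
        # Per the page: AutoMount does nothing without a Groups list.
        if share.get("AutoMount") is True and not share.get("Groups"):
            findings.append(f"{label}: AutoMount set but Groups is empty")
        key = (label, url.geturl())
        if key in seen:  # added check (assumption): same share listed twice
            findings.append(f"{label}: duplicate entry")
        seen.add(key)
    return findings

# Constructed sample rows; server.domain is the page's placeholder host.
SAMPLE_ROWS = [
    ("Design", "smb://server.domain/design", [], False),
    ("Finance", "smb://server.domain/finance", [], True),
    ("Scans", "smb://scanuser:example-pw@server.domain/scans", ["Staff"], False),
    ("Design", "smb://server.domain/design", [], False),
]
```

Running lint_shares_plist on the file before wrapping it in a configuration profile catches these entries while they are still easy to fix.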

Also note that if you have nested groups in your AD that have access to shares you will also need to add the key RecursiveGroupLookup as true to your NoMAD preferences as well.

For me it looks like this:

<key>RecursiveGroupLookup</key>
<string>1</string>

Depending on the size of your Active Directory, this can require a lot more processing power to use, but because the app runs constantly, it shouldn't generally be noticeable.

But that's really all there is to it! You should have a working file share menu in your NoMAD. I distributed the plist as a configuration profile in Jamf using Custom Settings, affecting the Preference Domain menu.nomad.shares.

I hope this guide was helpful. If you have feedback, you can find me on the MacAdmins Slack as @PaperFixie.