NoMAD vs AD joined workstations

Can anyone speak to the pros vs cons of using NoMAD vs an AD joined workstation and vice versa? I have been domain joining Macs for two reasons: connecting to an SMB share without having to type in credentials again, and including an AD workstation admin group to allow me to log on to any Mac workstation with admin privileges to manage it if needed.

No pros or cons here. After being exposed to NoMAD I plan to use it in our environment but continue to join the domain with my Macs. It is on my current project list and I plan to install it for a user later this week. What I am hoping is to link up their local login with their AD login so they are the same.

I think David mentioned in his Ten Talk that we’re running NoMAD on both domain joined and non-domain joined Macs. Our experience shows that the non-domain joined systems just seem to work more reliably overall and have noticeably faster login times and just less ‘weird stuff.’ Plus we don’t fight with the constant issues Apple seems to create with every new release of macOS (I’m half-convinced they don’t do QA testing against AD-joined systems…)
NoMAD solves the SMB access without retyping passwords problem.

With all that said, you DO lose the admin group for logins. We solve that by creating a unique local admin account on each system we manage. Only our team has the password for that account and it’s never given to end users.

I hope that info helps. If you have any more questions, feel free to reply. I’m sure others are wondering the same thing and we’re happy to share our experiences if it helps others.

Last year there was a lot of talk about spinning up a macOS server to help manage Macs. Is that still needed when using NoMAD?

NoMAD has zero interaction with a macOS server. You can use NoMAD whether you use a macOS server or not. It really makes no difference.
There are other things a macOS server can do (caching updates, sharing printers, etc.) but those things are independent of what NoMAD provides. NoMAD is all about making logins/authentication easier for users with AD accounts.

I’m bummed I missed that 10 talk. I’ve been reading up to see what all this NoMAD talk is about and I’m not seeing the benefit, so I must be missing something. We almost never have problems with our domain joined Macs and authentication, and we use Jamf Pro now as well. What would I get for the extra money?

First off: NoMAD is 100% free. So your only ‘cost’ is time to learn/implement it. That’s certainly a big part of the attraction.

If you have no issues with your AD-bound Macs today, then you may not find any real value in NoMAD. For us, we have seen the following benefits:

  • password expiration reminders
  • Nearly complete elimination of keychain issues
  • simple method for changing password (menubar icon)
  • continued bugs from Apple with domain-bound systems (slow login, can’t update password, etc.). Without binding, we eliminate these and any future macOS with AD issues.
  • improved login speeds. AD bound systems tend to just be slower to log in. Baffling, but we can reproduce on-demand at several clients.
  • Looking at auto-mounting and 1-click-mounting of network shares
  • Simplified WiFi connections for 802.1x user-based authentication

Thanks! I saw the support prices and the Pro version and didn’t know there was a free version. I’ll have to take a look at it. The password piece would be helpful. I was looking at AD Self Service Plus for a while. It has a nice web server that lets you do password changes but I ran into keychain problems then. This might be better.
