Keychain and Active Directory users

Once you get ADPassMon working for you, you can hammer into users' heads to "NOT LET THE PASSWORD EXPIRE!" Sometimes a social solution is needed for a technical problem.

That being said, I use ADPassMon with a Launchdaemon and pre-defined preferences for the expiration period etc. to make sure it is there for every user. Even with ADPassMon in place, users still forget... OR they DO change their passwords correctly and for some unknown reason, the keychain still goes kablooey. For those instances, I have a Self Service policy that just deletes the entire /Users/<currentuser>/Library/Keychains/ folder and forces a reboot. It's not an elegant solution but it gets the job done.

+1 with @AVmcclint

@DanJ_LRSFC unfortunately, what you describe is one of the pain points to Macs integrated into AD environments. Especially when passwords are changed outside of the Mac. We use a web site that was written internally to have users change their AD passwords, but because there is no way to script the updating of the Keychain password, we have the same problems.

Our solution is education. We have hammered into our user's heads that the process is to change the password on the web site, and then use Keychain Access to update their keychain password immediately. We tried the "log out of your account" route, but could never reliably get the OS X keychain minder to open and ask the user to update their keychain password.

For those that do not remember to do this, or cannot remember their keychain password, I have a Self Service policy that does as @AVmcclint has done, and deletes the Keychain file and re-creates it. The downside to my solution (not deleting the entire folder contents) is that if the user has signed in to iCloud they could have a Local Items folder that they then get alerted to. I may have to use Clint's method of nuking the entire folder.

Things get a little more complicated when you're dealing with FileVault enabled systems. Usually in those cases, once you can unlock the computer with a valid password (usually via local admin account), the filevault password should sync up after a few minutes.

I nuke the whole Keychains folder because there are separate keychains or certificates that relate to Microsoft Lync and if those aren't deleted, the user still has problems with logging in to Lync. Instead of spending a lot of time trying to single out the numerous individual issues that will be affected, I just blow the whole thing out and gently remind the user that if they don't want to lose their saved (non-AD) passwords, it is important that they heed the NUMEROUS warnings ADPassMon gives them. Before I implemented ADPassMon here, password expirations were probably the #1 Mac issue the helpdesk had to deal with. Now I can say that I've only had to deal with 3 instances of the passwords expiring or getting changed in a different location in the past year... and one of those was someone who was out on maternity leave when her password expired.

You have to educate the users. It really is the best way, but the importance has to be stressed repeatedly until it sinks in. The very first thing I tell new hires (after introducing myself) is the password expiration policy and ADPassMon.

If you want to proactively assist users, you can even make an Extensions Attribute in Casper to read the user's com.pmbuko.ADPassMon.plist preference file to look for the menu_title key and report the value (which is the number of days until expiration). Then you can display that EA in your All Computers view in JSS or create a smart group or whatever you want so you can alert users when you see that their passwords will expire soon. Nudge them until they get the picture that they need to take action before it's too late.

To add security to ADPassmon for your users and specially for those always-remote-users on vpn etc, add Kerbminder as you can choose to integrate it with latest version of ADPassmon

KerbMinder is a tool for Mac OS X that keeps a logged-in user's Kerberos ticket current by attempting to renew or refresh it automatically any time the network state changes

So I guess the two main questions I have now then are:

1. Is there any way to disable or not show the system prompt regarding the keychain?
2. What do I need to do to get ADPassMon working in such a way that it will immediately activate after logon if there's a keychain issue?

We're not using FileVault at the moment so that would not be an issue.

I have seen KerbMinder before (and that it integrates with ADPassMon) but I didn't quite grasp what it was for? If it's for VPNs, that's not a usage scenario that we have at the moment.

I have just recently added ADPassmon to our environment but this is what we have running.

To avoid that expiration is not checked by OS X we edit /Library/Preferences/com.apple.loginwindow.plist
Add this key :
<key>PasswordExpirationDays</key>
<integer>0</integer>

For configuration of ADPassmon i run a script in the policy for ADPassmon that runs after package is done.

#!/bin/bash

    defaults write /Users/$3/Library/Preferences/org.pmbuko.ADPassMon enableNotifications -bool true
    defaults write /Users/$3/Library/Preferences/org.pmbuko.ADPassMon selectedMethod -int 1
    defaults write /Users/$3/Library/Preferences/org.pmbuko.ADPassMon warningDays -int 14
    defaults write /Users/$3/Library/Preferences/org.pmbuko.ADPassMon pwPolicy "Your password needs to be at least 8 characters long and cannot be a password you've used previously."
    defaults write /Users/$3/Library/Preferences/org.pmbuko.ADPassMon selectedBehaviour -int 2
    defaults write /Users/$3/Library/Preferences/org.pmbuko.ADPassMon prefsLocked -bool true
    chown $3 /Users/$3/Library/Preferences/org.pmbuko.ADPassMon.plist

For ADPassmon to be persistent, use this Launch Agent settings.

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
    <key>Label</key>
    <string>org.pmbuko.ADPassMon</string>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>Program</key>
    <string>/Applications/ADPassMon.app/Contents/MacOS/ADPassMon</string>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

Has anyone have ADPassMon working with 10.11.5?

Logs show that it launches but then does nothing, version 2.20.19 of ADPassMon, noticed this now on a number of 10.11.5 computers, both Laptops and Desktops.

You need to update ADPassmon to 2.20.20, we had same issue as it shows values that are way off reality. If you have the ADPassmon as persistent then it works with a silent installation but the Mac needs to be restarted for the new version to take effect.
v.2.20.20

I tried ADPassMon installed from Autopkgr - I haven't sent it further then my test base at the moment, ran the package and it sent fine, but they asked for admin credentials to open the app, which was the first annoyance, then I have never been able to get it to update keychain!

Maybe thats because I thought it was automatic so when they reset through ADPass it would update the keychain? Possibly where I've gone wrong! Still need to get it past the admin credentials first!

The one that always gives us a problem is that darned "Local Items" keychain. We have been testing ADPassMon with settings similar to @Jens.Mansson, and it seems to be working.

But, as everyone else has said, education is key.

The Apple Professional Services team has developed a tool called Enterprise Connect.
It can help to prevent Keychain challenges.
It is verbosely discussed in this JAMF Nation post. https://jamfnation.jamfsoftware.com/discussion.html?id=17757

An Enterprise Connect Demo is scheduled for next week.
Thursday, June 2, 2016
2:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr

Register
After your request has been approved, you'll receive instructions for joining the meeting. Note: if the Registration site asks for a meeting #, use: 740 248 728

@ericbenfer so this is where you advertise a product that should be standard but cost 5500$ ? .....

@itupshot as far as I'm aware ADPassMon won't help with the local items keychain. You should join the #adpassmon Slack channel.

We use ADPassMon as well, but users are stupid. So if all else fails, I have a policy in Self Service that runs a script to delete their keychain files and automatically reboot. Yes, this may delete all their saved passwords, but that's what they get for being stupid enough to not manage their password correctly.

ADPassMon is no longer maintained on GitHub. Is there a .dmg file for it?

Update: This was buried pretty deep but I found a dmg...

https://github.com/macmule/ADPassMon/releases/tag/2.20.19

@Maxalot You may want to look at some newer tools like NoMAD, which is more or less a replacement for ADPassMon, among other things. NoMAD has additional functionality that you may or may not need to use, but I would at least take a look at it rather than using something that isn't being updated anymore. As far as I know, ADPassMon is EOL'd so come new OSes it may stop working. That likely won't happen with NoMAD.

Thanks @mm2270 I would love to use NoMAD but that's not my decision. So I have to use what I can wrangle together on my own. Sometimes when people see things going well and then suddenly an app breaks and they have no choice but to replace the broken app, that's when they make a favorable choice. Sad but true.

We were constantly having issues with our AD bound macs and mobile accounts in our mixed macOS and Windows environment. - Filevault/keychain/user passwords would get out of sync when a user changed their passwords, especially if they changed their network password on their windows machine, if they have one.

We went the Enterprise Connect route and now use local accounts, the switch has been incredibly smooth and we've not seen near as many issues with passwords.

I agree that $5500 is pricey for what the product is, but realistically, you're not paying for the software, you're paying for the 2 day onsite jumpstart for EC. We went with EC because they have enterprise support.

@LovelessinSEA Have you guys had your users passwords expire yet. We use local accounts w/ EC and are about to hit that time. Wondering how this will work. Most users will change on their Macs at work. That seems to go well. Its the users who change via our portal and then try to log in to the Mac before it can connect to our DCs in our Org. Using the old password might confuse them.