AD Login P-Word & iCloud Keychain

JimAllsop
New Contributor

What if you actually want to use the iCloud Keychain in your AD environment? Let me give you the cliff notes on our setup. (Keep in mind I inherited this system; I am the new help desk manager.)
- 500 plus Mac users. (We enable root and an admin account, then add users. They are ALL local admins. Yeah, I know, bad idea.)
- Bound to AD.
- First.Last and AD password is required to log into their Mac.
- Password set to NEVER expire. (Yeah, I know, bad.)
- 120 iPads and growing.
- Windows Servers. (We still have a bunch of PCs.)
- Staff Wi-Fi is accessed by the user's AD credentials.
- If someone has to have their Mac repaired or serviced they simply write their user name and password down and hand it to my staff! (Yeah, I know, even MORE of a bad idea.)

With that said I have my orders.... NO CHANGES to the password system unless I can make it easy and SIMPLE!

Here is what I would like to have happen.
1. If the user goes to System Prefs and changes their user password I want it to change the keychain password, as well as their staff Wi-Fi, as well as their Outlook for Mac or Mail app.
2. I also want it to do this on their iOS devices.

I have been trying several different variations of the settings described at https://jamfnation.jamfsoftware.com/discussion.html?id=7783 and I am not having any luck. I still get asked for the original keychain password.

Apple says (http://support.apple.com/kb/ht1631) that it should. But clearly I am missing something, or what I am asking is just not possible. Either way, I have only been in this position for a few weeks and this is something I want to change last week if not sooner!

Thanks in advance for your help!

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

We're in an AD shop as well. When I change my password in System Preferences > Users & Groups or in Security & Privacy, it will update my login keychain (as well as my FileVault 2 information, so I can unlock my system at boot time) because my login.keychain is unlocked (I'm logged in). It does not, and will not ever, auto update items like Outlook or Mail.app settings for the password or other applications that might have stored account information. This is expected behavior. I don't think there's an easy way to get other saved passwords to update to the login keychain, since they are usually stored within an app, or in some keychain entry within the login.keychain.

If you're being prompted for your old password when following those steps, it sounds like your login.keychain isn't really unlocked, or isn't staying unlocked. There's a setting in Keychain Access while in your login.keychain, under the Edit menu, called "Change settings for keychain login". Look at the "Lock after 'X' minutes of inactivity" to see if that's checked. It may be locking on you and not prompting to unlock it when you change your password.

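The check in the accepted answer (is the login keychain set to auto-lock on inactivity or sleep?) can be scripted for a fleet instead of clicked through in Keychain Access. This is an added example, not code from the thread or from Jamf; it parses the output of `security show-keychain-info`, whose format it assumes to be `Keychain "<path>" [lock-on-sleep ]timeout=<N>s` or `... no-timeout`, and the login keychain path it probes is the usual one, not something the thread states.

```shell
#!/bin/sh
# Added example: audit the login keychain auto-lock setting that mm2270's
# answer says will break the password-change sync. Parses lines such as
#   Keychain "/Users/jim/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
#   Keychain "/Users/jim/Library/Keychains/login.keychain-db" no-timeout
# (assumed `security show-keychain-info` output format).

# Print the inactivity timeout in seconds; 0 means it never locks on inactivity.
# Returns 1 if the line is not in the expected format.
keychain_timeout_seconds() {
    secs=$(printf '%s\n' "$1" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    case "$1" in
        *no-timeout*) echo 0 ;;
        *)            [ -n "$secs" ] && echo "$secs" || return 1 ;;
    esac
}

# Exit 0 if the keychain is configured to lock when the system sleeps.
keychain_locks_on_sleep() {
    case "$1" in
        *lock-on-sleep*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Verdict: "ok" when nothing will lock the keychain behind the user's back,
# otherwise the reason (exit 1) or "unparseable" (exit 2).
keychain_verdict() {
    t=$(keychain_timeout_seconds "$1") || { echo "unparseable"; return 2; }
    if [ "$t" -gt 0 ]; then echo "auto-locks after ${t}s"; return 1; fi
    if keychain_locks_on_sleep "$1"; then echo "locks on sleep"; return 1; fi
    echo "ok"
}

# Live use on a Mac, run as the logged-in user (e.g. from a Jamf policy):
# the keychain file name differs between older and newer macOS releases.
audit_login_keychain() {
    kc="$HOME/Library/Keychains/login.keychain-db"
    [ -f "$kc" ] || kc="$HOME/Library/Keychains/login.keychain"
    keychain_verdict "$(security show-keychain-info "$kc" 2>&1)"
}
```

If the verdict is not "ok", `security set-keychain-settings "$kc"` with no options clears both the inactivity timeout and the lock-on-sleep flag, which is the command-line equivalent of unchecking the boxes in Keychain Access.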

7 REPLIES

bentoms
Release Candidate Programs Tester

Is it the "login" keychain's password you're being asked for, or another keychain?

JimAllsop
New Contributor

It asks for several, the login being one of them.

alexjdale
Valued Contributor III

In our AD bind scenario, changing the password in System Prefs (while that user is logged in of course) updates the Login keychain all the time. I wouldn't expect any other keychains to change because they are not synced to the AD password, but I haven't tested that.

That said, someone needs to really stand up for security and enact change, even if it is a little inconvenient for some people. That is not really your job as help desk manager, but whoever is your IT director or whatnot.

JimAllsop
New Contributor

@alexjdale there are quite a few login items for us that are bound to AD. Like staff wi-fi, help desk system, staff websites, and more. I agree this is a huge issue regarding security, we are working on it. :)

bentoms
Release Candidate Programs Tester

@JimAllsop, we're an AD shop with passwords expiring every 30 days. We use Keychain Minder (http://derflounder.wordpress.com/2012/07/06/keychain-minder/) post-login to prompt the user to unlock their login keychain, and it works fine.

This should unlock the login Keychain by updating it with the new password.

Can you verify that the Login Keychain is definitely locked, and not the Login-items one?

JimAllsop
New Contributor

@bentoms yes, I have done it both ways. Let me ensure I have communicated properly.

If the Login Keychain is locked, when the user changes their AD password in system prefs it will NOT update the login keychain password? Am I understanding this correctly?
