Change Password for Keychain "login" greyed out

jerdill
New Contributor III

I have been testing the removal of admin rights for some of the users in our environment running macOS. One issue that has come up is the ability to change the password for Keychain "login". For a standard user that option is greyed out. If we grant them admin rights again, that option returns.

I know they could just use the Users and Groups option in System Prefs to change the password, but some of our users change their password using a Windows box and then want to sync up the Mac after the fact. Just logging out and logging back in using the new password doesn't always prompt the sync.

Is there a plist file or some system file we can change permissions on to allow a standard user to change the login keychain password? It seems strange that that would be locked down, as it's not really a system change.

Also, just in case anybody wonders, yes, the "lock" icon has been unlocked already, but the menu item still shows as greyed out.

Thanks for any help!

7 REPLIES

nomeelnoj
New Contributor III

Why are you removing admin rights? I know this isn't a solution, but just let them have admin and your problem goes away. AFAIK there is no way to do what you are asking.

jerdill
New Contributor III

Our organization is rolling out a few tools for Data Loss Protection. We don't want the users to be able to remove that protection. We also want to limit software installation to approved installs. We do have some controls in place to limit this, but if someone has admin rights, there is nothing stopping a knowledgeable user from getting around the controls.

SHC
New Contributor II

I'm having the same issue of "Change password for Keychain login" being greyed out, even with an admin user. I have only one Configuration Profile for "Security & Privacy", for enabling escrow of the FileVault key. Is there some way I could have inadvertently set this somewhere else?

jerdill
New Contributor III

Found a fix; not as user-friendly, but it works.

The user would have to open a Terminal prompt and type in "security set-keychain-password". It will then prompt for the old PW and then the new PW twice.

That seems to do the trick and works without admin rights.
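The procedure jerdill describes, as an added example script rather than anything posted in the thread. It wraps the `security set-keychain-password` call with a check that the login keychain exists at its default location (`login.keychain-db` on 10.12 and later, `login.keychain` before that, both assumed here), notes whether the user happens to be an admin, and verifies the change by locking and unlocking the keychain afterwards. No passwords are passed on the command line, so they do not show up in the process list or shell history; `security` prompts for them itself. The script name and the `run` argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: change the login keychain password from
# Terminal as a standard user, wrapping the `security set-keychain-password`
# call with a few checks. Usage (assumed name): sh change-login-keychain.sh run
set -e

# Location of the per-user login keychain. 10.12 and later use the -db suffix;
# fall back to the older name if the new one is absent. Assumes the default
# location under ~/Library/Keychains.
login_keychain_path() {
    if [ -f "$HOME/Library/Keychains/login.keychain-db" ]; then
        printf '%s\n' "$HOME/Library/Keychains/login.keychain-db"
    else
        printf '%s\n' "$HOME/Library/Keychains/login.keychain"
    fi
}

# Report whether the current user is in the admin group. Informational only:
# the password change below does not need admin rights.
is_admin_user() {
    dseditgroup -o checkmember -m "$(id -un)" admin >/dev/null 2>&1
}

change_login_keychain_password() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; this only works on macOS" >&2
        return 1
    fi
    kc=$(login_keychain_path)
    if [ ! -f "$kc" ]; then
        echo "login keychain not found at $kc" >&2
        return 1
    fi
    if is_admin_user; then
        echo "note: $(id -un) is an admin; this works for standard users too"
    fi
    # With no -o/-p options security(1) prompts for the old and new passwords
    # itself, so they never appear in the process list or shell history.
    # Enter the new login password as the new keychain password so the
    # keychain unlocks automatically at login again.
    security set-keychain-password "$kc"
    # Verify: lock the keychain and unlock it again (security prompts for the
    # password interactively). A failure here means the change did not take.
    security lock-keychain "$kc"
    security unlock-keychain "$kc"
    echo "password changed for $kc"
}

# Only act when asked to, so the file can be sourced to reuse the functions.
if [ "${1:-}" = "run" ]; then
    change_login_keychain_password
fi
```

If the old password prompt is rejected, the keychain is still protected by whatever password was set before the directory password was changed elsewhere (the Windows-side change in the original question), so that is the one to type at the "old password" prompt.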

martino
New Contributor

Make a temporary new keychain, right-click it to make it the default. Now you can change the password on the old keychain. Make the old one the default again. You can now delete the temp keychain.

evan684
New Contributor II

I'm also running into this issue; anyone know why this is happening on 10.13?

security set-keychain-password does work fine for me, but it's not great for users who need to change their keychain password.

jtrant
Valued Contributor

@stonehill-jamf What version of Jamf Pro are you running? There's a known issue (fixed in 10.5, I believe) whereby adding a "Security & Privacy" payload adds an additional "Restrictions" payload even though it's not visible in Jamf. I recommend that you download the profile manually and view the details so you can see if any restrictions are inadvertently causing this behaviour.

There's a great article on this here: https://derflounder.wordpress.com/2018/01/15/filevault-recovery-key-redirection-profile-changes-in-macos-high-sierra/

Personally, I downloaded the configuration profile from Jamf, stripped the signing, edited the resulting plist, signed it and re-uploaded it. Because it was signed, Jamf couldn't make any changes to the profile and only the settings I wanted (escrow of the FV2 key) applied.
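The inspect, edit and re-sign workflow jtrant describes, as an added example script that is not jtrant's own. It strips the CMS signature from a downloaded `.mobileconfig` with `security cms -D`, lists the `PayloadType` of every payload so an unexpected Restrictions payload (`com.apple.applicationaccess`) stands out next to the FileVault escrow payload (`com.apple.security.FDERecoveryKeyEscrow`), and re-signs the edited plist with `security cms -S` using a certificate from the login keychain. The payload listing is plain awk so it runs anywhere; the embedded sample profile is constructed for illustration and is not a real Jamf export, and the script name, the `inspect` subcommand and the certificate nickname are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a configuration profile downloaded
# from Jamf for payloads you did not intend to ship, then re-sign it so the
# server cannot alter it on upload.
# Usage (assumed name): sh check-profile.sh inspect profile.mobileconfig "Cert Nickname"
set -e

# Print the PayloadType of every payload in an XML plist read on stdin.
# A <key>PayloadType</key> line is followed by its <string> value; any other
# <key> in between resets the match so values are never misattributed.
list_payload_types() {
    awk '
        /<key>PayloadType<\/key>/ { want = 1; next }
        want && /<key>/ { want = 0 }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; want = 0
        }'
}

# Succeed if a Restrictions payload is present in the plist on stdin.
has_restrictions_payload() {
    list_payload_types | grep -qx 'com.apple.applicationaccess'
}

# Constructed sample: an escrow profile that has picked up an extra
# Restrictions payload. Not a real export; keys are kept to a minimum.
SAMPLE_PROFILE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>example.escrow</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.FDERecoveryKeyEscrow</string>
      <key>PayloadIdentifier</key>
      <string>example.escrow.fde</string>
    </dict>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key>
      <string>example.escrow.restrictions</string>
    </dict>
  </array>
</dict>
</plist>'

# Full workflow on a real file (macOS only, needs security(1)).
inspect_and_resign() {
    signed=$1
    cert_nickname=$2
    unsigned=${signed%.mobileconfig}-unsigned.mobileconfig
    resigned=${signed%.mobileconfig}-resigned.mobileconfig
    # Strip the CMS signature to get the editable XML plist.
    security cms -D -i "$signed" -o "$unsigned"
    printf 'payloads in %s:\n' "$signed"
    list_payload_types < "$unsigned"
    if has_restrictions_payload < "$unsigned"; then
        echo "WARNING: Restrictions payload present; remove it from $unsigned, then re-run" >&2
        return 2
    fi
    # Sign with a certificate (by keychain nickname) so Jamf cannot change the
    # contents after upload; only the payloads listed above will apply.
    security cms -S -N "$cert_nickname" -i "$unsigned" -o "$resigned"
    echo "signed profile written to $resigned"
}

if [ "${1:-}" = "inspect" ]; then
    inspect_and_resign "$2" "$3"
fi
```

Run against the constructed sample (`printf '%s\n' "$SAMPLE_PROFILE" | list_payload_types`) the listing shows `Configuration`, the escrow payload and the stray `com.apple.applicationaccess`, which is the payload to delete from the unsigned plist before signing.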