- Jamf Nation Community
- Products
- Jamf Pro
- Re: Deleting SSID passwords from Local Item keycha...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Deleting SSID passwords from Local Item keychain
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-05-2022 01:20 PM
Hi folks. I'm trying to remove a password from Keychains for an SSID. We use a limited SSID just for device onboarding and occaisional emergency use. We don't want users selecting, using and saving it or its password past the initial onboarding. Usually they don't but as a precaution so our Deskside Support team doesn't get calls about semi-functional wifi, I'd like a mainenance script to just delete it.
Thanks to @mm2270 and their tips in 257493 and @bentoms for the-local-items-keychain-in-mavericks
If I issue this (less anonymized) command:
security find-generic-password -l my-SSID /Users/user.name/Library/Keychains/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/keychain-2.db
That returns:
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
This is puzzling because if I look in Keychain Access, I see the password saved in the "Local Items" (as well as the "System") keychain. Why can't it be found by the command? I've checked my spelling etc.
The script I've borrowed (from one of you here - thanks) that's trying to check in both Local Items and Login keychains:
#!/bin/bash
## $4 is the name of the SSID and whose password is to be removed.
## Logged in username
logged_in_user=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name : / && ! /loginwindow/ {print $3}')
mac_UUID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}')
if (security find-generic-password -l $4 /Users/$logged_in_user/Library/keychains/login.keychain-db|grep -o $4)
then
security delete-generic-password -l $4 /Users/$logged_in_user/Library/keychains/login.keychain-db
keychain: "/Users/$logged_in_user/Library/Keychains/login.keychain-db"
echo "Removed saved PW for #4 from Login Keychain."
elif (security find-generic-password -l $4 /Users/$logged_in_user/Library/keychains/$mac_UUID/keychain-2.db|grep -o $4)
then
security delete-generic-password -l $4 /Users/$logged_in_user/Library/keychains/$mac_UUID/keychain-2.db
keychain: "/Users/$logged_in_user/Library/Keychains/$mac_UUID/keychain-2.db"
echo "Removed saved PW for $4 from local items Keychain."
fi
Thanks much.
- Scott
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-07-2022 09:41 AM
Have you tried;
-a Match "account" string
That's worked for me in the past eg. security delete-generic-password -a "$4"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-08-2022 01:42 PM
Bol:
No, sorry, even using the -a switch it can't find the password in the keychain. Thanks for the suggestion.
- Scott
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-08-2022 05:46 AM
Take a look at the script I posted here https://community.jamf.com/t5/jamf-pro/remove-wireless-network-ssid/m-p/137084 It's designed to delete the remembered SSIDs except for a specific, required SSID, and whatever WiFi you happen to be on at the time the script is run. I have found that when you run this, not only does it delete the SSID, it also seems to forget the passwords. You can play around with it and see if it accomplishes what you need.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-08-2022 05:57 AM
I use a script similar to that (may have originally been based off of it). In my case it seems to forget the password as well. Although, I have it set to run at login and have noticed, if the device is connected to the SSID that is deleted, it will stay connected until a different SSID is switched to or a log out.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-08-2022 01:53 PM
Thanks @Fluffy, In my testing I found that if I deleted an SSID from the saved list while connected to that SSID, it disconnected me immediately. I wonder what would account for the difference in our experiences?
- Scott
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-08-2022 01:55 PM
Interesting. For comparison, here is the script I use:
RemoveSSID="your_ssid_here"
## Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
## Run a SSID removal if its present
networksetup -removepreferredwirelessnetwork $WirelessPort "$RemoveSSID" 2>/dev/nullOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-08-2022 01:49 PM
@AVmcclint , Thanks very much for that. I've gone and fetched your script and will try it out. For our purposes, removing all but one SSID may be a bit much. We'd like to remove just one or two and their associated passwords. I'll see if I can figure out how to adapt it. Thanks again.
- Scott
