Help

Issues deleting keychain entry Catalina

grant_smith95
New Contributor

Posted on ‎02-19-2020 07:10 AM

Hi all,

I've seen a few keychain deleting threads but unfortunately none have helped thus far. I want to be able to delete the below login keychain with a command.
3ac1455ae0104c229e6a782c0e413a9c

The command i've tried to use is:

sudo /usr/bin/security delete-certificate -c com.apple.network.eap.user.item.wlan.ssid.PLATINUM

We have a setup where we have the following accounts on the Mac's:
Admin account (users don't have access to this)
User account

I'm unsure if this is due to it being a login keychain item, but I was under the impression that the login keychain items are within the users account so you had to delete through that rather than logging on to the admin account to delete.

Apologies if the above is not clear.

Labels:
0 Kudos
4 REPLIES 4

mm2270
Legendary Contributor III

Posted on ‎02-19-2020 08:34 AM

It's a little unclear to me where the problem is coming in for you. Are you trying to use the above command in a Jamf policy and it's failing? Or are you trying to run that command as the local admin user in Terminal? In either case, the command has to be directed to the user's keychain where that item exists, since the security command assumes it should operate on the keychain of the account running the command by default. If you don't specify the logged in user's keychain, or if you don't run the command as them, it will likely fail. Are you doing either of those in this case?

0 Kudos

grant_smith95
New Contributor

Posted on ‎02-20-2020 02:23 AM

I was testing the command as both the user account (myself) and also after sudoing into an admin account, both did not work.

I've looked around and this is apparently the correct command to use which specifies the logged in user:
Grant.Smith$ sudo “$loggedInUser” -c ‘/usr/bin/security delete-certificate -s com.apple.network.eap.user.item.wlan.ssid.PLATINUM’
Password:
Grant.Smith is not in the sudoers file. This incident will be reported.
Grant.Smith$

Then the same result for the admin account:

baf61d9b3ba9407a8ae68dc7ca4c47c7

0 Kudos

mschroder
Valued Contributor

Posted on ‎02-20-2020 02:55 AM

I think you should read a bit more about the sudo command, its usage and its syntax. 'sudo' is not the same as 'su'.

If 'Grant.Smith is not in the sudoers file' Grant.Smith can not use sudo.

If you want to run the command with sudo as another user you have to use the '-u' option, not just add the user.

As far as I know 'sudo' has no option '-c'.

It looks as if $loggedInUser in the example above is not defined.

The behaviour of the command when running this via the MDM (as root) is very different from the behaviour when you run it as a logged in user. When you run as root and you want to delete something from a user keychain you will have to specify that keychain explicitly. That's why it is important to know whether the certificate is in the system keychain or a user keychain.

0 Kudos

bradsschroeder
New Contributor III

Posted on ‎06-04-2020 07:18 AM

I have changed the tag from Jamf Nation to Scripts. If you disagree with this change please let me know.

0 Kudos