Issues deleting keychain entry Catalina

grant_smith95
New Contributor

Hi all,

I've seen a few keychain deleting threads but unfortunately none have helped thus far. I want to be able to delete the below login keychain with a command.
3ac1455ae0104c229e6a782c0e413a9c

The command i've tried to use is:

sudo /usr/bin/security delete-certificate -c com.apple.network.eap.user.item.wlan.ssid.PLATINUM

We have a setup where we have the following accounts on the Mac's:
Admin account (users don't have access to this)
User account

I'm unsure if this is due to it being a login keychain item, but I was under the impression that the login keychain items are within the users account so you had to delete through that rather than logging on to the admin account to delete.

Apologies if the above is not clear.

4 REPLIES 4

mm2270
Legendary Contributor II

It's a little unclear to me where the problem is coming in for you. Are you trying to use the above command in a Jamf policy and it's failing? Or are you trying to run that command as the local admin user in Terminal? In either case, the command has to be directed to the user's keychain where that item exists, since the security command assumes it should operate on the keychain of the account running the command by default. If you don't specify the logged in user's keychain, or if you don't run the command as them, it will likely fail. Are you doing either of those in this case?

grant_smith95
New Contributor

I was testing the command as both the user account (myself) and also after sudoing into an admin account, both did not work.

I've looked around and this is apparently the correct command to use which specifies the logged in user:
Grant.Smith$ sudo “$loggedInUser” -c ‘/usr/bin/security delete-certificate -s com.apple.network.eap.user.item.wlan.ssid.PLATINUM’
Password:
Grant.Smith is not in the sudoers file. This incident will be reported.
Grant.Smith$

Then the same result for the admin account:

baf61d9b3ba9407a8ae68dc7ca4c47c7

mschroder
Valued Contributor

I think you should read a bit more about the sudo command, its usage and its syntax. 'sudo' is not the same as 'su'.

If 'Grant.Smith is not in the sudoers file' Grant.Smith can not use sudo.

If you want to run the command with sudo as another user you have to use the '-u' option, not just add the user.

As far as I know 'sudo' has no option '-c'.

It looks as if $loggedInUser in the example above is not defined.

The behaviour of the command when running this via the MDM (as root) is very different from the behaviour when you run it as a logged in user. When you run as root and you want to delete something from a user keychain you will have to specify that keychain explicitly. That's why it is important to know whether the certificate is in the system keychain or a user keychain.

bradsschroeder
Moderator
Moderator

I have changed the tag from Jamf Nation to Scripts. If you disagree with this change please let me know.