Posted on 04-15-2015 01:24 PM
At one particular client, I noticed that a couple of newly-imaged 10.10.x clients had different settings by default. One had the "Synchronize login keychain password with account" option enabled, one didn't.
Today I had time to check at another client that has about 100 seats, all imaged to 10.10.2, some updated to 10.10.3, within the last month. 85-90% of them had this option checked, the remainder had it unchecked, and it is unlikely that a previous user preference was migrated, or that these users even had reason to open Keychain Access.
I was able to view it via (running as the user)
defaults read ~/Library/Preferences/com.apple.keychainaccess.plist SyncLoginPassword
I was able to fix it via (running as the user):
defaults write ~/Library/Preferences/com.apple.keychainaccess.plist SyncLoginPassword -bool YES
Wondering if anyone else can confirm that this login.keychain password synchronization isn't consistent by default across multiple computers in an enterprise.
Posted on 04-15-2015 01:50 PM
Showing up consistently as checked on my machines. Imaging a machine right now, I'll tell you if it's ticked or not when it finishes.
edit: It showed up as checked.
Posted on 04-15-2015 01:52 PM
On my few test 10.10 Macs, the option is enabled, but the entry in the plist doesn't actually exist. Running the defaults read command just generates an error and upon closer inspection, that item isn't there. Yet, its enabled, so on my systems at least, its getting this value by default from somewhere.
Posted on 04-15-2015 01:58 PM
I had some machines without it present in the plist, and some with it turned off (0).
Posted on 04-15-2015 05:00 PM
@RobertHammen - is there any Casper commonality between the affected machines? A piece of software or a policy that ran on them. It really seems like a plist is either being editing or copied in.
Posted on 12-02-2015 07:57 PM
Noticing a quirk in this setting myself this morning I did some digging around and spotted this thread so thought I'd add what I discovered.
I've found that if you use Keychain Access to update the login keychain password then this setting will get disabled automatically.
Additionally, if someone chooses "Continue Log In" when shown the Login Keychain UI during login then enters the correct password on any prompt that asks for the keychain password, this will also disable the setting.
I hope this helps to explain why there may be some discrepancies between clients.