Keychain Access: "Synchronize login keychain password with account" pref variation

RobertHammen
Valued Contributor II

b0b90effd00347cd83ee7a112ad2429f

At one particular client, I noticed that a couple of newly-imaged 10.10.x clients had different settings by default. One had the "Synchronize login keychain password with account" option enabled, one didn't.

Today I had time to check at another client that has about 100 seats, all imaged to 10.10.2, some updated to 10.10.3, within the last month. 85-90% of them had this option checked, the remainder had it unchecked, and it is unlikely that a previous user preference was migrated, or that these users even had reason to open Keychain Access.

I was able to view it via (running as the user)

defaults read ~/Library/Preferences/com.apple.keychainaccess.plist SyncLoginPassword

I was able to fix it via (running as the user):

defaults write ~/Library/Preferences/com.apple.keychainaccess.plist SyncLoginPassword -bool YES

Wondering if anyone else can confirm that this login.keychain password synchronization isn't consistent by default across multiple computers in an enterprise.

5 REPLIES 5

Aziz
Valued Contributor

Showing up consistently as checked on my machines. Imaging a machine right now, I'll tell you if it's ticked or not when it finishes.

edit: It showed up as checked.

mm2270
Legendary Contributor III

On my few test 10.10 Macs, the option is enabled, but the entry in the plist doesn't actually exist. Running the defaults read command just generates an error and upon closer inspection, that item isn't there. Yet, its enabled, so on my systems at least, its getting this value by default from somewhere.

RobertHammen
Valued Contributor II

I had some machines without it present in the plist, and some with it turned off (0).

pblake
Contributor III

@RobertHammen - is there any Casper commonality between the affected machines? A piece of software or a policy that ran on them. It really seems like a plist is either being editing or copied in.

deventer
New Contributor

Noticing a quirk in this setting myself this morning I did some digging around and spotted this thread so thought I'd add what I discovered.

I've found that if you use Keychain Access to update the login keychain password then this setting will get disabled automatically.
Additionally, if someone chooses "Continue Log In" when shown the Login Keychain UI during login then enters the correct password on any prompt that asks for the keychain password, this will also disable the setting.

I hope this helps to explain why there may be some discrepancies between clients.