Keychain Minder - opens after system keychain dialog

nextyoyoma
Contributor

We are trying to use Keychain Minder as a login item to keep users from seeing Apple's cryptic keychain dialog after an AD-initiated password change. The problem we are having is that Keychain Minder doesn't run until AFTER the system keychain dialog has appeared and been dismissed. Obviously, this defeats the purpose.

Also, I know that keychain minder is 5 years old, but I have yet to find another alternative. I'm open to other suggestions. Thanks.


rtrouton
Release Candidate Programs Tester

If you look in Keychain Access's Preferences, in the First Aid tab, you'll see a checkbox for Synchronize login keychain password with account. This setting is stored in ~/Library/Preferences/com.apple.keychainaccess.plist, so it's set on a per-user basis.

Relevant link: http://www.jaharmi.com/2009/08/29/sync_the_keychain_passphrase_with_the_login_account_password_in_sn...

You can enable or disable that checkbox using a defaults command:

To disable:
defaults write com.apple.keychainaccess SyncLoginPassword -bool false

To enable:
defaults write com.apple.keychainaccess SyncLoginPassword -bool true

You can also manage this through MCX.

daniel_behan
Contributor III

It's also now a default setting in Keychain Access, Preferences to sync the login password with the keychain, which performs the same task as Keychain Minder. After a password change, the next time a user logs in, they're prompted to either update their keychain password, create a new keychain, or simply ignore the prompt and log in (leaving them with a locked keychain).

nextyoyoma
Contributor

Thanks for the responses, but:

@rtrouton: This setting only works if you change the user's password through system preferences. AD-initiated password changes do not synchronize automatically.

@daniel.behan: The difference with keychain minder is that you can customize the message the user sees. Our users are going to get confused if they get prompted with some box about a keychain and a password. They have no idea what this means, and won't know which option to select.

rtrouton
Release Candidate Programs Tester

@nextyoyoma,

The Synchronize login keychain password with account setting is a little mislabeled. What it actually turns on and off is the keychain update window you see at the login window. I may not have understood what you meant, but I thought that's what you wanted to turn off.

marck
New Contributor III

I realize this is an old thread, but we've had lots of problems with the Keychain after a user changes their centralized Active Directory password. Users simply don't follow the on-screen instructions; they just ignore the issue, which seems to cause more problems with the Keychain. Additionally, if they did sync their Keychain with the login password, it would still be trying to use the old password to log in to mail or websites that use their centralized password. They continue their confusion and use the wrong password and end up locking themselves out of everything because of multiple wrong passwords. So I set up a Self Service tool to deal with it. We just instruct the user to use the tool when they run into the issue.

The script archives their Keychain directory and logs them out, so on login they create a new Keychain. If there was anything in the Keychain directory they need later, it's in the .zip archive. I try to do double checking to be sure we are only dealing with the currently logged in user. There are likely other considerations or improvements that could be made, but this is what's been working for us so far.

#!/bin/bash

# Script name: KeychainArchiveSelfService.sh

# This script will archive and delete a user's Keychain directory.
# Set this up so the user runs it via Self Service; don't use it as an automated script.
# To do this in an automated way you would need to iterate through all user directories.

# Self Service setup
# Make this an ongoing tool and don't use any triggers.
# Set the Restart Options to restart immediately if the user is logged in.
# The script is set to run before any other items.
# Be sure you set this up as a Self Service tool and add a description to
# warn the user that they should not use this tool without being advised to
# do so by support staff. We try to make it as safe as possible if they do
# run it without our advice. Also warn that this will restart their machine.
# In testing you may find other ways you prefer to use this.


# create a log directory if it doesn't exist so you can keep track of the script actions
[ -d /var/log/ManagementLogs ] || mkdir /var/log/ManagementLogs
keychainfixlog="/var/log/ManagementLogs/keychainfix.log"

# Get the currently logged in user from Casper (policy scripts receive the username in $3).
casperCurrentUser=$3

# Use this info to be sure the current user is the logged-in user.
# May be a bit over the top and may duplicate what $3 does, but I'm doing it anyway:
# if the script is not run by the user from Self Service there could be problems.
# Found at https://macmule.com/2014/11/19/how-to-get-the-currently-logged-in-user-in-a-more-apple-approved-way/
# (Needs a Python with the PyObjC SystemConfiguration bridge, as Apple's system Python had.)
loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

# now check that the Casper user and the actual logged-in user are the same
# run the archive and delete if usernames match, otherwise exit
# this should also help prevent the script being used in an automated run

if [ -n "$casperCurrentUser" ] && [ "$casperCurrentUser" == "$loggedInUser" ]; then

    # usernames match so let's archive then delete the user's Keychain
    # also make notes in a log file
    printf "\n$(date +"%Y %b %d %T") - Keychain archive and removal is being run for $casperCurrentUser.\n" >> "$keychainfixlog"
    # echo for Casper policy log
    echo "Keychain archive and removal was started for $casperCurrentUser."

    # check that we actually have a directory to do something to before doing it
    # if the user is logged in there should be a directory, just another safety check
    if [ -d "/Users/${casperCurrentUser}/Library/Keychains" ]; then

        # zip the Keychain directory, date it and put the archive in the user's ~/Documents
        zipfile="/Users/${casperCurrentUser}/Documents/Old_Keychain-$(date +%y%m%d_%H%M%S).zip"
        zip -r "$zipfile" "/Users/${casperCurrentUser}/Library/Keychains" >> "$keychainfixlog"
        # Self Service runs this as root, so hand the archive to the user
        # (otherwise they end up with a root-owned zip in their own Documents folder)
        chown "$casperCurrentUser" "$zipfile"
        # add log info for this step
        printf "$(date +%T) Removing /Users/${casperCurrentUser}/Library/Keychains folder and contents\n" >> "$keychainfixlog"
        # now remove the old Keychain directory and log the activity
        # If something is deleted by accident it's in the .zip file
        rm -rf "/Users/${casperCurrentUser}/Library/Keychains" 2>> "$keychainfixlog"
        # echo for Casper policy log
        echo "Keychain archive and removal was run for user $casperCurrentUser. Check log $keychainfixlog for details."
        exit 0
    else
        printf "$(date +%T) No Keychains directory found at /Users/${casperCurrentUser}/Library/Keychains\n" >> "$keychainfixlog"
        exit 1
    fi

else
    printf "\n$(date +"%Y %b %d %T") casperCurrentUser - $casperCurrentUser - is not the same as loggedInUser - $loggedInUser -\n" >> "$keychainfixlog"
    echo "casperCurrentUser - $casperCurrentUser - is not the same as loggedInUser - $loggedInUser -"
    exit 1
fi

exit 0
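The archive-and-delete script above throws away every saved password to get out of the locked-keychain state. What Keychain Minder (and the login-window dialog) actually does is re-key the existing login keychain from the old password to the new one, and the `security` tool exposes that operation as `security set-keychain-password -o OLD -p NEW KEYCHAIN`. The script below is an added example of that less destructive path, not code from this thread, from Keychain Minder, or from Jamf. It assumes the Jamf convention that the username arrives in `$3`, the `login.keychain-db` file name (falling back to the older `login.keychain`), an `osascript` password dialog in the user's session, and function names of my own choosing; it only archives nothing and returns 2 when the old password does not match, which is the point at which marck's archive tool is the right fallback.

```bash
#!/bin/bash
# keychain_resync.sh (added example; not from the thread or any of its tools)
#
# Re-key the user's login keychain to the account's CURRENT password with
# `security set-keychain-password` instead of archiving and deleting it.
# Jamf runs policy scripts as root with the username in $3; the same script
# can be run by hand as:  ./keychain_resync.sh --run <username>
set -u

# Path of a user's login keychain. Assumes the login.keychain-db name used
# since macOS 10.12; older systems used login.keychain (handled in main).
login_keychain_path() {
    printf '/Users/%s/Library/Keychains/login.keychain-db\n' "$1"
}

# Refuse usernames we must never act on as root: empty, the login window
# placeholder, root and Setup Assistant, or anything that is not a plain
# account name (path separators, leading dots, whitespace).
is_usable_console_user() {
    case "$1" in
        ""|loginwindow|root|_mbsetupuser) return 1 ;;
        */*|.*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Console user via scutil (no Python dependency, unlike the script above).
console_user() {
    echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Run a command as the target user when we are root (Self Service), else as ourselves.
run_as_user() {
    u="$1"; shift
    if [ "$(id -u)" -eq 0 ]; then sudo -u "$u" "$@"; else "$@"; fi
}

# Hidden-input password dialog in the user's session; prints the entered text.
ask_password() {
    run_as_user "$1" osascript -e "display dialog \"$2\" default answer \"\" with hidden answer buttons {\"Cancel\",\"OK\"} default button \"OK\"" 2>/dev/null \
        | sed -n 's/.*text returned://p'
}

# Returns 0 on success, 1 on a precondition failure, 2 if the old password was wrong
# (the keychain is left untouched; only then fall back to archiving it).
main() {
    user="${1:-}"
    [ -n "$user" ] || user="$(console_user)"
    if ! is_usable_console_user "$user"; then
        echo "no usable console user ('$user'), aborting" >&2; return 1
    fi
    kc="$(login_keychain_path "$user")"
    [ -f "$kc" ] || kc="${kc%-db}"          # pre-10.12 file name
    [ -f "$kc" ] || { echo "no login keychain for $user" >&2; return 1; }

    old="$(ask_password "$user" "Enter your PREVIOUS password (the one your keychain still uses):")"
    [ -n "$old" ] || return 1
    new="$(ask_password "$user" "Enter your CURRENT account password:")"
    [ -n "$new" ] || return 1

    # Passwords go on argv here because Self Service has no terminal, so they are
    # briefly visible in `ps`. Without -o/-p, security prompts on the tty instead.
    if run_as_user "$user" security set-keychain-password -o "$old" -p "$new" "$kc" 2>/dev/null; then
        run_as_user "$user" security unlock-keychain -p "$new" "$kc" \
            && echo "login keychain for $user now uses the current account password"
    else
        echo "previous password did not match the keychain; nothing changed" >&2
        return 2
    fi
}

# Only act when given a username explicitly (manual --run <user>) or by Jamf ($3);
# sourcing the file or running it with no arguments just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main "${2:-}"
elif [ -n "${3:-}" ]; then
    main "$3"
fi
```

Because the re-key only succeeds when the user can still produce the previous password, this can be offered first in Self Service with the archive tool as the second step; users who cannot remember the old password lose nothing they had not already lost, and everyone else keeps their saved credentials.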