Posted on 07-20-2011 12:12 AM
Hello,
I work for a company that uses Active Directory. The Macs are managed
through JAMF. Network passwords for all users are forced to be changed by
AD on a regular basis. Every time this happens, the passwords for keychain
entries must be manually re-entered. Is there any way to use JAMF to manage
this so that once a network password is reset it also updates the keychains
using the same password?
Regards,
JL
Posted on 07-20-2011 12:21 AM
How are the users changing the password? If you change it through the System Preferences dialog in Accounts, it will manage it for you. If, however, you have to change the password through some webpage, then you get to have the users manage it themselves, AFAIK.
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
Posted on 07-20-2011 12:25 AM
This is what we see too. Most of our users use Outlook Web Access to change their password. We tell them to click "New Keychain" when logging in, and no real issues with that.
Posted on 07-20-2011 12:25 AM
We use Keychain Minder (http://bit.ly/pN5bOU) as a login item for our users.
It works, for the most part, and then we educated the users on how to change
their Keychain password if necessary.
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
Posted on 07-20-2011 12:31 AM
If you change at the login window the users will be asked to update their keychain password. But I think the wording is confusing.
As such, I still deploy AFP548's Keychain Minder & run it at login.
Gives the users another prompt & one that's better worded.
Regards,
Ben.
Posted on 07-20-2011 02:53 PM
Thanks so much to everyone that replied. It's impressive how quick and kind
you all are.
I don't think I provided enough detail in my initial message. Let me give
an example of one of the problems I'm running into. When the password in AD
gets reset, so does the email password. For Entourage users, this means
they get prompted again for a keychain password as the keychain in login
still contains the old password. I'd like to synchronize keychain items
like the one for Entourage with the network password without the user having
to re-enter anything.
--missing content--
doing it through JAMF.
If anyone has anything else to add it is much appreciated.
Regards,
JL
Posted on 07-20-2011 04:28 PM
For that, use Kerberos instead of a saved password in the keychain. If your AD environment is working properly, clients should get tickets. Configure Entourage/Outlook to use Kerberos, and it should work. "Should."
Posted on 07-20-2011 05:26 PM
Sent that from the grocery store…
Apart from using Kerberos, you're looking at manual changes to keychain entries.
If you know the users' previous and current passwords, you can programmatically change them with the /usr/bin/security command. It's not likely you have those details, though.
Aside from scripting this type of change yourself, JAMF/Casper offers nothing special to deal with the issue.
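What scripting that change with /usr/bin/security looks like, as an added example that is not code from this thread or from JAMF. It assumes the 10.6/10.7-era `security` CLI (`set-keychain-password`, `unlock-keychain`, `dump-keychain`, `add-internet-password -U`) and the plain-text attribute format `dump-keychain` prints; the sample dump below is constructed, not captured from a real machine. It needs both the old and the new password, which is exactly the detail the post above says you usually do not have.

```python
"""Rotate a user's login keychain and the internet-password items saved in it.

Added example for the thread above (not JAMF or Apple code). Assumes the
10.6/10.7-era /usr/bin/security tool; the sample dump is constructed.
"""
import re
import subprocess
import sys

# Constructed `security dump-keychain` output: two internet items (IMAP and
# SMTP, the kind Entourage creates) plus one generic item that must be left alone.
SAMPLE_DUMP = '''\
keychain: "/Users/jl/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="mail.example.com (jl)"
    "acct"<blob>="jl"
    "ptcl"<uint32>="imap"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/jl/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="jl"
    "ptcl"<uint32>="smtp"
    "srvr"<blob>="smtp.example.com"
keychain: "/Users/jl/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="jl"
    "svce"<blob>="Some App"
'''

# Attribute lines look like   "acct"<blob>="jl"   or   "ptcl"<uint32>="imap"
ATTR_RE = re.compile(r'^\s*"(acct|srvr|ptcl)"<\w+>="([^"]*)"\s*$')


def parse_internet_items(dump_text):
    """Return [{'account', 'server', 'protocol'}, ...] for every class "inet" item."""
    items = []
    record = None

    def flush():
        if record and record.get('class') == 'inet':
            items.append({'account': record.get('acct', ''),
                          'server': record.get('srvr', ''),
                          'protocol': record.get('ptcl', '')})

    for line in dump_text.splitlines():
        if line.startswith('keychain:'):     # each item starts with its keychain path
            flush()
            record = {}
            continue
        if record is None:
            continue
        if line.startswith('class:'):
            record['class'] = line.split('"')[1]
        else:
            m = ATTR_RE.match(line)
            if m:
                record[m.group(1)] = m.group(2)
    flush()
    return items


def build_update_argv(item, new_password, keychain):
    """argv that overwrites an existing item in place (-U) instead of failing on it."""
    return ['/usr/bin/security', 'add-internet-password',
            '-a', item['account'], '-s', item['server'], '-r', item['protocol'],
            '-w', new_password, '-U', keychain]


def build_keychain_password_argv(old_password, new_password, keychain):
    """argv that re-keys the keychain file itself (what the login window offers to do)."""
    return ['/usr/bin/security', 'set-keychain-password',
            '-o', old_password, '-p', new_password, keychain]


def rotate(account, old_password, new_password, keychain,
           run=subprocess.check_call, dump_fn=None):
    """Re-key the keychain, then update every internet item saved under `account`.

    `run` and `dump_fn` are injectable so the flow can be exercised off macOS.
    Returns the (server, protocol) pairs that were updated.
    """
    if dump_fn is None:
        dump_fn = lambda kc: subprocess.check_output(
            ['/usr/bin/security', 'dump-keychain', kc]).decode('utf-8', 'replace')
    run(build_keychain_password_argv(old_password, new_password, keychain))
    # Items can only be modified while the keychain is unlocked with its new password.
    run(['/usr/bin/security', 'unlock-keychain', '-p', new_password, keychain])
    updated = []
    for item in parse_internet_items(dump_fn(keychain)):
        if item['account'] != account:
            continue                      # leave items saved for other identities alone
        run(build_update_argv(item, new_password, keychain))
        updated.append((item['server'], item['protocol']))
    return updated


if __name__ == '__main__':
    import getpass
    if len(sys.argv) != 3:
        sys.exit('usage: %s <ad-account> <keychain-path>' % sys.argv[0])
    old_pw = getpass.getpass('Old password: ')
    new_pw = getpass.getpass('New password: ')
    for server, proto in rotate(sys.argv[1], old_pw, new_pw, sys.argv[2]):
        print('updated %s (%s)' % (server, proto))
```

Two caveats a practitioner should keep in mind: the `security` tool takes the passwords on its command line (`-o`, `-p`, `-w`), so they are briefly visible to anyone who can run `ps` on the machine, and the `-U` update rewrites an item that another application created, so that application may prompt once for access the next time it opens the item. Neither is a reason not to use this, but both are reasons not to leave it in a policy that runs unattended with a password embedded in it.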
Posted on 07-20-2011 05:33 PM
One of the projects I'm working on is intended to handle all of these situations, without requiring a working Kerberos setup. It will take me a long time though. Here are a couple screenshots I made:
I'm operating on the principle that Single Sign-On can be successfully set up with relative ease if the application doing the setup has access to the user's current password. At the moment, I'm just researching this, and trying to get Python access to the Keychain (grrrrrr....). I'll let you know when I have something workable, but keep in mind you will need to customize it almost completely for your environment.
Still not sure whether I want to keep the Skip button in there or not...
Posted on 07-21-2011 06:22 AM
Thank you very much, Nate. This information is helpful and appreciated.
Thanks again to everyone that replied.
Regards,
JL