Login.Keychain in 10.9.x

@Johnny.Kim, I've a write up on that at the following link. You should be able to use the information to amend your script.

http://macmule.com/2014/03/30/the-local-items-keychain-in-mavericks/

Bentoms,
Thanks for the write up, I'll take a look at it!

-John

We generally tell people to drag everything in ~/Library/Keychains to the trash and then restart, that fixes it. They can't delete the files because they are locked, and the OS will track that they were moved if they simply logout and log back in so the issue remains.

Apple really dropped the ball on this when they changed the keychain system for iCloud keychain sync. It's like they completely ignored use cases with network accounts where passwords are changed outside of the system. Even if the user remembers their previous password, they keep getting prompts.

On top of all that, RSA SecurID stores soft tokens on the login keychain, so we have to reissue those often after repairs.

Do your folks not leverage the keychain at all? We have certificates and preferences stored there, and losing them every 60 days with a password change would not be acceptable.

All of our certificates are stored on the System keychain, I do everything at the system level when it comes to Profiles and whatnot. Anything a user stores on their Login keychain is their business (website passwords, for example), and I always tell them if they need anything from their old keychain, it's still in the trash after they reboot. Nobody ever seems to care, RSA tokens are the only exception.

I moved everything to the System keychain for the reasons you mentioned, losing the Login keychain caused terrible support issues. You basically can't rely on the Login keychain anymore these days and need to make it expendable.

The local items keychain contains keychain items that can be synced via iCloud. So website logins etc.

Most of the time they are also present in the login.keychain, so it's safe to delete the local items keychain as I linked.

This issue is why I forked ADPassMon, as 10.9 is a pain with this new keychain.

Update: I am trying to keep things simple for end user. So far, this seen to work for my environment.

End user runs a policy on self service, which triggers a script to delete the entire keychain folder, prompts them to restart using cocoadialog and problem solved.

Is there a way to script this to delete the folder for all users and not just the currently logged in user? Would love to run this on a few labs that we upgraded to 10.9. Least amount of end user actions required.

Really I'd love to script this so it trashes the ~/Library/Keychains folder then auto selects create new keychain (instead of update keychain) for each user.

@Jonny.Kim Whats the version of the script your using?

Gabe Shackney
Princeton Public Schools

@gshackney I modified a script I believe I found here.

CD="/your/cocoadialog/location/CocoaDialog.app/Contents/MacOS/CocoaDialog"
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )

rm -f -r "/users/$loggedInUser/Library/Keychains"

if [ "$loggedInUser" != 'root' ]; then # Check if at the login window, if it is, the following code is skipped
#### CocoaDialog message box asking for the user to select restart
rv=`$CD msgbox --title "Restart Please" 
--text "To complete the Keychain Fix, a restart is required." 
--informative-text "It is important that you select Restart, but you may select Later to restart at a more convenient time." 
--no-newline --button1 "Restart" --button2 "Later" --float`
#### If the user selects restart, an apple script runs to run the Apple restart command. Gives the user a minute to cancel restart.
if [ "$rv" == "1" ]; then
echo "User selected Restart"
osascript -e 'tell application "loginwindow" to «event aevtrrst»'
elif [ "$rv" == "2" ]; then
echo "User selected Later"
exit
fi
else
echo "No User logged in. CocoaDialog not necessary"
fi