Posted on 05-08-2019 11:27 PM
Hi everyone,
I was told Apple finally fixed AD password syncing issues on macOS 10.14.4 several days ago, which I thought was great. (https://support.apple.com/en-us/HT209149#macos10144)
However, I confirmed a new issue while using 10.14.4: if I change my AD password outside of the Mac and use the new password to log in, normally it will require me to input the old password to update the keychain. This time, it did notify me about it, but there was no step to input the old password even when I chose "Update Keychain Password"; it then created a new keychain for me. As my company needs a cert to connect to Wi-Fi, this is pretty annoying.
If anyone has the same situation, you can try recovering your keychain by finding it in ~/Library/Keychains/XXXXXXX
Everything worked perfectly if I changed the password on the Mac, which the IT department does not recommend.
I would appreciate it a lot if anyone can offer Apple's explanation (links or mail reply) about it. A solution would be even better.
Posted on 05-08-2019 11:49 PM
Interesting, as I have tested almost every single 10.14.4 password situation except for this one. I don't think I ever actually clicked "Update" to see if it worked.
I will test this out tomorrow.
You can take a look at all my testing on the Active Directory and local accounts fixes in 10.14.4:
https://mrmacintosh.com/category/local-accounts/
https://mrmacintosh.com/category/ad-mobile-accounts/
Posted on 05-08-2019 11:58 PM
Apple has confirmed that this is a known issue / bug / defect of 10.14.4. I'd suggest raising an Enterprise ticket with Apple and adding your +1 to this defect. So far I have no bug ID, but you can add your case to ours: 20000049607662
Posted on 05-09-2019 09:54 PM
Thanks for posting this, I have investigated and have also confirmed the issue. I wrote about it and posted a workaround for restoring the old login keychain.
https://mrmacintosh.com/10-14-4-update-breaks-update-keychain-password/
I also included an open radar.
Posted on 05-10-2019 11:20 AM
@hawkzhang45 & @m.entholzner & @ClassicII
What I have never understood about this whole process is the need to have an end user enter their old Active Directory created keychain password to change to their new Active Directory created keychain password, and not lose any of their keychain data. As someone that works in a place in a Helpdesk capacity, I must assist users in changing their forgotten passwords. The need for an end user to know and enter their old password defeats the purpose of helping an end user change to a new password if they cannot remember their old password, which was the reason that they called the Helpdesk for help in the first place.
Posted on 05-15-2019 12:50 PM
lol, I have met the same problem, hoping somebody can help!!!
Posted on 05-15-2019 10:39 PM
@ClassicII, Apple told me that they don't disclose internal bug IDs... but as this is a known issue, you should be able to just set your +1 on this issue. But they also confirmed that this is not fixed in 10.14.5 - let's hope for 10.14.6...
Posted on 05-16-2019 01:53 AM
Working on it
Posted on 05-17-2019 08:34 AM
Not seeing any movement on the bug report so I filed an Enterprise Support Ticket this morning.
Posted on 05-17-2019 08:36 AM
Just saw your post now, awesome work on the script! Let me test it out and see if it works.
Posted on 05-20-2019 05:27 PM
We also opened an Enterprise Support Ticket today to request Apple to include the fix in macOS 10.14.6 beta.
Posted on 07-03-2019 06:58 PM
Heads up,
This fix is not looking good for making it into 10.14.
The latest word is it's fixed in 10.15 beta 2.
If this is important to your organization, you better talk with Apple now.
Posted on 07-07-2019 02:25 PM
Thanks for your heads-up, @ClassicII.
We also contacted Apple Enterprise Support to request to bring this fix to macOS 10.14.6.
Posted on 07-08-2019 01:23 PM
I've also opened an Enterprise support case regarding this issue with hopes they'll resolve it in 10.14.6.
Posted on 07-08-2019 03:04 PM
I can confirm that the keychain password is updated properly in the latest 10.15 beta. Waiting for a response from Apple about making the fix available to 10.14.6.
Posted on 07-08-2019 11:22 PM
Same for us... we've also requested this to be fixed in 10.14.6 too.
Posted on 07-24-2019 05:32 AM
Has anyone had a chance to test 10.14.6 yet? Did Apple fix it? We have a ticket open with Apple support but they have yet to answer the question on 10.14.6...
Posted on 07-25-2019 06:37 AM
There was no fix included in the latest beta - maybe this changed in the release version, but I fear this is still not fixed :(
Posted on 07-25-2019 07:31 AM
I am always amazed how long it takes Apple to fix something. This makes the enterprise support quite a bad deal :(
Posted on 09-05-2019 11:54 AM
Hi All,
Has there been any more movement on this topic?
We have been testing the latest Jamf Connect Verify KeychainItems key with the latest 10.15 beta but don't seem to be getting any luck with updating specified keychain items.
Posted on 09-05-2019 05:47 PM
We've had an enterprise support ticket open on this issue ever since it was discovered. It's been fixed in the Catalina betas, but we've been told that it won't be backported to Mojave. Unfortunate.
Luckily, @ClassicII's instructions for restoring the original Keychain work like a charm. It's too bad that it's just a little labor intensive.
Posted on 06-04-2020 11:37 AM
Super frustrated by this - which would seem to be a fairly straightforward fix, esp. on managed devices. Apple's now releasing security updates for Mojave that REMOVE FEATURES (e.g. the --ignore option) and ADD FEATURES (ability to understand MDM profile "Major Update" deferral) and are large enough to practically be a complete OS installation, but it does not bother to implement what likely is a trivial bug fix, thereby offloading on macOS support teams an extensive effort. I shouldn't have to update my users to Catalina - which is its own bag of hurt for many kinds of user-facing prompts for permissions and access that cannot be managed - to resolve this bug. Apple ought to patch it in Security Update 2020-004 for macOS Mojave.
Open tickets with Apple Enterprise support. Make your voices heard.
Posted on 07-17-2020 02:20 AM
And not even fixed in 2020-004 :(