Managing 'Local Items' and/or 'iCloud' Keychain


Does anyone have any experience managing/modifying the 'Local Items'/'iCloud' keychains via the command line? I currently have a shell script, offered via Self Service, which utilizes the 'security' CLI to look at the login.keychain, find items that are likely domain credentials and then delete them. We've found, when run immediately following a password change, this has greatly reduced the incidence of domain accounts becoming locked due to automatic attempts to log into services with old credentials.

I can't seem to figure out any way to do something similar with the 'Local Items' or 'iCloud' keychains, which also store domain credentials in some of the items. That said, should I even be trying to do this? It appears that it will offer to auto-fill credentials but, unlike many of the login.keychain items, it doesn't seem like the credentials are auto-submitted without prompting first, so accounts shouldn't be being locked without some sort of prompt. Anyone have any thoughts/experience with this?
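One way to script the login.keychain cleanup described in the question, as an added example and not the poster's own script: it parses `security dump-keychain` text, lists items whose account looks like a domain account (dry run), and only deletes them through a separate step. It assumes the attribute layout that `security dump-keychain` prints, and the CORP / corp.example.com naming is a constructed placeholder; nothing here reaches the 'Local Items' or 'iCloud' keychain.

```shell
# Added example, not the poster's script. Parsing assumes the layout `security
# dump-keychain` prints: a "class:" line per item followed by "acct"/"srvr"/"svce"
# <blob> attributes. The CORP naming below is a constructed placeholder.
DOMAIN_PATTERN='^CORP\\|@corp\.example\.com$'

# stdin: dump-keychain text; stdout: "class<TAB>target<TAB>account" for each item
# whose account matches $1. Pure text processing, so the selection can be reviewed first.
find_domain_items() {
  PAT="$1" awk '
    function attr(l) { sub(/^[^=]*=/, "", l); gsub(/^"|"$/, "", l); return l == "<NULL>" ? "" : l }
    function flush() {
      if (acct != "" && acct ~ ENVIRON["PAT"]) {
        if (class == "inet" && srvr != "") print "inet\t" srvr "\t" acct
        if (class == "genp" && svce != "") print "genp\t" svce "\t" acct
      }
      class = acct = srvr = svce = ""
    }
    /^class:/       { flush(); gsub(/"/, "", $2); class = $2 }
    /"acct"<blob>=/ { acct = attr($0) }
    /"srvr"<blob>=/ { srvr = attr($0) }
    /"svce"<blob>=/ { svce = attr($0) }
    END             { flush() }'
}

# Delete each listed item. Run only after reviewing the dry-run listing, e.g.:
#   security dump-keychain login.keychain | find_domain_items "$DOMAIN_PATTERN" | delete_items
delete_items() {
  while IFS="$(printf '\t')" read -r class target acct; do
    case "$class" in
      inet) security delete-internet-password -a "$acct" -s "$target" ;;
      genp) security delete-generic-password -a "$acct" -s "$target" ;;
    esac
  done
}

# Constructed dump-keychain sample (keychain/version lines omitted): two domain items, one personal.
SAMPLE_DUMP=$(cat <<'EOF'
class: "inet"
    "acct"<blob>="CORP\jdoe"
    "srvr"<blob>="mail.corp.example.com"
class: "genp"
    "acct"<blob>="jdoe@corp.example.com"
    "svce"<blob>="Corp VPN"
class: "genp"
    "acct"<blob>="personal-user"
    "svce"<blob>="Some App"
EOF
)

# Dry run over the sample: lists the two domain items and skips the personal one.
printf '%s\n' "$SAMPLE_DUMP" | find_domain_items "$DOMAIN_PATTERN"
```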