Okta Device Trust script error accessing default keychain

beeboo
Contributor

Using a newly drafted Okta Device Trust script, this is the issue that some users are running into:

ERROR: Error in accessing default keychain

Originally it was an issue with python and python3, but that has been resolved. However, even after running the following command, the user still sees the okta keychain in Keychains, though it's grey with all actions also greyed out, but the user can see the okta-db file when running security list-keychains:
sudo security delete-keychain "/Users/$user/Library/Keychains/okta.keychain-db"

I ran the above during an ssh session but even after closing and reopening the Keychains app it still shows up, which is troubling.

Tried confirming the deletion, and from the SSH session at least it shows it's gone:
sudo security delete-keychain /Users/$user/Library/Keychains/okta.keychain-db
security: SecKeychainDelete: The specified keychain could not be found.

Running "sudo ls /Users/$user/Library/Keychains" shows that okta-db is now missing.

Even when trying to run list-keychains using the launchctl format, it only shows system.keychain:
sudo launchctl asuser 501 sudo -u $user security list-keychains "/Library/Keychains/System.keychain"

Any suggestions?

Thanks in advance!
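Here is one way to do the removal in the user's own keychain context, as an added example that is not part of the original post or of Okta's script. It assumes the greyed-out entry is a stale entry in the user's keychain search list (root's search list is what a plain sudo touches), that the console user's name and uid are known (the post used uid 501), and that it runs on macOS as root; the filter_search_list helper is pure and can be tried anywhere.

```shell
#!/bin/sh
# Added example: take a keychain out of the *user's* search list, then delete
# the file, running `security` as that user instead of as root.
KEYCHAIN_NAME="okta.keychain-db"   # keychain named in the post
USER_UID=501                       # console user's uid, as in the post (assumed)
USER_NAME="${USER_NAME:-jdoe}"     # console user's short name (assumed placeholder)

# Read `security list-keychains` output on stdin (one quoted, indented path per
# line) and print every path except those whose basename is $1, unquoted.
filter_search_list() {
    name="$1"
    while IFS= read -r line; do
        path=$(printf '%s' "$line" | sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//')
        [ -n "$path" ] || continue
        case "$path" in
            */"$name") ;;                   # the stale entry: drop it
            *) printf '%s\n' "$path" ;;     # keep everything else, in order
        esac
    done
}

# Run a command inside the console user's session, so `security` operates on
# that user's search list (same launchctl form the post already uses).
as_user() {
    sudo launchctl asuser "$USER_UID" sudo -u "$USER_NAME" "$@"
}

remove_user_keychain() {
    kc_dir="$(as_user sh -c 'printf %s "$HOME"')/Library/Keychains"
    remaining=$(as_user security list-keychains -d user | filter_search_list "$KEYCHAIN_NAME")
    # Rewrite the user-domain search list without the target keychain; split the
    # remaining paths on newlines only so paths containing spaces survive.
    old_ifs=$IFS
    IFS='
'
    set -- $remaining
    IFS=$old_ifs
    as_user security list-keychains -d user -s "$@"
    # Then delete the keychain file itself (a no-op if it is already gone).
    as_user security delete-keychain "$kc_dir/$KEYCHAIN_NAME" 2>/dev/null || true
    # Verify: the okta entry should no longer appear in the user's search list.
    as_user security list-keychains -d user
}

# Uncomment on macOS (as root) to run; the filter alone is safe to exercise anywhere.
# [ "$(uname)" = Darwin ] && remove_user_keychain
```

After it runs, reopen Keychain Access to confirm the greyed entry is gone; the search list, not the file on disk, is what that window reflects.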


jfriedman
New Contributor

From what I've seen, and what Okta has posted, it has to do with Python 3 not being installed.

The instructions Okta has here (https://support.okta.com/help/s/article/macOS-Device-Trust-Python-3-Support?language=en_US) aren't working in my case, as the script recognizes the Xcode command line tools being present and skips the install, but xcrun isn't present, and that's needed for Step 2.

Trying to figure out now how to deploy xcrun instead of having users accept Terminal pop-ups for the license agreement.

beeboo
Contributor

@jfriedmannetjets I think there's a catch-22 with xcrun, at least for CLT. When I ran it locally on my machine it asked me to install CLT before I could run that command, which seems a little backwards. I understand the xcrun command is to be used to accept the licenses if they weren't accepted during the initial install, or if a switch was/needs to be done between Xcode and the Xcode CLT.