Jamf Nation Community

Hey Kenny,

Have you tried the "security" command? Seems like it may do the job for you. Something like:

security set-keychain-password -o oldPassword -p newPassword /Users/<username>/Library/Keychains/login.keychain

Haven't done this myself but I believe it should work. Collecting the input via AppleScript (or CocoaDialog) and passing it to bash shouldn't be too tall an order.

Thanks,
Brian

Hey Brian...good to 'see' you.

It's certainly an option if I can't do it this other way.

CocaDialog is nice but I can't make it as "pretty" as Apple does. I like having the logo and layout with all three fields (Old Password, New Password, and Verify) in one screen. Plus it keeps it all directly through Keychain Access and I don't need to pass anything typed by the user from one place to the other.

Cheers!

I believe I figured it out. I'm sure I'll tweak it some and maybe add a little bit of logic to make sure it works but this is what I have in case anyone else wants something similar. You will need to sure you enable GUI Scripting for this to work.

tell application "Keychain Access" to activate
tell application "System Events"
    tell process "Keychain Access"
        select row 1 of outline 1 of scroll area 1 of splitter group 1 of splitter group 1 of window "Keychain Access"

        delay 2

        click menu item "Change Password for Keychain “Login”…" of menu "Edit" of menu bar 1
    end tell
end tell

EDIT: Here is a link that talks about enabling GUI Scripting in Mavericks. It's focused on ADPassMon but it will work for other apps as well. http://work.chrisdietrich.de/enabling-accessibility-for-adpassmon-in-mavericks/

@krichterjr][/url - glad you got that figured out, but, just curious. Why not script this to open System Preferences > Users & Groups and click the "Change Password…" button there? I assume users would be more familiar with and therefore more comfortable with System Preferences over something like Keychain Access. And you can get the same "Old Password" "New Password" and "Verify" fields as in Keychain Access. No need to mess with selecting the right keychain item.

tell application "System Preferences"
    activate
    set the current pane to pane id "com.apple.preferences.users"
    reveal anchor "passwordPref" of pane id "com.apple.preferences.users"
    tell application "System Events"
        tell process "System Preferences"
            click button "Change Password…" of tab group 1 of window 1
        end tell
    end tell
end tell

@mm2270
I built that same script as well thinking that would be the best experience for our users. However, our 'supported' way is for user's to change their password was through a separate identity management system that propagates to all of our systems and back down to the computer. So this will be an easy way for them to 'fix' their Keychain. I agree though, System Preferences would be a prefered method.

Putting this here for any ADPassMon users who need to add it to the Accessibility pref pane.

#!/bin/bash

# Created by Jason Bush 3/6/2014
#
# Enabling Accessibility for ADPassMon in Mavericks
#
# http://work.chrisdietrich.de/enabling-accessibility-for-adpassmon-in-mavericks/

os=$(sw_vers -productVersion | awk -F. '{print $2}')

    echo $os

if [[ ${os} -ge 9 ]]; then

sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "delete from access where client='org.pmbuko.ADPassMon';"

sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','org.pmbuko.ADPassMon',0,1,1,NULL);"

    else

echo "You are not running Mavericks"

fi

@jhbush1973 ...could you describe this process for Script Editor (adding it to the accessibility pane)? Everything I am googling shows me GUI-only 😞

@rseys can you expand what you're looking to do?

Hey @bentoms ! In my particular case, I am looking to enable "Script Editor (AppleScript)" to the assistive devices in Yosemite. Or in other words, I want to enable the checkbox next to Script Editor in SysPrefs > Security & Privacy > "privacy" tab ...

Using your logic that was created for ADPassMon, the syntax (and variations) I've attempted is this:

sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','/Applications/Utilities/Script Editor',1,1,1,NULL)"

But that doesn't seem to do the trick...I feel like I am just overlooking something obvious

@rseys I believe when adding items into the Accessibility settings like that, you need to use the app's Bundle Identifier, not the application path. So doing the following on AppleScript Editor.app

defaults read /Applications/Utilities/AppleScript Editor.app/Contents/Info.plist CFBundleIdentifier

I get:
com.apple.ScriptEditor2

Try replacing:
`'/Applications/Utilities/Script Editor' in your script line above with:
'com.apple.ScriptEditor2'
and see if it works then.

@rseys Have you seen my ADPassMon fork?

It can be used without enabling access to accessibility.

@bentoms

I have read about it yes and it looks like a phonemail tool! Unfortunately, my task here is to exhaust built-in options (without 3rd party solutions) before proceeding down that road. If I can't get AppleScripting to do what I want it to do, rest assured that ADPassMon is next on my list!

@mm2270

I'm giving that a shot right now! Thank you sir (and you also answered how you found it...it's helpful. Thanks)

EDIT: @mm2270 works perfectly -- thanks for not only the help but the rhyme/reason behind it!

Anyone else getting an error message that this script is unable to access /Library/Application Support/com.apple.TCC/TCC.db on 10.10? Worked flawlessly until now. 😐