Query for Keychain Errors


Hello Everyone,

We administer MacBooks to a few hundred teachers across 12 different sites. As such, we have become accustomed to the Keychain on login error message that occurs when a password has been changed via our SSO. Within the past year we have implemented Enterprise Connect, but still run into the occasional machine having Keychain problems.

Is there a way to query via smart group a list of machines that are having this error? I was thinking either utilizing an Extension Attribute or possibly a script that can return a value that says whether or not the keychain is accessible.

Thank you!


New Contributor III

Be careful, this Keychain behaviour changes with latest macOS High Sierra releases… system will not ask anything anymore as we were used to, and it will create a new one.
And anyway at this time it looks hard to know if a session is in this situation or not.
The only way I know is to get properties of actual login keychain with :

security show-keychain-info ${HOME}/Library/Keychains/login.keychain

if an answer is displayed, the keychain is unlocked and available… if it prompts for the password, it means the keychain
1. have been locked by timeout, or
2. didn't get unlocked at session login.
Don't know if it can help… it is not a very good (silent) way.

New Contributor III

You can also try to check if the keychain is accessed (or modified…%m) or not :


now=$(/bin/date '+%s')
keychainTime=$(/usr/bin/stat -f"%a" "${myKeychain}")

if [ $((now - keychainTime)) -gt 900 ]; then printf " Login Keychain has not been acceded for a long time. Is it not synced with session login credentials? "

 echo "<result>True</result>"