Posted on 04-08-2018 09:24 PM
Hello Everyone,
We administer MacBooks to a few hundred teachers across 12 different sites. As such, we have become accustomed to the Keychain on login error message that occurs when a password has been changed via our SSO. Within the past year we have implemented Enterprise Connect, but still run into the occasional machine having Keychain problems.
Is there a way to query via smart group a list of machines that are having this error? I was thinking either utilizing an Extension Attribute or possibly a script that can return a value that says whether or not the keychain is accessible.
Thank you!
Posted on 04-09-2018 05:08 AM
Hi
Be careful, this Keychain behaviour changes with the latest macOS High Sierra releases… the system will not ask anything anymore as we were used to, and it will create a new one.
And anyway at this time it looks hard to know if a session is in this situation or not.
The only way I know is to get the properties of the actual login keychain with:
security show-keychain-info ${HOME}/Library/Keychains/login.keychain
If an answer is displayed, the keychain is unlocked and available… if it prompts for the password, it means the keychain
1. has been locked by timeout, or
2. didn't get unlocked at session login.
Don't know if it can help… it is not a very good (silent) way.
Posted on 04-09-2018 05:43 AM
You can also try to check if the keychain is accessed (or modified… %m) or not:
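#!/bin/sh
# Path to the current user's login keychain
myKeychain=${HOME}/Library/Keychains/login.keychain-db
# Current time and the keychain's last access time, both in epoch seconds
now=$(/bin/date '+%s')
keychainTime=$(/usr/bin/stat -f"%a" "${myKeychain}")
# Report when the keychain has not been accessed in the last 900 seconds
if [ $((now - keychainTime)) -gt 900 ]; then
    printf "
Login Keychain has not been accessed for a long time. Is it not synced with session login credentials?
"
    echo "<result>True</result>"
fi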
Maybe…
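An added example, not code from any poster in this thread: the access-time check above written as a Jamf Pro extension attribute. Extension attributes run as root, so `${HOME}` is not the logged-in user's home and the console user has to be resolved first. The function names and the result strings (`Stale`, `Recent`, `Missing`, `Unknown`, `No user logged in`) are assumptions chosen here for use as smart group criteria, and a stale access time is only a hint, not proof that the keychain is out of sync.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf Pro extension attribute.
# Runs as root, so the console user's home is looked up explicitly.
THRESHOLD=900   # seconds, same window as the script in the thread

# Classify from two epoch values; pure shell so it can be checked anywhere.
classify_age() {  # $1=now  $2=last access  $3=threshold
    if [ $(( $1 - $2 )) -gt "$3" ]; then echo "Stale"; else echo "Recent"; fi
}

keychain_status() {  # $1=keychain path  $2=now (epoch seconds)
    [ -f "$1" ] || { echo "Missing"; return 0; }
    atime=$(/usr/bin/stat -f "%a" "$1") || { echo "Unknown"; return 0; }
    classify_age "$2" "$atime" "$THRESHOLD"
}

report() {
    # Owner of /dev/console is the user of the active GUI session.
    user=$(/usr/bin/stat -f "%Su" /dev/console)
    case "$user" in
        ""|root|loginwindow|_mbsetupuser) echo "No user logged in"; return 0 ;;
    esac
    home=$(/usr/bin/dscl . -read "/Users/$user" NFSHomeDirectory | /usr/bin/awk '{print $NF}')
    keychain_status "$home/Library/Keychains/login.keychain-db" "$(/bin/date '+%s')"
}

# Only query the system on macOS; the helpers above have no macOS dependency.
if [ "$(uname -s)" = "Darwin" ]; then
    echo "<result>$(report)</result>"
fi
```

A smart group can then match on the extension attribute value `Stale` or `Missing`.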