Remove 802.1x Keychain entry - Terminal

Michael_Klos
New Contributor

I'm sure there's a way to do this... is there a way to remove a specific Keychain entry for an 802.1x password in a user's account? What is happening is our users' passwords expire every 90 days, so when they change their password the Mac keeps trying with the old password and locks them out of the wireless system for a while for too many bad password attempts. If I could just create a small script to remove that specific entry and maybe place it in Self Service for users to run, I think that would be very helpful to them.

 

Any thoughts would be great! 

 

If there's anything I can clarify just let me know. 

 

Thank you 

3 REPLIES

mm2270
Legendary Contributor III

Yes, it's possible to do this using the security command. But I have to ask, regarding this:

 


If I could just create a small script to remove that specific entry and maybe place it in Self Service for users to run I think that would be very helpful to them. 

If they have lost access to your WiFi connection, it wouldn't be possible for them to run a Jamf Self Service policy most likely, as any policies run from Self Service need a connection back to the Jamf server. So, this is something you might have to think about or consider.

Anyway, the first thing you'd need to do is examine one of those keychain entries to get some details about it. There are a few types of saved password items that can be in Keychain Access, so getting some details about how this one shows up may be important. Things like the "Name", "Kind" and "Account" strings for starters.

The users are typically docked with an ethernet connection or they could even connect to the guest WiFi network to run the Self Service policy. I'd rather the user has their own ability to run this versus us having to do something for them every 90 days. 

This is located in the login section of Keychain under Passwords. The kind is an 802.1x Password as it says in Keychain. The Where is marked as: com.apple.network.eap.user.item.wlan.ssid.v131
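An added example, not code from any poster in this thread, of the security-command approach described above: it removes the stale 802.1X item for one SSID from the console user's login keychain. It assumes the item is a generic password whose "Kind" is "802.1X Password" and whose "Where" (service) follows the com.apple.network.eap.user.item.wlan.ssid.<SSID> pattern shown in the reply above; the inspect action lets you confirm those attributes on a real Mac before deleting anything.

```shell
#!/bin/sh
# Added example (not from the thread). Deletes the saved 802.1X password item
# for one SSID so the Mac stops retrying an expired password and tripping the
# RADIUS bad-password lockout. Assumed attribute values; verify with "inspect".
KIND="802.1X Password"
SERVICE_PREFIX="com.apple.network.eap.user.item.wlan.ssid"

# Service ("Where") attribute for an SSID. Pure helper, safe to run anywhere.
eap_service_name() {
    printf '%s.%s\n' "$SERVICE_PREFIX" "$1"
}

# Owner of the login keychain being edited. A Jamf Self Service policy runs
# its script as root, so $USER would be wrong; use the console session owner.
console_user() {
    stat -f '%Su' /dev/console
}

# The exact security(1) command line as a string, for a dry run or a log.
# Matching on Kind and Where only: the Account may be a domain username that
# differs from the local account, so it is not used as a selector here.
delete_command() {
    printf 'security delete-generic-password -D "%s" -s "%s"\n' \
        "$KIND" "$(eap_service_name "$1")"
}

# Show the item's attributes without revealing the secret (no -g or -w flag).
inspect_item() {
    user="$(console_user)"
    sudo -u "$user" security find-generic-password -D "$KIND" -s "$(eap_service_name "$1")"
}

# Delete as the console user so the user's (unlocked) login keychain is searched.
delete_item() {
    user="$(console_user)"
    sudo -u "$user" security delete-generic-password -D "$KIND" -s "$(eap_service_name "$1")"
}

# Usage: script.sh inspect <SSID> | dry-run <SSID> | delete <SSID>
# With no arguments nothing is executed, so the helpers can be sourced or tested.
case "${1:-}" in
    inspect) inspect_item "$2" ;;
    dry-run) delete_command "$2" ;;
    delete)  delete_item "$2" ;;
esac
```

After the item is removed the next connection attempt prompts the user for the new password; a successful delete exits 0, and a missing item makes security exit non-zero, which Jamf will show as a failed policy.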

jpiperbe
New Contributor

I believe that if you remove the preferred network it should also remove the saved credentials from keychain. As such, you should be able to have a script that uses networksetup to remove the preferred network and credentials and re-adds the network at the top of their list.

I'm not somewhere where I can test this right now (no WPA2 Enterprise wireless networks until tomorrow morning) but:

# Find the Wi-Fi interface name (e.g. en0): -A 1 prints the "Device:" line that follows "Wi-Fi"
wifiDeviceName=$(networksetup -listallhardwareports | grep -A 1 "Wi-Fi" | tail -n 1 | awk -F 'Device: ' '{print $2}')
# Forget the network; this should drop the saved 802.1X credentials with it
networksetup -removepreferredwirelessnetwork "$wifiDeviceName" "<network name>"
# Re-add it at index 0 (top priority) as a WPA2 Enterprise network
networksetup -addpreferredwirelessnetwork "$wifiDeviceName" "<network name>" 0 WPA2E

I believe that the user will be prompted for their credentials once it tries to re-connect. I know the remove network works. The 0 in the last line puts the preferred network at the top of the list in priority above any guest networks or home networks.