Would anyone have any idea on how to script a logout hook to remove the entire login keychain of the user logged in?
Solved
Remove login Keychain logout hook
+8Best answer by davidacland
@m.higgins that would be:
#!/bin/bash
user=$(ls -la /dev/console | cut -d " " -f 4)
rm -rf /Users/$user/Library/Keychains/*
exit 0
+19#!/bin/bash
user=$(ls -la /dev/console | cut -d " " -f 4)
rm -rf /Users/$user/Library/Keychains/login.keychain
exit 0Ran as a policy triggered by Logout.
+8Thanks @dpertschi but this hasn't rectified my problem.
We have our managed clients bound to Active Directory, as soon as a user changes their AD password it flags up issues with the login keychain. I was hoping removing it on logout would rectify it but it doesn't
+18@m.higgins that would be:
#!/bin/bash
user=$(ls -la /dev/console | cut -d " " -f 4)
rm -rf /Users/$user/Library/Keychains/*
exit 0
+15what @davidacland said. You need delete more than just the login.keychain from the user's Keychains folder. There's a folder as well which is unique to the user.
We're looking to deploy ADPassMon in the near future to (hopefully) streamline the process a bit because we too use AD.
+17My version, which backs up the old one in case a need for it arises:
#!/bin/bash
#
# Deletes the user keychain folder.
backup_name="keychain_backup_`/bin/date +"%Y_%m_%d_%H%M"`.gz";
target_user=$3;
folder_path="$(/usr/bin/id -P $target_user | /usr/bin/cut -d: -f9)/Keychains/";
/usr/bin/ditto -ck "$folder_path" "$folder_path../$backup_name";
/bin/rm -rf "$folder_path";
/usr/bin/su $target_user -c "/bin/mkdir -p "$folder_path"";
+4Hello,
Quick question. To make this work, would I need to create a script out of the code above, then place it in the scripts part of the policy that I've created (after uploading it to the JSS of course)?
Thanks!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.