Help

Remove login Keychain logout hook

Go to solution
m_higgins
Contributor

Posted on ‎03-10-2016 09:42 AM

Would anyone have any idea on how to script a logout hook to remove the entire login keychain of the user logged in?

0 Kudos
Reply
2 ACCEPTED SOLUTIONS

Go to solution
davidacland
Honored Contributor II

Posted on ‎03-11-2016 03:21 AM

@m.higgins that would be:

#!/bin/bash

user=$(ls -la /dev/console | cut -d " " -f 4)
rm -rf /Users/$user/Library/Keychains/*

exit 0

View solution in original post

0 Kudos
Reply

Go to solution
joshuasee
Contributor III

Posted on ‎03-11-2016 11:43 AM

My version, which backs up the old one in case a need for it arises:

#!/bin/bash
#
# Deletes the user keychain folder.

backup_name="keychain_backup_`/bin/date +"%Y_%m_%d_%H%M"`.gz";
target_user=$3;
folder_path="$(/usr/bin/id -P $target_user | /usr/bin/cut -d: -f9)/Keychains/";
/usr/bin/ditto -ck "$folder_path" "$folder_path../$backup_name";
/bin/rm -rf "$folder_path";
/usr/bin/su $target_user -c "/bin/mkdir -p "$folder_path"";

View solution in original post

Reply
11 REPLIES 11

Go to solution
dpertschi
Valued Contributor

Posted on ‎03-10-2016 10:10 AM 

#!/bin/bash

user=$(ls -la /dev/console | cut -d " " -f 4)
rm -rf /Users/$user/Library/Keychains/login.keychain

exit 0

Ran as a policy triggered by Logout.

0 Kudos
Reply

Go to solution
Nix4Life
Valued Contributor

Posted on ‎03-10-2016 12:30 PM

You could also try Alan Siu's Offset here
which is an offshoot of Outset

0 Kudos
Reply

Go to solution
m_higgins
Contributor

Posted on ‎03-11-2016 01:45 AM

Thanks @dpertschi but this hasn't rectified my problem.

We have our managed clients bound to Active Directory, as soon as a user changes their AD password it flags up issues with the login keychain. I was hoping removing it on logout would rectify it but it doesn't

0 Kudos
Reply

Go to solution
m_higgins
Contributor

Posted on ‎03-11-2016 01:52 AM

Would there be a way to remove everything in the users keychain folder?

0 Kudos
Reply

Go to solution
bentoms
Release Candidate Programs Tester

Posted on ‎03-11-2016 02:00 AM

@m.higgins Have you tried ADPassMon?

0 Kudos
Reply

Go to solution
davidacland
Honored Contributor II

Posted on ‎03-11-2016 03:21 AM

@m.higgins that would be:

#!/bin/bash

user=$(ls -la /dev/console | cut -d " " -f 4)
rm -rf /Users/$user/Library/Keychains/*

exit 0
0 Kudos
Reply

Go to solution
apizz
Valued Contributor

Posted on ‎03-11-2016 05:36 AM

what @davidacland said. You need delete more than just the login.keychain from the user's Keychains folder. There's a folder as well which is unique to the user.

We're looking to deploy ADPassMon in the near future to (hopefully) streamline the process a bit because we too use AD.

e1aa2484201740bbb1cda4d6aaace421

0 Kudos
Reply

Go to solution
joshuasee
Contributor III

Posted on ‎03-11-2016 11:43 AM

My version, which backs up the old one in case a need for it arises:

#!/bin/bash
#
# Deletes the user keychain folder.

backup_name="keychain_backup_`/bin/date +"%Y_%m_%d_%H%M"`.gz";
target_user=$3;
folder_path="$(/usr/bin/id -P $target_user | /usr/bin/cut -d: -f9)/Keychains/";
/usr/bin/ditto -ck "$folder_path" "$folder_path../$backup_name";
/bin/rm -rf "$folder_path";
/usr/bin/su $target_user -c "/bin/mkdir -p "$folder_path"";
Reply

Go to solution
m_higgins
Contributor

Posted on ‎03-15-2016 10:41 AM

Excellent responses one and all

Fixed the problem perfectly

0 Kudos
Reply

Go to solution
gbunner
New Contributor III

Posted on ‎12-15-2016 06:30 AM

Hello,

Quick question. To make this work, would I need to create a script out of the code above, then place it in the scripts part of the policy that I've created (after uploading it to the JSS of course)?

Thanks!

0 Kudos
Reply

Go to solution
SGill
Contributor III

Posted on ‎12-15-2016 08:10 AM

It's been a big help for my lab macs...thanks!

0 Kudos
Reply