Removing all Intune files and keychain items

AVmcclint
Valued Contributor III

We're still struggling to get our Macs to register with Intune. After each failed attempt, in addition to removing the partial computer entries from Intune, we have to delete every single file and keychain entry that has anything at all to do with Intune and the Company portal app. After a lot of searching I came up with this script to remove the files associated with it:

#!/bin/sh

# Variable for storing the current user's name, assuming the end user
# (and not the admin) is logged in at the console when this script is run.
currentuser=$(stat -f "%Su" /dev/console)

# Every path is quoted: "Application Support" and "Saved Application State"
# contain spaces, so unquoted they would reach rm as two separate arguments.
rm -Rfv "/Users/$currentuser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info"
rm -Rfv "/Users/$currentuser/Library/Application Support/com.microsoft.CompanyPortal"
rm -Rfv "/Users/$currentuser/Library/Application Support/com.jamfsoftware.selfservice.mac"
rm -Rfv "/Users/$currentuser/Library/Saved Application State/com.jamfsoftware.selfservice.mac.savedState"
rm -Rfv "/Users/$currentuser/Library/Saved Application State/com.microsoft.CompanyPortal.savedState"
rm -Rfv "/Users/$currentuser/Library/Preferences/com.microsoft.CompanyPortal.plist"
rm -Rfv "/Users/$currentuser/Library/Preferences/com.jamfsoftware.selfservice.mac.plist"
rm -Rfv "/Users/$currentuser/Library/Preferences/com.jamfsoftware.management.jamfAAD.plist"
rm -Rfv "/Users/$currentuser/Library/Cookies/com.microsoft.CompanyPortal.binarycookies"
# Directory name corrected from "Cookes" to "Cookies"
rm -Rfv "/Users/$currentuser/Library/Cookies/com.jamf.management.jamfAAD.binarycookies"

I am having a helluva time trying to figure out how to automate the removal of the keychain items. There are so many and I can't make heads or tails out of the security command. So far I have found the following in the current user's Login keychain that seem to have anything to do with Intune:

  • Application Password: a long string of random letters and numbers associated with com.microsoft.workplace.thumbprint
  • Application Password: the OS version
  • 2 Application Passwords: that are time stamps of some sort
  • Application Password: the computer name
  • Application Password: the email address used to try and register with Intune
  • Application Password: "com.microsoft.CompanyPortal"
  • Application Password: "com.microsoft.CompanyPortal.Hockey.SDK"
  • Application Password: "enterpriseregistration.windows.net"
  • Public key: "Microsoft Workplace Join Key"
  • Private key: "Microsoft Workplace Join Key"
  • Public Key: "Microsoft Session Transport Key"
  • Private Key: "Microsoft Session Transport Key"
  • Identity preference: "https://enterpriseregistration.windows.net"
  • Identity preference: "https://enterpriseregistration.windows.net/" (yes the same as above with a trailing slash)
  • Identity preference: "https://device.login.microsoftonline.com"
  • Identity preference: "https://device.login.microsoftonline.com/" (yes the same as above with a trailing slash)
  • That's all I can recall finding

I would prefer to use a surgical methodology to only remove the Intune-specific Keychain entries and leave the user's other keychain items untouched. I don't know where to begin. I've spent weeks trying to figure out how to use the security command but I'm getting nowhere. Does anyone else have a way to automate this?
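An added example of the surgical approach asked for above; it is not the original poster's script and not the code from the linked blog post. It removes only the fixed-label "Application Password" items listed in the post (com.microsoft.CompanyPortal, com.microsoft.CompanyPortal.Hockey.SDK, enterpriseregistration.windows.net) from the console user's login keychain, using the security(1) subcommands find-generic-password and delete-generic-password. Assumptions: the login keychain lives at ~/Library/Keychains/login.keychain-db, and the per-device items (thumbprint, OS version, timestamps, computer name, email) still need their own label or service name before they can be added to the list.

```shell
#!/bin/sh
# Added example: delete the Intune / Company Portal keychain password items
# by label, leaving every other keychain item alone.
# Assumed: login keychain at ~/Library/Keychains/login.keychain-db.

# Fixed labels (the "Name" column in Keychain Access) named in the post.
intune_labels() {
    cat <<'EOF'
com.microsoft.CompanyPortal
com.microsoft.CompanyPortal.Hockey.SDK
enterpriseregistration.windows.net
EOF
}

# Login keychain path for a given user (assumed layout).
login_keychain_for() {
    printf '/Users/%s/Library/Keychains/login.keychain-db\n' "$1"
}

# Extract the "labl" attribute from find-generic-password / dump-keychain
# output, e.g.:   "labl"<blob>="com.microsoft.CompanyPortal"
# Pure text processing, so it can be checked without a keychain present.
parse_label() {
    sed -n 's/^ *"labl"<blob>="\(.*\)"$/\1/p'
}

# Render the exact delete command for one label (used for the dry-run plan).
delete_cmd_for() {
    printf 'security delete-generic-password -l "%s" "%s"\n' "$1" "$2"
}

# Delete each listed item only if it exists. DRY_RUN=1 (the default)
# prints the plan; DRY_RUN=0 performs the deletions.
remove_intune_passwords() {
    keychain=$1
    intune_labels | while IFS= read -r label; do
        # find-generic-password exits non-zero when no item carries the label
        if security find-generic-password -l "$label" "$keychain" >/dev/null 2>&1; then
            if [ "${DRY_RUN:-1}" = 1 ]; then
                delete_cmd_for "$label" "$keychain"
            else
                security delete-generic-password -l "$label" "$keychain"
            fi
        else
            printf 'not present, skipping: %s\n' "$label" >&2
        fi
    done
}

# Only act when security(1) is available, i.e. on macOS.
if command -v security >/dev/null 2>&1; then
    currentuser=$(stat -f "%Su" /dev/console)
    remove_intune_passwords "$(login_keychain_for "$currentuser")"
fi
```

Run it once as-is to see the plan, then with `DRY_RUN=0` to delete. To find the label, service ("svce") and account ("acct") of the items with variable names, `security dump-keychain <keychain>` prints those attributes for every item; once identified, such an item can be matched with `-s service` or `-a account` instead of `-l label`.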

1 ACCEPTED SOLUTION

KyleEricson
Valued Contributor

I created a blog post on how to do this. Read Here


6 REPLIES

I can't access your blog. Can you please post that here also?
Just curious, am I the only one who can't access the website?

AVmcclint
Valued Contributor III

hmmm interesting. I'll take a look at it.

AVmcclint
Valued Contributor III

@kerickson I just discovered that the script causes Self Service to crash since upgrading to Mojave 10.14.6.

AVmcclint
Valued Contributor III

The only other thing I've done was to upgrade from JamfPro 10.9.0 to 10.13.0, but I suspect Mojave 10.14.6 doesn't like some of the security commands.
In the log, after the part where it deletes the Application Support and Preference files it says this:

Remove keychain password items
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
[message repeats 9 times]
delete-identity: option requires an argument -- Z
Usage: delete-identity [-c name] [-Z hash] [-t] [keychain...]
 -c Specify certificate to delete by its common name
 -Z Specify certificate to delete by its SHA-1 hash value
 -t Also delete user trust settings for this identity certificate
The identity to be deleted must be uniquely specified either by a
string found in its common name, or by its SHA-1 hash.
If no keychains are specified to search, the default search list is used.
 Delete an identity (certificate + private key) from a keychain.
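An added example, not from this thread or the linked blog post, for the `delete-identity` failure in the log above: "option requires an argument -- Z" is what `security` prints when the variable holding the SHA-1 hash expands to an empty string, which happens whenever the preceding lookup found nothing. The snippet parses `security find-identity` output, keeps only a uniquely matching hash, and refuses to run `delete-identity` otherwise. The certificate common name and keychain path are placeholders (assumptions); the sample lookup output is constructed.

```shell
#!/bin/sh
# Added example: delete a keychain identity by SHA-1 hash only when the
# lookup by common name yields exactly one match, so "-Z" is never empty.
# Placeholders: the common name to match and the keychain path.

# Constructed sample of `security find-identity <keychain>` output. The
# same identity appears in both sections, which is why hashes are deduplicated.
SAMPLE_FIND_IDENTITY='Policy: X.509 Basic
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "EXAMPLE-DEVICE-CERT"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Other Identity"
     2 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "EXAMPLE-DEVICE-CERT"
     1 valid identities found'

# Print the SHA-1 hash of every listed identity whose quoted common name
# contains the given substring. Input line shape:  N) <40 hex> "Common Name"
hashes_for_cn() {
    awk -v cn="$1" '
        /^ *[0-9]+\) / && length($2) == 40 {
            name = $0
            sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
            sub(/"[^"]*$/, "", name)   # drop the closing quote and anything after
            if (index(name, cn) > 0) print $2
        }'
}

# Read find-identity output on stdin and print the single matching hash.
# Exit status 1: no match; 2: ambiguous (more than one distinct hash).
single_hash_for_cn() {
    hashes=$(hashes_for_cn "$1" | sort -u)
    count=$(printf '%s\n' "$hashes" | awk 'NF { n++ } END { print n + 0 }')
    case $count in
        0) return 1 ;;
        1) printf '%s\n' "$hashes" ;;
        *) return 2 ;;
    esac
}

# Look the identity up and delete it only on an unambiguous hit.
delete_identity_by_cn() {
    cn=$1; keychain=$2
    if hash=$(security find-identity "$keychain" | single_hash_for_cn "$cn"); then
        security delete-identity -Z "$hash" "$keychain"
    else
        printf 'not deleting: zero or multiple identities match "%s"\n' "$cn" >&2
        return 1
    fi
}

# Placeholders (assumptions): set CN_TO_DELETE to the real common name and
# RUN_DELETE=1 to act; only runs where security(1) exists (macOS).
CN_TO_DELETE=${CN_TO_DELETE:-"PLACEHOLDER-DEVICE-CERT-CN"}
if command -v security >/dev/null 2>&1 && [ "${RUN_DELETE:-0}" = 1 ]; then
    delete_identity_by_cn "$CN_TO_DELETE" "$HOME/Library/Keychains/login.keychain-db"
fi
```

The same guard applies to any script that builds `-Z "$hash"` from a lookup: test the variable before passing it, because an empty expansion turns into the usage error seen in the log rather than a clean "not found".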

AVmcclint
Valued Contributor III

ya know... there's something else going on here... the log snippet I pasted above was not from the first crash. Sorry about that. I need to dig deeper.