- Jamf Nation Community
- Products
- Jamf Pro
- Script to delete keychain entry
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Script to delete keychain entry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-26-2016 08:48 PM
Our student Macbooks (El Capitan) are not bound to our Active Directory. However, the students need to use their active directory userid and password to print to a networked printer which are setup on our Windows print server. Sometimes a student will enter an incorrect password when initially printing and save it to keychain. The manual process is easy to delete. However, I'd like to create a script policy that I can add to Self Service so the students can use it. The keychain entry is a "network password" for our print server, so it's easy enough to find and delete.
I'm new to the Apple scripting but want to learn more about it.
I would appreciate any assistance in writing the correct script that I can add to a policy in self-service.
Labels:
- Labels:
-
Settings and Security Management
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-27-2016 01:01 AM
Before you start scripting: You better educate students how to use the keychain, since they are local admins, and will probably add many passwords into Keychains.
But the basic bash command to manage the keychain is 'security' and the option you are looking for is 'find-internet-password' or 'delete-internet-password' but the command's output is not easy to understand, nor parse easily. See these blogs I found (some may be outdated, but they look similar to my experience)
Blog one or Blog two
AppleScript support for scripting the keychain is gone since 10.7, but some 3rd party add ons have some options, but the last update is for 10.9.1 so status for these tools on macOS Siera is unkown.
from the man page for the security command:
find-internet-password [-h] [-a account] [-s server] [options...] [-g]
[keychain...]
Find an internet password item.
-a account Match account string
-c creator Match creator (four-character code)
-C type Match type (four-character code)
-d securityDomain
Match securityDomain string
-D kind Match kind string
-j comment Match comment string
-l label Match label string
-p path Match path string
-P port Match port number
-r protocol Match protocol (four-character code)
-s server Match server string
-t authenticationType
Match authenticationType (four-character code)
-g Display the password for the item found
-w Display the password(only) for the item foundand then 'security delete-internet-password' with the proper options will delete the wrong keys
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-27-2016 08:58 AM
i made a policy that does just what you want. it runs a script that prompts for users username and password and writes it to the keychain. if there is an existing record it will delete and recreate. I added it below. let me know if you have any questions maybe we can work together to get it working in your environment.
#!/bin/sh
#variable to check if serverName keychain already exists
keychain=$(security find-internet-password -r "smb " -D "Network Password" -s "serverFQDN")
#function to get Username and Password of user, must be verified
Get_Data ()
{
USER1=$(osascript -e '
tell application "System Events"
display dialog "Enter your yourSchool Username
(Do not include @yourSchool.edu)" default answer "" buttons {"Cancel","OK"} default button 2
set USER1 to the (text returned of the result)
end tell')
# Check status of osascript
if [ "$?" != "0" ] ; then
echo "User aborted. Exiting..."
exit 1
fi
PASS="Not Set"
while [ "$PASS" != "$PASS2" ]
do
PASS=$(osascript -e '
tell application "System Events"
display dialog "Enter your yourSchool Password" default answer "" hidden answer TRUE buttons {"Cancel","OK"} default button 2
set PASS to the (text returned of the result)
end tell')
# Check status of osascript
if [ "$?" != "0" ] ; then
echo "User aborted. Exiting..."
exit 1
fi
PASS2=$(osascript -e '
tell application "System Events"
display dialog "Verify your yourSchool Password" default answer "" hidden answer TRUE buttons {"Cancel","OK"} default button 2
set PASS2 to the (text returned of the result)
end tell')
# Check status of osascript
if [ "$?" != "0" ] ; then
echo "User aborted. Exiting..."
exit 1
fi
if [ "$PASS" != "$PASS2" ]; then
osascript -e '
tell application "System Events"
display dialog "Password do not match. Please try again" buttons "OK" default button 1
end tell'
fi
done #end while
}
Create_Keychain ()
{
#create keychain using inputted USER and PASS
echo "Creating new keychain record..."
security add-internet-password -s serverFQDN -l serverFQDN -a "riverdale\"$USER1 -w $PASS -D "Network Password" -r "smb " -T "/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent" -T "/System/Library/CoreServices/NetAuthAgent.app" -T "group://NetAuth"
}
#Call Get_Data function
Get_Data
if [ "$keychain" == "" ]; then
Create_Keychain
elif [ "$keychain" != "" ]; then
echo "Deleting keychain..."
security delete-internet-password -r "smb " -D "Network Password" -s "serverFQDN"
Create_Keychain
else
exit 0
fi
# Exit
exit 0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-03-2016 01:12 AM
Tried to get this to work, copied the script and saved it as a .sh, stuck it in admin, then a policy in self service, click "fix" and then nothing happens :( Anything for me to look at?
