System Keychain Wiped

j_tanudjaja
New Contributor III

Hi everyone,

Some of our students are having this issue where their system keychain is empty, hence they cannot access the internet due to a missing SSL inspection certificate.

The cert is pushed through config profiles; the profile is still installed, but the cert is not found in the keychain. The only way to fix this is to run the QuickAdd package to re-enrol the machine; running "sudo jamf removeMdmProfile", then "sudo jamf mdm" didn't help at all.

The students are running 10.12.6 with no admin rights. Does anyone have any idea how they managed to wipe their system keychain? None of them seem to know what they did.

Thanks


bentoms
Honored Contributor III

@j.tanudjaja Check what items you're pushing. Maybe the system.keychain has appeared in a Composer snapshot?

Eyoung
Contributor

Going to put a +1 here. Same issue, random machines get their system level certs just cleared out. An unenroll and quick-add resolves the issue.

10.12.5-6 machines all bound using mobile accounts. 700-ish machines under proxy and it's happening randomly in that group only.
The proxy is set via a configuration profile. We are using Lightspeed for the proxy.

I've opened a ticket with Apple and Lightspeed with no resolution.

Has anyone seen any log activity that might shed light on this? I (and the Apple tech I was working with) could not find a thing to point to a root cause. It seems so random...

StoneMagnet
Contributor III

Adding another +1. Have seen several student MacBook Airs, all running 10.12.6 with Mobile Accounts, with a cleared out System keychain. Looking at the most recent victim there is nothing showing in the Jamf Pro History Logs that looks unusual. Everything that had run immediately prior to the machine dropping off the network due to the deleted wireless certs had been run several times in the days/weeks before.

mm2270
Legendary Contributor II

Oddly enough, I just encountered a system a few days ago with a completely cleared out System keychain. Also a 10.12 system. It's literally the first time I've ever seen this in all my years of working with Macs. A real head scratcher. I had to clear out a Config Profile from the system that had deployed one of our SSL Decryption certs in order to push it again, as well as manually install several other certs. Strangest thing I've ever seen, and I have no clue how it happened. :(
Given a few others here have seen it, I suspect some kind of update maybe that was installed on the Mac, but I didn't think about looking at the softwareupdate history at the time. I will have to circle back on this machine to see if I can track that down.

Anyone else have ideas on this? I thought at the time it was just a fluke, but now I'm not so sure....

j_tanudjaja
New Contributor III

Still unsure on why this happened, but at least I managed to fix this without re-enrolling or manually push/install certs. Referring to the latest on here

go to

/Library/Keychains/

and remove System.Keychain. I then renamed System.keychain.2017-XX-XX.XX/XX/XX to System.Keychain

go to

/var/db/

and remove SystemKey. I then renamed SystemKey.2017-XX-XX.XX/XX/XX to SystemKey

Restart the machine and the System keychain will be restored as it used to be.
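The restore described in the post above, as an added shell sketch that is not part of the original post or of Jamf's tooling. It assumes the backups sit beside the live file and are named `<name>.<timestamp>` with a year-first timestamp; unlike the post, it sets the current file aside instead of deleting it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: backups sit next to the live
# file and are named "<name>.<timestamp>" with a year-first timestamp, so the
# last glob match (globs expand in sorted order) is the newest backup.

# newest_backup DIR NAME: print the newest "NAME.<timestamp>" file in DIR.
newest_backup() {
    newest=""
    for f in "$1/$2".*; do
        case "$f" in *.replaced-*) continue ;; esac   # skip copies we set aside
        [ -f "$f" ] && newest=$f
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# restore_from_backup DIR NAME [apply]
# Without "apply" it only prints the plan. With "apply" it sets the live file
# aside (rather than deleting it, unlike the post) and copies the backup in.
restore_from_backup() {
    dir=$1; name=$2; mode=${3:-plan}
    backup=$(newest_backup "$dir" "$name") || {
        echo "no backup of $name in $dir" >&2
        return 1
    }
    aside="$dir/$name.replaced-$(date +%Y%m%d%H%M%S)"
    if [ "$mode" = apply ]; then
        if [ -e "$dir/$name" ]; then mv "$dir/$name" "$aside" || return 1; fi
        cp -p "$backup" "$dir/$name" || return 1
    fi
    echo "$name <- $backup"
}

# Paths from the post; override the directories to rehearse on copies.
KEYCHAIN_DIR=${KEYCHAIN_DIR:-/Library/Keychains}
SYSTEMKEY_DIR=${SYSTEMKEY_DIR:-/var/db}

# Handles both files named in the post; pass "apply" to make the changes.
plan_system_keychain_restore() {
    restore_from_backup "$KEYCHAIN_DIR" System.keychain "$1" &&
    restore_from_backup "$SYSTEMKEY_DIR" SystemKey "$1"
}
```

Run `plan_system_keychain_restore` as root to see which backups would be used, then `plan_system_keychain_restore apply` followed by the restart the post describes. It returns non-zero when no timestamped backup exists.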

StoneMagnet
Contributor III

I am not seeing any old System keychains in /Library/Keychains/. Just the System.keychain itself. Looking at the latest machine to exhibit the problem, it appears that whatever happened purged both the apsd.keychain and System.keychain files as both of them are showing the same created and modified times. That time corresponds to the student manually re-connecting to their home WiFi network. They report that they'd shut the MacBook Air down the evening of the 25th, and when they turned it on the morning of the 26th it did not automatically connect to WiFi.

keeneisd-ct
New Contributor

Same issue here; nothing to suggest what's causing it. It's not always the entire keychain, either. Sometimes only some items are deleted from the system keychain.

msanchez
New Contributor III

+1. I am seeing this issue. At first it was just our 13 inch MBA, but now our 11 inch MBAs are doing it as well.

mscheffler
New Contributor III

Seeing the same. Some students and staff had lost an SSL decryption certificate that we installed via a JSS policy. We had to flush the policy to reinstall the certificate.

widobesh
New Contributor

Experiencing the issue with our devices as well. Sometimes the AD password in the System keychain gets wiped, sometimes everything in the System keychain gets wiped. Rejoining to domain resolves the issue until it intermittently happens again.

Aaron
Contributor II

Did anyone end up finding a solution for this? I've seen an uptick of occurrences of this, but still unable to determine what causes it.

perryd
Contributor

Sorry to bring back an old thread but did anyone find a fix for this?

I'm finding a lot of machines in my company starting to show this issue. The system keychain renames itself or just locks and will not unlock even with the correct password.
This knocks out any internet access as we have all the security certificates loaded here and the domain wifi credentials.

Would love to know a fix as it's spreading to all devices slowly.

mscheffler
New Contributor III

perryd,

Don't know that anyone found a fix for the deleted keychains, but it has been a while since I've seen it happen. However, it sounds like you're talking about the keychain error pop-ups. Here are the fixes for those (or at least they fix it temporarily):

  1. Apple's instructions for when a computer wants a login keychain password - https://support.apple.com/en-us/HT201609
  2. If it's the problem of it asking to use the "Local Items" keychain - Open the Users Library folder (option-click Go menu in the Finder), find and trash the folder with the long name of random characters, restart the computer, flush the history on any policies that installed to the keychains (like an Internet certificate)

bhart
New Contributor II

Does anyone have a solution on how to have Jamf re-deploy the configuration with the certificates without re-enrolling? I am experiencing this issue when the user resets their password; they end up clearing the keychain during the password reset (computers aren't directory joined).