Posted on 06-14-2018 10:52 AM
I have been testing the removal of admin rights for some of the users in our environment running on macOS. One issue that has come up is the ability to change the password for Keychain "login". For a standard user that option is greyed out. If we grant them admin rights again that option returns.
I know they could just use the Users and Groups option in System Prefs to change the password, but some of our users change their password using a Windows box and then want to sync up the Mac after the fact. Just doing a logout and log back in using the new password doesn't always prompt the sync.
Is there a plist file or some system file we can change permissions on to allow a standard user to change the login keychain? It seems strange that that would be locked down as it's not really a system change.
Also just in case anybody wonders, yes the "lock" icon has been unlocked already, but the menu item still shows as greyed out.
Thanks for any help!
Posted on 06-14-2018 04:35 PM
Why are you removing admin rights? I know this isn't a solution, but just let them have admin and your problem goes away. AFAIK there is no way to do what you are asking.
Posted on 06-15-2018 05:37 AM
Our organization is rolling out a few tools for Data Loss Protection. We don't want the users to be able to remove that protection. We also want to limit software installation to approved installs. We do have some controls in place to limit this. But if someone has admin rights there is nothing stopping a knowledgeable user from getting around the controls.
Posted on 06-19-2018 07:34 AM
I'm having the same issue of "Change password for Keychain login" being greyed out, even with an admin user. I have only one Configuration Profile for "Security & Privacy" for enabling escrow of the FileVault key. Is there some way I could have inadvertently set this somewhere else?
Posted on 07-17-2018 10:25 AM
Found a fix, not as user friendly but works.
The user would have to open a terminal prompt and type in "security set-keychain-password"
It will then prompt for Old PW and then New PW twice.
That seems to do the trick and works without admin rights.
Posted on 08-28-2018 07:51 AM
Make a temporary new keychain, right-click it to make it default. Now you can change the password on the old keychain. Make the old one default again. You can now delete the temp keychain.
Posted on 09-13-2018 01:00 PM
I'm also running into this issue; does anyone know why this is happening on 10.13?
security set-keychain-password does work fine for me, but it's not great for users who need to change their keychain password.
Posted on 09-13-2018 01:33 PM
@stonehill-jamf What version of Jamf Pro are you running? There's a known issue (fixed in 10.5) I believe whereby adding a "Security & Privacy" payload adds an additional "Restrictions" payload even though it's not visible in Jamf. Recommend that you download the profile manually and view the details so you can see if any restrictions are inadvertently causing this behaviour.
There's a great article on this here: https://derflounder.wordpress.com/2018/01/15/filevault-recovery-key-redirection-profile-changes-in-macos-high-sierra/
Personally I downloaded the configuration profile from Jamf, stripped the signing, edited the resulting plist, signed it and re-uploaded. Because it was signed, Jamf couldn't make any changes to the profile and only the settings I wanted (escrow of FV2 key) applied.
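The check suggested in the post above (download the profile, look at what payloads it really carries) can be done with a short script once the signing has been stripped. This is an added example, not code from the thread or from Jamf; the profile it parses is a constructed sample, and the PLACEHOLDER setting inside the Restrictions payload stands in for whatever keys a real exported profile contains.

```python
import plistlib
import sys

# Apple's PayloadType for the "Restrictions" payload; any copy of this in a
# profile that was only meant to escrow the FileVault key is worth a close look.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Constructed sample of an unsigned .mobileconfig (XML plist): a FileVault
# recovery key escrow payload plus an unintended Restrictions payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.security-and-privacy</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.FDERecoveryKeyEscrow</string>
      <key>PayloadDisplayName</key><string>FileVault Recovery Key Escrow</string>
      <key>Location</key><string>Jamf Pro</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadDisplayName</key><string>Restrictions</string>
      <key>PLACEHOLDER_restriction_setting</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

def list_payloads(profile_bytes):
    """Return [(PayloadType, {setting: value})] for every payload in the profile,
    leaving out the Payload* bookkeeping keys so only real settings remain."""
    root = plistlib.loads(profile_bytes)
    out = []
    for payload in root.get("PayloadContent", []):
        settings = {k: v for k, v in payload.items() if not k.startswith("Payload")}
        out.append((payload.get("PayloadType", "<missing>"), settings))
    return out

def unexpected_payloads(profile_bytes, expected_types):
    """Payloads whose type is not in the set you intended to deploy."""
    return [(t, s) for t, s in list_payloads(profile_bytes) if t not in expected_types]

if __name__ == "__main__":
    # Usage: python check_profile.py [unsigned.mobileconfig]; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for ptype, settings in unexpected_payloads(data, {"com.apple.security.FDERecoveryKeyEscrow"}):
        print("unexpected payload", ptype, settings)
```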