Skip to main content

Have have been testing the removal of admin rights for some of the users in our environment running on MacOS. One issues that has come up is the ability to change the password for Keychain "login". For a standard user that options is greyed out. If we grant them admin rights again that option returns.



I know they could just use the Users and Groups option in System Prefs to change the password, but some of our users change their password using a windows box and then want to come sync up the mac after the fact. Just doing a logout and log back in using the new password doesn't always prompt the sync.



Is there a plist file or some system file we can change permissions on to allow a standard user to change the login keychain. It seems strange that that would be locked down as its not really a system change.



Also just incase anybody wonders, yes the "lock" icon has been unlocked already, but the menu item still shows as greyed out.



Thanks for any help!

Why are you removing admin rights? I know this isn't a solution, but just let them have admin and your problem goes away. AFAIK there is no way to do what you are asking.

Our organization is rolling out a few tools for Data Loss Protection. We don't want the users to be able to remove that protection. We also want to limit software installation to approved installs. We do have some controls in place to limit this. But if someone has admin rights there is nothing stopping a knowledgeable user from getting around the controls.

I'm having the same issue of "Change password for Keychain login" being greyed out, even with an admin user. I have only one Configuration Profile for "Security & Privacy" for Enabling escrow of the filevault key. Is there somehow I could have inadvertently set this somewhere else?

Found a fix, not as user friendly but works.



The user would have to open a terminal prompt and type in "security set-keychain-password"
It will then prompt for Old PW and then New PW twice.



That seems to do the trick and works without admin rights.

Make a temporary new keychain, right-click it to make it default. Now you can change the password on the old keychain. Make the old one default again. You can now delete the temp keychain.

I'm also running into this issue anyone know why this is happening on 10.13?



security set-keychain-password does work fine for me but It's not great for users who need to change their keychain password.

@stonehill-jamf What version of Jamf Pro are you running? There's a known issue (fixed in 10.5) I believe whereby adding a "Security & Privacy" payload adds an additional "Restrictions" payload even though it's not visible in Jamf. Recommend that you download the profile manually and view the details so you can see if any restrictions are inadvertently causing this behaviour.



There's a great article on this here: https://derflounder.wordpress.com/2018/01/15/filevault-recovery-key-redirection-profile-changes-in-macos-high-sierra/



Personally I downloaded the configuration profile from Jamf, stripped the signing, edited the resulting plist, signed it and re-uploaded. Because it was signed, Jamf couldn't make any changes to the profile and only the settings I wanted (escrow of FV2 key) applied.



You can make a temporary new keychain to resolve this:


Select Finder from the Dock.


Select Applications > Utilities.


Search for Keychain Access under Utilities.


Open Keychain Access.


On left navigation under Keychain Right-click > New Keychain and put a name (your GUID)
(I’ll mark it here as new_keychain_name)






Select Finder from the Dock.


Select Applications > Utilities.


Search for Terminal under Utilities.


Open Terminal.


Type whoami. Note the username that will be displayed - I’ll mark it here as username_displayed.
I’ll mark it here as new_keychain_name the new Keychain that needs to be set as default.


Type in Terminal the command: security default-keychain -s /Users/username_displayed/Library/Keychains/new_keychain_name.keychain-db
(replace both username_displayed and new_keychain_name with your identifiers)


Quit Keychain Access if already opened.


Open Keychain Access.


Open Keychain Access.


Right-click on the “login” Keychain under “Custom Keychains” (which is your old Keychain). Now you can change the password on the old keychain.


Make the old one default again using Terminal command: security default-keychain -s /Users/username_displayed/Library/Keychains/login.keychain-db
(Again, replace username_displayed with your identifier)


Quit Keychain Access.


Open Keychain Access.


You can now delete the temp keychain: Right-click on the “new_keychain_name” Keychain under “Custom Keychains” > Delete > Delete


You'll see the new_keychain_name listed under Default Keychains in the left-side panel.



Reply


Terms & ConditionsCookie settings