We have been testing the removal of admin rights for some of the users in our environment running on macOS. One issue that has come up is the ability to change the password for Keychain "login". For a standard user that option is greyed out. If we grant them admin rights again that option returns.
I know they could just use the Users and Groups option in System Prefs to change the password, but some of our users change their password using a Windows box and then want to come sync up the Mac after the fact. Just doing a logout and log back in using the new password doesn't always prompt the sync.
Is there a plist file or some system file we can change permissions on to allow a standard user to change the login keychain? It seems strange that that would be locked down as it's not really a system change.
Also just in case anybody wonders, yes the "lock" icon has been unlocked already, but the menu item still shows as greyed out.
Thanks for any help!
Our organization is rolling out a few tools for Data Loss Protection. We don't want the users to be able to remove that protection. We also want to limit software installation to approved installs. We do have some controls in place to limit this. But if someone has admin rights there is nothing stopping a knowledgeable user from getting around the controls.
@stonehill-jamf What version of Jamf Pro are you running? There's a known issue (fixed in 10.5) I believe whereby adding a "Security & Privacy" payload adds an additional "Restrictions" payload even though it's not visible in Jamf. Recommend that you download the profile manually and view the details so you can see if any restrictions are inadvertently causing this behaviour.
There's a great article on this here: https://derflounder.wordpress.com/2018/01/15/filevault-recovery-key-redirection-profile-changes-in-macos-high-sierra/
Personally I downloaded the configuration profile from Jamf, stripped the signing, edited the resulting plist, signed it and re-uploaded. Because it was signed, Jamf couldn't make any changes to the profile and only the settings I wanted (escrow of FV2 key) applied.
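The check suggested in the thread (download the profile and see which payloads it really contains) can be scripted. The following is an added example, not part of any post and not Jamf's code; it assumes the downloaded profile has already had its signing stripped so it is a plain plist, and the sample profile, its identifiers and the helper names are constructed for illustration.

```python
import plistlib

# Payload type Apple uses for the Restrictions payload, the one the thread
# suspects is added invisibly alongside "Security & Privacy".
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
# Bookkeeping keys carried by every payload; they are not settings.
META_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID",
             "PayloadVersion", "PayloadDisplayName", "PayloadDescription",
             "PayloadOrganization", "PayloadEnabled"}

def audit_profile(data: bytes):
    """Return [(payload_type, sorted setting keys)] for an unsigned profile."""
    if not data.lstrip().startswith((b"<?xml", b"bplist00")):
        # A signed profile is a CMS container, not a plist.
        raise ValueError("not a plain plist; strip the signature first")
    profile = plistlib.loads(data)
    report = []
    for payload in profile.get("PayloadContent", []):
        keys = sorted(k for k in payload if k not in META_KEYS)
        report.append((payload.get("PayloadType", "<missing>"), keys))
    return report

def unexpected_payloads(report, intended_types):
    """Payloads present in the profile that the admin did not mean to ship."""
    return [(t, keys) for t, keys in report if t not in intended_types]

# Constructed sample: an escrow payload plus a Restrictions payload that
# the admin never configured. Identifiers are placeholders.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.constructed.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.FDERecoveryKeyEscrow",
         "PayloadIdentifier": "example.constructed.escrow",
         "Location": "Example escrow server"},
        {"PayloadType": RESTRICTIONS_TYPE,
         "PayloadIdentifier": "example.constructed.restrictions",
         "allowCamera": True,
         "allowCloudKeychainSync": False},
    ],
})

if __name__ == "__main__":
    intended = {"com.apple.security.FDERecoveryKeyEscrow"}
    for ptype, keys in unexpected_payloads(audit_profile(SAMPLE), intended):
        print(f"unexpected payload {ptype}: {', '.join(keys)}")
```

Any payload type reported as unexpected is one to review key by key before the profile is scoped to standard users.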