pwpolicy keychain issue

Yager
New Contributor III

For background, we are using DEP and want to force a password change to the users account once we deliver the machine. So we create the account out of the box, the machine logs in and policies apply, and then when we deliver the machine they have to change their pw.

The policy runs a simple script:

sudo pwpolicy -u $USER -setpolicy "newPasswordRequired=1"

The script works great, and when you reboot the user is forced to change the password. The problem is that we are getting popups at login for "talagent wants to use the 'Local Items' keychain," "Messages Agent wants to use the 'Local Items' keychain," and "cloudpaird wants to use the 'Local Items' keychain."

This is a persistent error until removing ~/Library/Keychain/reallyLongString, which isn't a viable solution, especially since the string is different every time.

Are other people seeing this issue? Or are you forcing a pw change via a different method?

1 ACCEPTED SOLUTION: the reply by nkalister below

7 REPLIES

mm2270
Legendary Contributor III

@Yager-
The Local Items Keychain has been a consistent thorn in almost everyone's side now for several years.
@bentoms has a great write-up on his blog about it and how and why it gets out of sync - https://macmule.com/2014/03/30/the-local-items-keychain-in-mavericks/

Fortunately, the Local Items Keychain's long string should match up with the Mac's UUID, so it's actually possible to script deleting it.

#!/bin/sh

# Console user (owner of /dev/console) and the Mac's hardware UUID from IOKit
loggedInUser=$(ls -l /dev/console | awk '{print $3}')
UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}')

# The Local Items keychain lives in a directory named after that UUID
if [ -d "/Users/${loggedInUser}/Library/Keychains/${UUID}" ]; then
    echo "Found Local Items Keychain. Deleting it."
    rm -R "/Users/${loggedInUser}/Library/Keychains/${UUID}"
else
    echo "No Local Items Keychain found for $loggedInUser"
fi

nkalister
Valued Contributor

I've used a similar method to mm2270's to deal with this, but I found occasionally machines would have a UUID for the local items keychain that didn't match the UUID from IOPlatformExpertDevice. To deal with that, I started using grep to look for any keychain in the user's directory with a UUID in the name:

#!/bin/sh
loggedInUser=$(stat -f%Su /dev/console)
# Match any entry whose name has the 8-4-4-4-12 UUID shape, whatever the UUID is
icloudKeychainCheck=$(ls "/Users/${loggedInUser}/Library/Keychains" | grep '........-....-....-....-............')
if [ -n "$icloudKeychainCheck" ]; then
    # Loop so that more than one matching directory is handled correctly
    for keychainDir in $icloudKeychainCheck; do
        rm -r "/Users/${loggedInUser}/Library/Keychains/${keychainDir}"
    done
fi

Doing it that way will detect the local items keychain no matter what UUID is in the directory name.
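
As an added example (not code from this thread, nor from Jamf or Apple), the following script combines the two approaches above into an audit step that runs before anything is deleted: it lists every UUID-named directory under the user's Keychains folder, as nkalister's grep does, and reports whether each one matches IOPlatformUUID, as mm2270's script assumes. The "mismatch" case is exactly the one nkalister ran into. The function names are my own, and the directory names in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ~/Library/Keychains for Local Items keychain directories
# (UUID-named, 8-4-4-4-12 hex groups) and report whether each matches the Mac's
# IOPlatformUUID. Function names are hypothetical, not from the thread.

# POSIX basic regex for a full UUID directory name, e.g.
# 12345678-1234-1234-1234-123456789abc (constructed sample)
UUID_RE='^[0-9A-Fa-f]\{8\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{4\}-[0-9A-Fa-f]\{12\}$'

# Print the names of UUID-named directories directly under the given Keychains dir.
find_uuid_keychains() {
    keychainsDir="$1"
    [ -d "$keychainsDir" ] || return 0
    for entry in "$keychainsDir"/*; do
        [ -d "$entry" ] || continue
        name=$(basename "$entry")
        if printf '%s\n' "$name" | grep -q "$UUID_RE"; then
            printf '%s\n' "$name"
        fi
    done
}

# Number of UUID-named keychain directories (handy as a Jamf extension attribute).
count_uuid_keychains() {
    find_uuid_keychains "$1" | wc -l | tr -d ' '
}

# Compare a keychain directory name with the platform UUID, case-insensitively.
# Prints "match" (mm2270's assumption holds) or "mismatch" (nkalister's case).
classify_keychain_dir() {
    name=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    platformUUID=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    if [ "$name" = "$platformUUID" ]; then
        echo match
    else
        echo mismatch
    fi
}

# macOS-only: report on the console user's keychains against IOPlatformUUID.
report_local_items_keychains() {
    loggedInUser=$(stat -f%Su /dev/console)
    platformUUID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}')
    keychainsDir="/Users/${loggedInUser}/Library/Keychains"
    find_uuid_keychains "$keychainsDir" | while read -r name; do
        printf '%s: %s\n' "$name" "$(classify_keychain_dir "$name" "$platformUUID")"
    done
}

# Only run the report on macOS; elsewhere the helper functions are just defined.
if [ "$(uname)" = "Darwin" ]; then
    report_local_items_keychains
fi
```

Run it as root from a policy on the Mac to get one "match" or "mismatch" line per keychain directory before deciding to delete; on a non-macOS host the helper functions are defined but the report step is skipped. Deleting the directory is still the fix the thread describes, but logging which UUID was removed and whether it matched the hardware UUID makes it possible to tell later why a user's Local Items keychain was reset.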

Yager
New Contributor III

Thank you to both of you! I tested the second resolution based on the additional troubleshooting and that worked. The first solution likely also works as well. Thanks again.

bentoms
Release Candidate Programs Tester

Ohh @nkalister that's nice.

Might have to pinch that!!

GabeShack
Valued Contributor III

With AD users, does this get recreated each time their password is reset, though? Is there a way to have this silently remove the local keychain item any time a password is changed? Or do you just set this to happen on each logout or restart?

Gabe Shackney
Princeton Public Schools

nkalister
Valued Contributor

I don't believe an AD account would change anything here. The local items keychain is related to your iCloud password, so I don't believe the AD password change would trigger anything.
We do not bind to AD, though. Can someone who does bind to AD confirm the behavior?

bentoms
Release Candidate Programs Tester

@gshackney & @nkalister when an AD user's password is changed, the login.keychain password is updated... However, the local items keychain is not.

So if the 1st password is password1 & then 3 password changes later the person forgets their passwords, the local items keychain will still be password1.

Hence me forking ADPassMon to reset the local items keychain when needed.