Remove login Keychain logout hook

m_higgins
Contributor

Would anyone have any idea on how to script a logout hook to remove the entire login keychain of the user logged in?

2 ACCEPTED SOLUTIONS (the replies from davidacland and joshuasee below)

11 REPLIES

dpertschi
Valued Contributor

#!/bin/bash

# The owner of /dev/console is the user currently logged in at the GUI.
user=$(/usr/bin/stat -f "%Su" /dev/console)
[ -n "$user" ] && [ "$user" != "root" ] || exit 1

# Remove only the login keychain (named login.keychain-db on newer macOS versions).
rm -rf "/Users/$user/Library/Keychains/login.keychain"

exit 0

Ran as a policy triggered by Logout.

Nix4Life
Valued Contributor

You could also try Alan Siu's Offset, which is an offshoot of Outset.

m_higgins
Contributor

Thanks @dpertschi but this hasn't rectified my problem.

We have our managed clients bound to Active Directory, and as soon as a user changes their AD password it flags up issues with the login keychain. I was hoping removing it on logout would rectify it, but it doesn't.

m_higgins
Contributor

Would there be a way to remove everything in the users keychain folder?

bentoms
Release Candidate Programs Tester

@m.higgins Have you tried ADPassMon?

davidacland
Honored Contributor II

@m.higgins that would be:

#!/bin/bash

# The owner of /dev/console is the user currently logged in at the GUI.
user=$(/usr/bin/stat -f "%Su" /dev/console)
[ -n "$user" ] && [ "$user" != "root" ] || exit 1

# Remove everything in the Keychains folder, including the per-user UUID folder.
rm -rf "/Users/$user/Library/Keychains/"*

exit 0

apizz
Valued Contributor

What @davidacland said. You need to delete more than just the login.keychain from the user's Keychains folder. There's a folder as well which is unique to the user.

We're looking to deploy ADPassMon in the near future to (hopefully) streamline the process a bit because we too use AD.

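As an added example (not code posted by anyone in this thread), the script below combines the points made so far into one logout policy script: it validates the username, resolves the home directory through Directory Services rather than assuming /Users, archives the whole Keychains folder (login keychain and the per-user UUID folder) before emptying it, recreates the empty folder for the user, and writes a syslog line so the reset shows up in logs. It assumes Jamf's policy-script convention that $3 is the username of the user logging out, falls back to the /dev/console owner when $3 is empty, and uses a backup location of its own choosing (Library/KeychainBackups). The getent fallback in home_for_user exists only so the helpers can be exercised off a Mac.

```shell
#!/bin/bash
# Logout-time keychain reset with backup, argument validation and logging.
# Added example; assumes Jamf passes the username as $3 (hypothetical deployment).

set -u

# Accept only a plausible short name: non-empty, not root, no path separators,
# spaces or leading dots, so a bad argument can never turn into rm -rf elsewhere.
validate_user() {
    local user=$1
    case "$user" in
        "" | root | */* | *" "* | .* ) return 1 ;;
    esac
    return 0
}

# Resolve the home directory via Directory Services (covers AD mobile accounts).
# The getent branch is only there so the helper runs on non-macOS test hosts.
home_for_user() {
    local user=$1
    if [ "$(uname -s)" = "Darwin" ]; then
        /usr/bin/dscl . -read "/Users/$user" NFSHomeDirectory | /usr/bin/awk '{print $2}'
    else
        getent passwd "$user" | cut -d: -f6
    fi
}

# Archive <home>/Library/Keychains into <backup_dir>, then empty the folder.
# Everything goes: login.keychain(-db) and the per-user UUID folder alike.
# Prints the archive path. A missing Keychains folder is created, not an error.
reset_keychains() {
    local home=$1 backup_dir=$2
    local kc="$home/Library/Keychains"
    local stamp archive
    stamp=$(date +%Y_%m_%d_%H%M%S)
    archive="$backup_dir/keychain_backup_${stamp}.tar.gz"
    mkdir -p "$backup_dir" "$kc"
    # -C keeps a relative "Keychains/..." tree in the archive, not the absolute path.
    tar -czf "$archive" -C "$home/Library" Keychains
    find "$kc" -mindepth 1 -delete
    printf '%s\n' "$archive"
}

# Number of entries left in the Keychains folder; 0 after a successful reset.
keychain_entries() {
    find "$1/Library/Keychains" -mindepth 1 | wc -l | tr -d ' '
}

main() {
    local user=${3:-}
    if [ -z "$user" ] && [ "$(uname -s)" = "Darwin" ]; then
        user=$(/usr/bin/stat -f '%Su' /dev/console)
    fi
    validate_user "$user" || { echo "refusing to run for user '$user'" >&2; exit 1; }
    local home
    home=$(home_for_user "$user")
    [ -d "$home" ] || { echo "no home directory for $user" >&2; exit 1; }
    local archive
    archive=$(reset_keychains "$home" "$home/Library/KeychainBackups")
    # Hand the recreated folder and the backup back to the user.
    chown -R "$user" "$home/Library/Keychains" "$home/Library/KeychainBackups"
    logger -t keychain-reset "reset keychains for $user, backup at $archive"
}

# Only act when running as root on macOS, which is how a logout policy runs.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main "$@"
fi
```

Uploaded to the JSS as a script and attached to a policy triggered at logout, it behaves like the accepted answers but refuses to run for an empty or malformed username, and leaves a timestamped archive in the user's Library folder that can be restored if something the user needs was only in the old keychain.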

joshuasee
Contributor III

My version, which backs up the old one in case a need for it arises:

#!/bin/bash
#
# Deletes the user keychain folder, after archiving it next to it
# (.../Library/keychain_backup_<timestamp>.zip) in case it is needed again.
# Run from a Jamf policy: $3 is the username of the user logging out.

target_user=$3
[ -n "$target_user" ] && [ "$target_user" != "root" ] || exit 1

# ditto -ck produces a PKZip archive, hence the .zip extension.
backup_name="keychain_backup_$(/bin/date +"%Y_%m_%d_%H%M").zip"
# Field 9 of the passwd-style record printed by `id -P` is the home directory.
home_dir="$(/usr/bin/id -P "$target_user" | /usr/bin/cut -d: -f9)"
[ -d "$home_dir" ] || exit 1
folder_path="$home_dir/Library/Keychains/"

/usr/bin/ditto -ck "$folder_path" "$folder_path../$backup_name"
/bin/rm -rf "$folder_path"
# Recreate an empty Keychains folder as the user so macOS can build a fresh login keychain.
/usr/bin/su "$target_user" -c "/bin/mkdir -p '$folder_path'"

m_higgins
Contributor

Excellent responses, one and all.

Fixed the problem perfectly.

gbunner
New Contributor III

Hello,

Quick question. To make this work, would I need to create a script out of the code above, then place it in the scripts part of the policy that I've created (after uploading it to the JSS of course)?

Thanks!

SGill
Contributor III

It's been a big help for my lab Macs... thanks!