Keychain question

jhuls
Contributor III

Our wifi network is configured so that you have to supply your AD credentials to get access to it. On some of our systems that connect via wifi we have some Admin accounts, and people with access to those accounts have used their own credentials to configure wifi while logged into the admin account and didn't remove them afterwards. This opens up an issue where another person with access to the admin account can go into the keychain and see that person's password.

Is there a way through Casper that we could automate the removal of those credentials to protect everyone's password? Visiting each system to remove it manually is something we'd like to avoid. Ideally it would be nice if we could automate something to detect and remove this on a schedule because I'm sure it will continue to happen.

2 REPLIES

SGill
Contributor III

I don't know if this helps you or not (and be sure to test first), but here we purge Keychains in labs with every user logout. This has been working out great for us and has completely eliminated Keychain login headaches everywhere.

Just add it as a .sh script to the LoginWindow payload in the scripts tab in a Configuration Profile:

#!/bin/bash

# Logout script: wipe the logging-out user's keychain files so no saved
# credentials survive for the next person who uses the machine.
# stat -f '%Su' gives the console owner reliably; parsing ls output with cut
# breaks when the listing contains runs of spaces.
user=$(stat -f '%Su' /dev/console)

# Never run the removal against an empty name or root.
if [ -z "$user" ] || [ "$user" = "root" ]; then
    exit 0
fi

rm -rf "/Users/$user/Library/Keychains/"*

exit 0

It is based on an older script posted here somewhere. You can have a separate profile that supplies 802.1x auto-join creds if you need to retain those. Be sure to use computer profiles and not user profiles.

mschroder
Valued Contributor

Have you looked at the 'security' command? It seems '/usr/bin/security delete-generic-password -a TheAccountThatShouldNotBeThere' should do what you want. With '/usr/bin/security find-generic-password' you can check beforehand whether the account is known on the machine / account in question.
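A scheduled detect-and-remove pass built on exactly those two subcommands, written here as an added example for this thread (it is not code from any of the posts, from Jamf or from Apple): it walks every local user's login keychain, checks with `security find-generic-password` whether the named account has saved items, reports the item's service name from the `"svce"<blob>=` line of that command's output, and removes the items with `security delete-generic-password`, repeating the delete because each call removes only one matching item. Assumed: login keychains live under /Users/<name>/Library/Keychains/, the script runs as root from a policy, and the variables `SECURITY_BIN`, `USERS_DIR`, `REPORT_ONLY` and `MAX_DELETES` are this example's own knobs, not macOS or Jamf settings.

```shell
#!/bin/bash
# Added example (not from the thread): find and remove a named account's saved
# generic-password items from every local user's login keychain, using the
# `security` subcommands mschroder mentions. Meant to run as root from a
# scheduled policy. Assumptions: login keychains live under
# /Users/<name>/Library/Keychains/; SECURITY_BIN, USERS_DIR, REPORT_ONLY and
# MAX_DELETES are this example's own knobs, not Jamf or macOS settings.

SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"
USERS_DIR="${USERS_DIR:-/Users}"
REPORT_ONLY="${REPORT_ONLY:-0}"   # 1 = detect and log only, delete nothing
MAX_DELETES=20                    # bound the delete loop for one keychain

# List every login keychain file, one path per line (old and -db names).
login_keychains() {
    local kc
    for kc in "$USERS_DIR"/*/Library/Keychains/login.keychain \
              "$USERS_DIR"/*/Library/Keychains/login.keychain-db; do
        [ -f "$kc" ] && printf '%s\n' "$kc"
    done
    return 0
}

# Read `security find-generic-password` output on stdin and print the service
# name from its "svce" attribute. Only metadata is ever shown; the -g flag,
# which would print the secret itself, is never used.
extract_service() {
    sed -n 's/^[[:space:]]*"svce"<blob>="\(.*\)"$/\1/p'
}

# Exit 0 when the account has at least one generic-password item in the keychain.
keychain_has_account() {
    local keychain="$1" account="$2"
    "$SECURITY_BIN" find-generic-password -a "$account" "$keychain" >/dev/null 2>&1
}

# Delete every item for the account from one keychain and print how many were
# removed. delete-generic-password removes a single matching item per call
# (e.g. one per saved network), so loop until find-generic-password stops matching.
purge_account_from_keychain() {
    local keychain="$1" account="$2" n=0 svc
    while keychain_has_account "$keychain" "$account"; do
        if [ "$n" -ge "$MAX_DELETES" ]; then
            echo "giving up on $keychain after $n deletes" >&2
            return 1
        fi
        svc=$("$SECURITY_BIN" find-generic-password -a "$account" "$keychain" 2>/dev/null | extract_service)
        echo "removing '$account' item (service: ${svc:-unknown}) from $keychain" >&2
        "$SECURITY_BIN" delete-generic-password -a "$account" "$keychain" >/dev/null 2>&1 || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Walk all login keychains for one account and print a one-line summary.
main() {
    local account="${1:?usage: main ACCOUNT_TO_REMOVE}" kc n total=0 hits=0
    while IFS= read -r kc; do
        [ -n "$kc" ] || continue
        keychain_has_account "$kc" "$account" || continue
        hits=$((hits + 1))
        if [ "$REPORT_ONLY" = "1" ]; then
            echo "found '$account' in $kc" >&2
            continue
        fi
        n=$(purge_account_from_keychain "$kc" "$account") || { echo "failed: $kc" >&2; continue; }
        total=$((total + n))
    done <<EOF
$(login_keychains)
EOF
    echo "keychains with '$account': $hits, items removed: $total"
}

# Only run when an account name is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

When deployed from a Jamf policy, Jamf fills $1 to $3 with its own values and hands script parameters over starting at $4, so put the account name in parameter 4 and change the final call to `main "$4"`. Setting `REPORT_ONLY=1` for the first scheduled run gives an inventory of which machines and keychains still hold the account before anything is deleted; if `delete-generic-password` fails for a keychain, the script logs a `failed:` line for it and moves on instead of miscounting.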