Keychain is the password management system in macOS, developed by Apple. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of Mac OS, now known as macOS. A Keychain can contain various types of data: passwords (for websites, FTP. 'Mac OS X 10.5 Help - Changing your keychain password'.
I know this topic has been brought up many times, but I still have not found an ideal solution to our particular situation, so I wanted to get some input from you folks. I know it's not exactly a jamf issue but.
We do not allow our users to set their own passwords. The reason for this is that we have multiple services our teachers and students use and we manage, and some of these use LDAP while others require us to set the password for the user. To keep things consistent and avoid daily 'I forgot my password' situations, we control the passwords for all users.
I realize this is not ideal from a security standpoint, but it is necessary for our situation. We change passwords for teachers once a year. As you all know, OS X displays a cryptic (to most users) dialog prompting them to update their keychain password after an AD password change. We do not want to panic our teachers, so right now we are thinking that we will try to communicate the steps they need to take when they all get back on campus, and then change the passwords the next day. Does anybody else have a similar situation and a better way to deal with it?
Some things we have tried: KeychainMinder. The problem: I can't get it to come up before the system dialog. It only comes up after the original prompt, which doesn't help avert the aforementioned panic. A script with a database of the username, old password, and new password to change the keychain password via the 'security' command line tool. This seems to work sometimes, but at other times it seems to set the keychain password to something that is neither the old or new password, and ends up with a completely inaccessible keychain that has to be reset (deleted and replaced with a new empty keychain).
What I would like to see: Apple to release an API that would allow jamf to update the keychain password. I guess there might be security implications with this, but it would certainly be helpful for us. I know this is not what you want to hear, but you really need to re-evaluate your processes. Passwords are only being changed once a year and are obviously stored somewhere in plaintext (or communicated in plaintext to users, who do not change them later). Multiple people have access to user passwords. This would fail any security audit, and if student records can be accessed through these mechanisms, you could be facing a breach that could release personal information.
This is a very bad scenario. But to answer your question, I would just train your users on how to handle the keychain update prompt, since I doubt you are able to properly secure password changes with your setup (database-scripts). You can turn this loginwindow keychain update option off.
![Keychain Keychain](/uploads/1/2/5/4/125498075/611261244.png)
![Password Password](/uploads/1/2/5/4/125498075/582070672.jpg)
Here are the commands I used to disable for my own account: To disable: defaults write com.apple.keychainaccess SyncLoginPassword -bool false To enable: defaults write com.apple.keychainaccess SyncLoginPassword -bool true This is a per-user setting and is stored in /Users/username/Library/Preferences/com.apple.keychainaccess.plist You should also be able to control this setting with MCX. For more information on this setting, see this post. Besides the posted suggestions and remarks, I think a big issue here is that the passwords only change once a year. Given this, you can't expect the teachers to even remember what they need to do when the Apple keychain dialog comes up. Who would recall what the procedure is if they only saw it 12 months ago?
Some of them may even be new staff who have never seen it. Like alexjdale said, you really should consider changing this entire process. If you really must keep it the way it is with IT changing the passwords for them, then at least consider doing it more frequently. That will help a little on the security side and also get users used to how to update their login keychain password. Like I said, I understand the situation is not ideal, but I'm sure you all know that processes evolve out of the needs you have, and trying to rubber-stamp a new process onto an existing system is not something we can afford to do right now. I looked at the practicals of changing the system recently, and I'm pretty sure we would have a revolt on our hands if we tried to do it right now. We will probably try rtrouton's suggestion for now.
That will allow us to use keychain minder to have them reset their passwords. I know this is an old thread but I thought I would add my experience using keychain minder. While we don't have the same password change process as nextyoyoma, our Mac users utilize many other platforms including Windows systems, Citrix systems, and other remote systems; so they could change their password anywhere. I used rtrouton's suggestion and disabled the password sync to disable the default keychain prompt from popping up in Mavericks during logon. While this works, and the keychain minder app does pop up after logging on, other services that use the keychain such as a wireless connection will pop up in front of the Keychain minder window asking for the password. This is really not that ideal and would cause further confusion. I actually have no issues with the default keychain password change prompt in mavericks other than it isn't very clear what it is for to a non-technical user.
I wish there was some way I could just alter the text of the default keychain prompt that apple provides. We have decided to stick with the default apple notification for now. We will try and communicate the process to the end users and support staff as best we can for the time being until a better solution becomes available. Disclaimer: everything we support is bound to active directory, managed-mobile accounts-admin rights, password changes every 90 days, we've got about 1500 Macs managed by our JSSes and another 500 odd running amok in the wild. I'm honestly in disbelief at how many people fight against keychains rather than trying to tame them - in our organization and outside. It absolutely isn't clear to a non-technical person when you're being prompted - but we try very hard to train clients and support staff to focus on the difference between a 'current access password' and a 'current login keychain'.
The single best document for doing this is; I've never had an issue with keychains synchronizing (9+ years and counting) - even when i've been using my laptop off the network with a recent password change, as designed, the next time it talks to our AD server i'm prompted to enter my current login keychain password so that it can be updated/synchronized with my account access password. Up until literally yesterday the troubleshooting process somewhere in our organization involved.anything keychain related.delete it and start again. I've narrowed this information down to a single mis-informed support staff member.everyone else is being instructed to only ever delete keychains if the user has completely forgotten their password - otherwise you synchronize them, and worst case, delete an offending keychain entry if an old password is set somewhere that's causing an account to be locked after 'x' many incorrect attempts. As always, your mileage may vary in your environment - happy wrangling.
I changed my password recently and now I'm getting locked out. How do I update my saved passwords? On This Page. Click Start Control Panel User Accounts Credential Manager. Note: If 'View by' is set to Category, click User Accounts first, and then click Credential Manager. Select the Windows Credentials option.
Locate the set of credentials that you want to update/remove and then expand the corresponding folder. Then click Remove from Vault or Remove (depending upon which version of Windows you are running). Repeat step 3 for any additional sets of credentials 1) Open the Mac Keychain. Click Finder Go Utilities Keychain Access.
2) In Keychain Access, select the Passwords category on the left to review the list of sites and services for which you've saved a password. 3) Right-click the service you want to edit/remove, then left-click Delete. This only includes passwords saved in Safari, the default Internet browser. Open the ‘Settings’ menu. Click on ‘Safari’ then under general, click on ‘Passwords & AutoFill’.
Click on ‘Saved Passwords’. If your device has a passcode, you will need to enter it. A list of saved accounts will be displayed. Click on ‘Edit’. Click on the account you want to delete the saved password for. You can select multiple accounts by placing a tick next to each account. Click ‘Delete’ in the top left.
Click the ‘Delete’ button to confirm. The password will now be removed.
Launch your Browser, usually Chrome. Open the Menu and select Settings.
Select Privacy. Select Clear Browsing Data. Check Clear saved passwords and Clear autofill data, and then choose Clear.