Deleting keychains at user logout

Update: The easiest way to do this is actually to install Offset and then put a RemoveLastUserKeychains script into /usr/local/offset/logout-every (make sure it's owned by root:wheel and has 755 permissions).

Backstory

This is a sequel to Deleting Mac Keychains in an Active Directory Environment, which talked about a way to delete keychains at logout using the (Apple-deprecated but still functional in Yosemite) logout hook or using a Launch Daemon that deletes all keychains at boot time.

The obvious downsides to those two methods are one being deprecated (so possibly not supported in the release after Yosemite) and the other running only at boot time (which doesn't take into account a user changing a password twice before the machine has a chance to reboot).

With a little trial and error and immense help from this post on StackExchange by a user named Haravikk, I've pieced together the exact steps to delete the user keychains at logout using a Launch Agent.

Create the shell script

We're going to create (if it doesn't already exist yet), a custom directory for your organization:

sudo mkdir -p /Library/nameofyourorg

Then make the script (again, you can do this in your favorite graphical text editor, move it over to the directory, and then change ownership to root user and wheel group, but this is a fairly straightforward way to do it one fell swoop without having to change ownership later):

sudo nano /Library/nameofyourorg/LogoutCleanKeychains.sh

In the text editor, paste in:

#!/bin/sh
onLogout() {
# Add entry to a log file
echo "$(date) - Keychain deleted" >> ~/Library/Logs/NAMEOFYOURORG.log

# Delete the keychains for this user
rm -rf ~/Library/Keychains/*

exit
}

trap 'onLogout' SIGINT SIGHUP SIGTERM
while true; do
sleep 86400 &
wait $!
done

Then save (Control-X).

Make the script executable

sudo chmod +x /Library/nameofyourorg/LogoutCleanKeychains.sh

Create the Launch Agent

You're going to create a custom .plist file

sudo nano /Library/LaunchAgents/local.logoutcleankeychains.plist

In the text editor, put in:

<plist version="1.0">
<dict>
<key>Label</key>
<string>local.logoutcleankeychains.plist</string>
<key>ProgramArguments</key>
<array>
<string>/Library/nameofyourorg/LogoutCleanKeychains.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>EnableGlobbing</key>
<true/>
</dict>
</plist>

Save the file (Control-X) and reboot.

The Launch Agent will then run every time a user logs in, and then it'll run the shell script every time a user logs out.

4 thoughts on “Deleting keychains at user logout”

  1. Thanks for this, Alan!

    I’m an educational technologist for an ESL program at a university, and one of my duties is to maintain the institution’s student and teacher computers. One of the most common issues which users face is keychain errors. I’ve been pestering the official IT team of the university on and off for years regarding persistent keychain issues caused by our AD environment and our aggressive forced-password-change policy, but I’ve always gotten back the answer that the IT folks are still “studying the problem” or that it’s something best addressed on a user-by-user basis.

    I’m fundamentally a classroom technology person. Because basic infrastructure issues like university user accounts are beyond my purview and beyond my control, I’ve been hesitant to implement potentially-destructive machine-side scripts to handle university account-related issues. However, after all this time spent pulling my hair out with no support from university IT, I decided to just damn the torpedoes and go for it. So far, it looks like these scripts are working beautifully! I’m doing a trial deployment right now on just a few machines, but if no problems arise, I’ll do a global rollout to all our program’s computers.

  2. Hi Alan,

    Thanks for writing up a thorough article! I do have a question – where it says:

    # Delete the keychains for this user
    rm -rf ~/Library/Keychains/*

    Our computers are domain joined to a forrest of two domains. Our user structure looks like this once users login:

    users/local/college1/useraccountname
    users/local/college2/useraccountname
    users/adminaccount

    I tried each of the instructions above several times for this, but it doesn’t work for me. We’re running macOS sierra. Any advice would be immensely appreciated!

    1. I may have spoke too soon – I can get the script to remove the user keychains.. now to work on scheduling it correctly..

Leave a Reply

Your email address will not be published. Required fields are marked *