Deleting keychains at user logout

Update: The easiest way to do this is actually to install Offset and then put a RemoveLastUserKeychains script into /usr/local/offset/logout-every (make sure it's owned by root:wheel and has 755 permissions).

Backstory

This is a sequel to Deleting Mac Keychains in an Active Directory Environment, which talked about a way to delete keychains at logout using the (Apple-deprecated but still functional in Yosemite) logout hook or using a Launch Daemon that deletes all keychains at boot time.

The obvious downsides to those two methods are one being deprecated (so possibly not supported in the release after Yosemite) and the other running only at boot time (which doesn't take into account a user changing a password twice before the machine has a chance to reboot).

With a little trial and error and immense help from this post on StackExchange by a user named Haravikk, I've pieced together the exact steps to delete the user keychains at logout using a Launch Agent.

Create the shell script

We're going to create (if it doesn't already exist) a custom directory for your organization:

sudo mkdir -p /Library/nameofyourorg

Then make the script (again, you can do this in your favorite graphical text editor, move it over to the directory, and then change ownership to the root user and wheel group, but this is a fairly straightforward way to do it in one fell swoop without having to change ownership later):

sudo nano /Library/nameofyourorg/LogoutCleanKeychains.sh

In the text editor, paste in:

#!/bin/sh
# Runs for the whole login session (started by the Launch Agent).
# When the user logs out, launchd sends the script SIGTERM, which fires the trap.

onLogout() {
    # Add an entry to a per-user log file
    echo "$(date) - Keychain deleted" >> ~/Library/Logs/NAMEOFYOURORG.log

    # Delete the keychains for this user
    rm -rf ~/Library/Keychains/*

    exit 0
}

# Portable signal names: INT/HUP/TERM work in every sh, the SIG prefix does not
trap 'onLogout' INT HUP TERM

# Sleep in the background and wait on it, so the trap fires immediately
# instead of after the sleep finishes
while true; do
    sleep 86400 &
    wait $!
done

Then save (Control-X).

Make the script executable

sudo chmod +x /Library/nameofyourorg/LogoutCleanKeychains.sh

Create the Launch Agent

You're going to create a custom .plist file:

sudo nano /Library/LaunchAgents/local.logoutcleankeychains.plist

In the text editor, put in:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.logoutcleankeychains.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/nameofyourorg/LogoutCleanKeychains.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>EnableGlobbing</key>
    <true/>
</dict>
</plist>

Save the file (Control-X) and reboot.

The Launch Agent starts the shell script every time a user logs in; when that user logs out, launchd sends the script a termination signal, the trap catches it, and the keychain deletion runs.
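A hardened version of the logout script, added here as an example (it is not the original post's script nor part of Offset): it refuses to run against an empty or root HOME, deletes only the contents of the Keychains directory, and logs success only after verifying the directory is empty, which the page's script does not do when a network home has already gone away at logout. The clean_keychains function takes the home directory and log path as parameters so it can be exercised on a constructed temporary home, and the launchd wait loop only starts when the script is invoked with an assumed --run flag.

```shell
#!/bin/sh
# Added example: hardened variant of LogoutCleanKeychains.sh, not the page's script.

# clean_keychains <home_dir> <log_file>
# Deletes the keychain files under <home_dir>/Library/Keychains and verifies the
# directory is empty before logging success. Returns 0 on verified deletion,
# 1 if the directory is missing, files survived, or the home is unsafe.
clean_keychains() {
    home_dir=$1
    log_file=$2
    kc_dir="$home_dir/Library/Keychains"

    # With an empty or "/" HOME the page's glob expands to /Library/Keychains/*,
    # i.e. the system keychains, so refuse those outright.
    case "$home_dir" in
        ""|/) echo "$(date) - refusing to clean keychains for home '$home_dir'" >> "$log_file"; return 1 ;;
    esac

    if [ ! -d "$kc_dir" ]; then
        echo "$(date) - no keychain directory at $kc_dir, nothing deleted" >> "$log_file"
        return 1
    fi

    # Remove contents only (including dotfiles), never the directory itself.
    rm -rf "$kc_dir"/* "$kc_dir"/.[!.]* 2>/dev/null

    # Log success only when nothing is left; the page's script logs before deleting.
    if [ -n "$(ls -A "$kc_dir" 2>/dev/null)" ]; then
        echo "$(date) - keychain deletion at $kc_dir failed, files remain" >> "$log_file"
        return 1
    fi
    echo "$(date) - keychains deleted from $kc_dir" >> "$log_file"
    return 0
}

on_logout() {
    clean_keychains "$HOME" "$HOME/Library/Logs/NAMEOFYOURORG.log"
    exit 0
}

# Assumed --run flag: only enter the launchd wait loop when asked, so the file
# can be sourced or tested without blocking.
if [ "${1:-}" = "--run" ]; then
    trap on_logout INT HUP TERM
    while true; do
        sleep 86400 &
        wait $!
    done
fi
```

To use it from the Launch Agent, add --run as a second string under ProgramArguments.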

6 thoughts on “Deleting keychains at user logout”

  1. Thanks for this, Alan!

    I’m an educational technologist for an ESL program at a university, and one of my duties is to maintain the institution’s student and teacher computers. One of the most common issues which users face is keychain errors. I’ve been pestering the official IT team of the university on and off for years regarding persistent keychain issues caused by our AD environment and our aggressive forced-password-change policy, but I’ve always gotten back the answer that the IT folks are still “studying the problem” or that it’s something best addressed on a user-by-user basis.

    I’m fundamentally a classroom technology person. Because basic infrastructure issues like university user accounts are beyond my purview and beyond my control, I’ve been hesitant to implement potentially-destructive machine-side scripts to handle university account-related issues. However, after all this time spent pulling my hair out with no support from university IT, I decided to just damn the torpedoes and go for it. So far, it looks like these scripts are working beautifully! I’m doing a trial deployment right now on just a few machines, but if no problems arise, I’ll do a global rollout to all our program’s computers.

  2. Hi Alan,

    Thanks for writing up a thorough article! I do have a question – where it says:

    # Delete the keychains for this user
    rm -rf ~/Library/Keychains/*

    Our computers are domain joined to a forest of two domains. Our user structure looks like this once users login:

    users/local/college1/useraccountname
    users/local/college2/useraccountname
    users/adminaccount

    I tried each of the instructions above several times for this, but it doesn’t work for me. We’re running macOS Sierra. Any advice would be immensely appreciated!

    1. I may have spoken too soon – I can get the script to remove the user keychains.. now to work on scheduling it correctly..

  3. Hi Alan,

    Wondering if you could help me? Great article but I have come a bit unstuck! I have installed offset and have deployed the script. For my local administrator localadmin, it is fine and works without an issue.

    The issue I have is that all of our students have full redirection on and their Library folder is created on the network in their home drive. If I go to /Users as a student, I only see my localadmin account and the Shared folder but nothing for the student who is logged in. The script logs that the keychain was removed when in fact it wasn’t. I have tried editing the path in the script to /home/ with no joy – Just wondering if you had any suggestions?

    Thanks in anticipation

    1. You’d have to delete it from the network, but it sounds as if that gets disconnected when the student logs out. That’s a bit tricky. Unfortunately, I don’t have a ton of experience with network-hosted home directories. Maybe instead of a logout script, you can do a boot-every with Outset and clean out the keychains at reboot on a machine you reboot once a day?
