Deleting Mac Keychains in an Active Directory Environment

Update: The easiest way to do this is actually to install Offset and then put a RemoveLastUserKeychains script into /usr/local/offset/logout-every (make sure it's owned by root:wheel and has 755 permissions).

What's the problem?

If you're in a primarily or exclusively Mac environment, but you're managing logins through Active Directory, password changes on the AD level confuse the local Macs, which will log you in just fine but will not know what to do with your previous login keychain.

One potential solution is to delete the keychains after a mandatory password change... or just at a regular interval. Here are two ways to do that.

Method #0: Use a Launch Agent

Go to Deleting keychains at user logout for the best way to do this.

Method #1: Use a Logout Hook

Why you might not want to use the logout hook

Apple deprecated the login/logout hooks as of Mac OS X 10.4 (Tiger), and—as of this writing—we're up to OS X 10.10 (Yosemite), and the hooks still work. In theory, though, Apple could yank support for the login/logout hooks at any time.

Credit where credit is due...

If you'd like to use a logout hook, this is what you do (credit to How to delete Keychains at logout for being the basis of these instructions).

Instructions

Make a location for your script

Amsys recommends creating one special for your organization (they use /Library/amsys, and we would use /Library/siprep), so create one appropriate for your organization.

In the terminal, you can create that directory using this command:

sudo mkdir -p /Library/nameofyourorg

Make your script

To make the script, you can use the graphical text editor of your choice (e.g., TextWrangler or Sublime Text). If you prefer Mac OS X's built-in TextEdit, just be sure you're saving as plain text and not rich text format. Just remember, once you copy the script to /Library/nameofyourorg, that you need to change ownership of the file to root (owner) and wheel (group).

A simple way to use the terminal to make the script (and avoid having to change ownership of the file later) is to just use the built-in text editor, nano:

sudo nano /Library/nameofyourorg/CleanKeychain.sh

Then, paste in this code:

#!/bin/sh
rm -Rf /Users/$1/Library/Keychains/*
exit 0

Then save (Control-X).

Amsys had $USER instead of $1, but I couldn't get the script to work unless I used $1.

Make the script executable

Whether you used a graphical text editor or a terminal based one, you'll still want to change the permissions on the file so anyone can execute it:

sudo chmod 755 /Library/nameofyourorg/CleanKeychain.sh

Add your script to the logout hook

To get the logout to invoke your script, use this command

sudo defaults write com.apple.loginwindow LogoutHook /Library/nameofyourorg/CleanKeychain.sh

Method #2: Use a Launch Daemon at boot time

Introduction

This second method uses a Launch Daemon (which is not deprecated), but it also assumes you will reboot the machine from time to time (for example, if you have your machines scheduled to reboot every night or every weekend).

The advantage, of course, is that if Apple decides to no longer support the logout hook, this method will likely still work. The disadvantage is that this will work only when you reboot the machine and not every time a user logs out.

I haven't found a way to successfully create a launchd process that executes at logout (instead of just login). someone on Stack Exchange claims to have been able to do it, but I couldn't replicate those steps with success.

So what this does is, at boot time at a system level, just delete all user keychains.

Instructions

Create the shell script

Similarly to the other method, we're going to create (if it doesn't already exist yet), a custom directory for your organization:

sudo mkdir -p /Library/nameofyourorg

Then make the script (again, you can do this in your favorite graphical text editor, move it over to the directory, and then change ownership to root user and wheel group, but this is a fairly straightforward way to do it one fell swoop without having to change ownership later):

sudo nano /Library/nameofyourorg/CleanKeychains.sh

In the text editor, paste in:

#!/bin/sh

# Delete keychains for all users
rm -rf /Users/*/Library/Keychains/*

exit 0

Then save (Control-X).

Make it executable

sudo chmod +x /Library/nameofyourorg/CleanKeychains.sh

Create the Launch Daemon

You're going to create a custom .plist file

sudo nano /Library/LaunchDaemons/local.clean.keychain.plist

In the text editor, put in:

<plist version="1.0">
<dict>
<key>Label</key>
<string>local.clean.keychain.plist</string>
<key>ProgramArguments</key>
<array>
<string>/Library/nameofyourorg/CleanKeychains.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

Save the file (Control-X) and reboot.

2 thoughts on “Deleting Mac Keychains in an Active Directory Environment”

Leave a Reply

Your email address will not be published. Required fields are marked *