
Clear keychain at logout

Hi everyone,


I work in a large organization and my users are required to change their passwords every 30 days. They only use Apple Macs once a month, so by the time they get back round to using their Mac the keychain needs to be updated, but most users have forgotten their old password or press "Continue Log In".


I am looking for a solution (like a script) that when a user logs out it clears their keychain.

Posted on Apr 20, 2016 2:37 AM


Apr 20, 2016 7:33 AM in response to Volume123

You need to set up a logouthook script. See the following articles for a discussion and example script.


http://www.amsys.co.uk/2015/02/delete-keychains-logout/?nabe=6486817002487808:0

and

https://jamfnation.jamfsoftware.com/discussion.html?id=16983


I did have a concern about the fact that loginhooks run as root and therefore was worried about logouthooks as well, but it seems from the above article and comments that it does work fine for finding and deleting the user's keychains rather than root's or other users' keychains.


One thing I would change is the path used, as the one given will only work for local home directories and not network home directories. Try the following version of the script.


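#!/bin/sh

# Remove every keychain in the logging-out user's home directory.
# ${HOME:?} aborts if HOME is unset or empty, so the path can never
# collapse to /Library/Keychains (the hook runs as root).
rm -Rf "${HOME:?}/Library/Keychains/"*

exit 0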

Obviously test this change before rolling it out to users. Remember there can be multiple keychains: there is the standard login.keychain, but there could also be metadata.keychain, Microsoft_Intermediate_Certificates and folder(s) which represent the Local Items keychain.
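
A more defensive form of the logout cleanup discussed in the reply above, as an added example that is not part of the original thread: because the hook runs as root, it validates the home path and refuses a symlinked Library or Keychains folder before deleting anything. The function name clear_keychains and the CLEAR_KEYCHAINS_RUN switch are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not from the original thread.
# clear_keychains HOME_DIR: empty HOME_DIR/Library/Keychains, keeping the folder.
clear_keychains() {
    home_dir=$1
    # The hook runs as root, so refuse an empty, root or relative path.
    case $home_dir in
        ''|/) echo "refusing home directory '$home_dir'" >&2; return 1 ;;
        /*)   ;;
        *)    echo "refusing relative path '$home_dir'" >&2; return 1 ;;
    esac
    kc_dir=$home_dir/Library/Keychains
    # A symlinked Library or Keychains would redirect root's rm elsewhere.
    for p in "$home_dir/Library" "$kc_dir"; do
        if [ -L "$p" ]; then
            echo "refusing symlink: $p" >&2
            return 1
        fi
    done
    # No keychain folder means there is nothing to clear.
    [ -d "$kc_dir" ] || return 0
    # Delete each top-level entry: login.keychain, metadata.keychain and the
    # folder(s) backing the Local Items keychain alike.
    find "$kc_dir" -mindepth 1 -maxdepth 1 -exec rm -Rf -- {} +
}

# Hook entry point. CLEAR_KEYCHAINS_RUN is a hypothetical switch for this
# example, so loading the file never touches a real home directory.
if [ "${CLEAR_KEYCHAINS_RUN:-}" = 1 ]; then
    clear_keychains "$HOME"
fi
```

The symlink check covers only the Library and Keychains path components at the moment the function runs, so it should still be tested against both local and network home directories before rollout.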
