Volume123

Q: Clear keychain at logout

Hi everyone,


I work in a large organization. My users are required to change their passwords every 30 days, and they only use Apple Macs once a month, so by the time they get back round to using their Mac the keychain needs updating, but most users have forgotten their old password or press "Continue Log In".


I am looking for a solution (like a script) that clears a user's keychain when they log out.

Posted on Apr 20, 2016 2:37 AM


  • by John Lockwood, Apr 20, 2016 7:33 AM in response to Volume123

    You need to set up a logouthook script. See the following article for a discussion and an example script.


    http://www.amsys.co.uk/2015/02/delete-keychains-logout/?nabe=6486817002487808:0

    and

    https://jamfnation.jamfsoftware.com/discussion.html?id=16983


    I did have a concern about the fact that loginhooks run as root, and therefore was worried about logouthooks as well, but it seems from the above article and comments that it does work fine for finding and deleting the user's keychains rather than root's or other users' keychains.


    One thing I would change is the path used, as the one given will only work for local home directories and not network home directories. Try the following version of the script.


    #!/bin/sh
    # Remove every keychain file and folder under the user's Keychains directory.
    # $HOME is quoted so a home path containing spaces is handled correctly.
    rm -Rf "$HOME"/Library/Keychains/*
    exit 0


    Obviously test this change before rolling it out to users. Remember there can be multiple keychains: there is the standard login.keychain, but there could also be metadata.keychain, Microsoft_Intermediate_Certificates and folder(s) which represent the Local Items keychain.
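A fuller version of the logout hook discussed in this thread, added here as an example that is neither the poster's script nor code from the linked articles. It assumes loginwindow passes the logging-out user's short name as the hook's first argument and that `dscl` is available to resolve the home directory (so network homes work); `DSCL_HOME_OVERRIDE` is a testing hook I added, and the `clear_keychains.sh` path is a placeholder. Because hooks run as root, the script refuses to touch root's home or an empty path before deleting anything.

```shell
#!/bin/sh
# Added example, not the poster's code. Install as root with:
#   defaults write com.apple.loginwindow LogoutHook /usr/local/bin/clear_keychains.sh

# Resolve a user's home directory from Directory Services (works for network
# homes). DSCL_HOME_OVERRIDE is an assumption used only for offline testing.
user_home() {
    if [ -n "$DSCL_HOME_OVERRIDE" ]; then
        printf '%s\n' "$DSCL_HOME_OVERRIDE"
    else
        dscl . -read "/Users/$1" NFSHomeDirectory 2>/dev/null \
            | sed 's/^NFSHomeDirectory: //'
    fi
}

# Remove every keychain file (login.keychain, metadata.keychain, ...) and every
# Local Items folder under <home>/Library/Keychains for the given user.
# Returns 1 without deleting anything if the user or home looks like root's
# or is empty, since logout hooks run as root and $HOME is not trustworthy.
clear_keychains() {
    user="$1"; home="$2"
    case "$user" in ""|root) return 1 ;; esac
    case "$home" in ""|/|/var/root|/private/var/root) return 1 ;; esac
    dir="$home/Library/Keychains"
    [ -d "$dir" ] || return 0
    # Quoted path plus -- keeps homes with spaces or odd names safe.
    find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
    return 0
}

# Act only when loginwindow supplies a user name; otherwise just define functions.
if [ $# -ge 1 ]; then
    clear_keychains "$1" "$(user_home "$1")"
    exit 0
fi
```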