“Well this is not a boat accident! It wasn’t any propeller! It wasn’t any coral reef! And it wasn’t Jack the Ripper! It was Keychain.”
Just uttering the dreaded word Keychain can cause a Mac user or Admin to break out in a cold sweat. We’ve all seen the pop ups.
<Cue the ominous music>
Apple first introduced the Keychain in Mac OS 8.6 as a secure place for applications to store passwords, so that users are not pestered for credentials every time they launch Mail or connect to a network server.
Apple made the login keychain the top-level keychain and protected it with the user's login password: macOS unlocks it automatically at login using the password the user just typed, which is great…until it's not.
DO WE HAVE A PROBLEM HERE?
When the user's AD password is changed from the Mac itself (for example through the login window or System Preferences), macOS knows both the old and the new password and re-keys the login keychain, so there is no problem. When an external solution (a self-service portal, a help desk reset, or a change made from another machine) resets the password, macOS never sees the new value and the login keychain stays protected by the old one. That is when the trouble starts.
Apple's own mechanism to correct the issue has only led to more confusion. At the next login macOS detects that the login password no longer unlocks the keychain and presents three options. Updating the keychain password works only if the user still knows the old password, which is exactly what a forced reset tends to erase from memory. Most users are left confused and either continue with the keychain still locked, so every application that needs a stored secret throws a warning or a password prompt, or they create a new keychain, which means all stored application passwords and secrets are lost and have to be entered again.
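For an admin who wants to see (or script) the underlying check and repair that the out-of-sync dialog is doing, the macOS `security` tool exposes it directly. The script below is an added example written for this page, not Centrify code and not the Keychain Sync feature. It assumes a macOS 10.12 or later login keychain at `~/Library/Keychains/login.keychain-db` (older releases used `login.keychain`; set `LOGIN_KEYCHAIN` to override), and it deliberately reads the passwords from the terminal rather than taking them as arguments so they do not show up in `ps` output or shell history.

```shell
#!/bin/sh
# Check whether the login keychain still opens with the current login
# password and, if not, re-key it from the old password to the new one.
# Added example for this page; not Centrify code. Requires macOS `security`.

# Assumption: macOS 10.12+ keychain file name. Override via the environment.
LOGIN_KEYCHAIN="${LOGIN_KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# Prompt for a secret without echoing it. Usage: var=$(read_secret "Prompt: ")
read_secret() {
    printf '%s' "$1" >&2
    stty -echo
    read -r _secret
    stty echo
    printf '\n' >&2
    printf '%s' "$_secret"
}

# Returns 0 if the keychain unlocks with the supplied password, non-zero if not.
# Lock first so an already-unlocked keychain does not mask a wrong password.
keychain_unlocks_with() {
    security lock-keychain "$LOGIN_KEYCHAIN" 2>/dev/null
    security unlock-keychain -p "$1" "$LOGIN_KEYCHAIN" 2>/dev/null
}

# Re-key the login keychain from OLD to NEW. Exit codes:
#   0 keychain already in sync or successfully re-keyed
#   1 OLD does not open the keychain (nothing changed)
#   2 usage error (empty argument)
resync_login_keychain() {
    old="$1"; new="$2"
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "usage: resync_login_keychain OLD_PASSWORD NEW_PASSWORD" >&2
        return 2
    fi
    if keychain_unlocks_with "$new"; then
        echo "login keychain already opens with the current password; nothing to do"
        return 0
    fi
    if ! keychain_unlocks_with "$old"; then
        echo "old password does not open $LOGIN_KEYCHAIN; keychain left untouched" >&2
        return 1
    fi
    # Both passwords verified: change the keychain password in place.
    security set-keychain-password -o "$old" -p "$new" "$LOGIN_KEYCHAIN"
}

# Interactive entry point: only runs when the script is executed directly.
if [ "${0##*/}" = "resync-keychain.sh" ]; then
    OLD_PW=$(read_secret "Old (keychain) password: ")
    NEW_PW=$(read_secret "New (AD) password: ")
    resync_login_keychain "$OLD_PW" "$NEW_PW"
fi
```

If the user has genuinely lost the old password there is nothing to re-key; the only remaining options are to restore the keychain file from a backup taken before the reset, or to create a new keychain and accept that its contents are gone, which is what the Apple dialog offers. That is the situation the Keychain Sync feature described below is meant to avoid by handling the change at the moment it happens.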
KEEPING KEYCHAIN IN SYNC
With the most recent release of the Centrify DirectControl Agent for Mac (version 5.5.0) we have added a solution to keep your Keychain in sync when updating your AD password. Mac users have been struggling with this issue for some time leading to end user confusion, frustration and loss of productivity. Our solution will detect when a user’s AD password has been changed and prompt the user to get their passwords back in sync.
Centrify's Keychain Sync feature will bring a user's login keychain password back in line after the AD password has been changed, and gives the option to store the AD password in the Keychain if the user wishes. If the admin enables the option to securely store the user's AD password in the keychain, the next time the password changes the user only needs to enter the new AD password to sync the keychain, because the old one is already on hand.
This feature will solve the frustrating problems where the Mac Keychain password gets out of sync with the user’s AD password, resulting in application errors and confusing OS prompts. This will increase efficiency and reduce Help Desk calls.
GO BACK IN THE MAC
Now you won’t need a bigger boat because it’s safe to go back into your Mac again.
You can enable Keychain Sync by going to: Active Directory > Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable Keychain synchronization
For more information about enabling Keychain synchronization, visit https://docs.centrify.com/en/centrify/macadmin/#page/macadmin%2Fadm_computerGPs_SecurityPrivacy.html%23ww1248136
Learn more about Centrify’s Mac management solution here.