Check for a corrupted keychain

Ever had a user told you that all of their safari items are gone? Or that they get a weird prompt when they logged in and they're not sure what to do with it?

8 months ago   •   3 min read

By macstuff

The keychain works in mysterious ways, well not that mysterious but there are points in time when it breaks. You probably know very well that if you change your password in any other way than Mr. Tim Apple intended it to be you will get an amazing pop-up like below.

Well, the user will get this pop-up. They will press "OK" and return to their normal working day. But in the background, a ton of things are broken! If you're an extensive user of Jamf Pro and have integrations like AD CS, Conditional Access (Intune), or do other fancy stuff that works with the login keychain. The user might not be able to access everything. Even better, maybe the user doesn't need everything because they're either working from home and therefore doesn't need that fancy user certificate to connect to WiFi. Maybe you haven't configured condition access compliancy as a requirement to access company data.

On your end, stuff is broken - the device is no longer connecting to Intune and as soon as the user wants to use VPN or goes to the office they log a ticket complaining that all is broken. Well, that's because the keychain could no longer be unlocked with the password that the user used to log in to their account. macOS will move the login.keychain in a backup state.

The backup state looks something like this: "" and contains all the lovely keys and certificates that you deployed to the login keychain. If you know the password for the keychain you could put this back, but tough chance that you will be able to restore this.

At one point in 2021, there was an issue with an unnamed vendor that made the keychain corrupt. When looking for keychains it scanned for everything in "~/Library/Keychains", Opened them for reading, and searched for a certificate matching a defined criteria. However, under certain circumstances, macOS decides to "convert" a keychain when it is being opened. For that, it creates backup files, and sometimes (when two apps try to access the same keychain) there is a collision in these files that makes macOS believe that the keychain is corrupted, leaving a backup file behind.

To check for this behavior I created an extension attribute to check if the keychain had gone corrupt in the last 2-3 days. It will simply tell you if the keychain has backup file in place:

This script can also be used to monitor if any user had their keychain corrupted. You can then reach out to them and verify if everything is still in order. You could of course also link this to a smart computer group and remediate any issues that are known when the keychain goes corrupt.

Check out this script on Github! Github doesn't allow embedding so I used a tool for this. The script above may be old, always check out my repositories!

extension-attributes/ at main · macstuffdev/extension-attributes
Extension Attributes for Jamf Pro. Contribute to macstuffdev/extension-attributes development by creating an account on GitHub.

Something you want to see? Something you want to know? Email me at [email protected] and I’ll consider it!

Feedback about my site or content? Contact me at [email protected]

Spread the word

Keep reading