Enable Keychain synchronization

Path

Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable Keychain synchronization

Description

This group policy controls whether to enable keychain synchronization, which syncs the login keychain to the login user’s AD password when a password change is detected.

Note: Keychain synchronization is password-focused and should not be used in smart card environments.

Set the Password change detection interval (minutes) option to determine the time (in minutes) between checks for changed passwords. To spread the load, a random zero-to-five-minute variance is added to the actual interval at which each device is checked for a changed password. As a result, the minimum interval is five minutes.

The default value is 30 minutes.

The Store AD password in the login Keychain option is used to streamline updates of the user's login Keychain password. If this option is enabled, the Keychain Sync utility stores the user's AD password in the login keychain the next time the user logs in. If the password is changed after the policy is enabled but before the previous password has been stored in the login keychain, the Keychain Sync utility asks the user for the previous password.

When this option is selected, the user's AD password is encrypted using a static AES256 key that is unique to that user and stored in the login Keychain as an application password. The key and password are added to the keychain using the SecItemAdd API. In addition, an Access Control List ensures that only the Keychain Sync utility can access the key used to encrypt and decrypt the password.
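The storage scheme described above, shown as an added illustration written for this page; it is not code from Centrify's Keychain Sync utility. It assumes constructed service, account and application-path values (the real utility's identifiers are not given on this page), uses Apple's SecTrustedApplication/SecAccess calls (deprecated, but still the mechanism that restricts a file-based keychain item to one application) together with SecItemAdd, and picks CryptoKit's AES-GCM as the concrete AES-256 mode, which needs macOS 10.15 or later even though the policy itself supports 10.12. The read path also shows where a locked login keychain turns into a failed lookup, the limitation noted further down.

```swift
import Foundation
import Security
import CryptoKit

// All names below are constructed for this example, not values from the Centrify policy.
let serviceName     = "com.example.keychainsync-demo"      // constructed service label
let accountName     = "jdoe"                                // constructed AD user name
let syncUtilityPath = "/Applications/KeychainSyncDemo.app"  // placeholder: the only app allowed to read the items

/// Build a SecAccess whose ACL lists a single trusted application. Items stored with this
/// access object can be read by that application without an "allow access" prompt; any
/// other process is refused or prompted, which is the restriction the policy text describes.
func makeRestrictedAccess(description: String, trustedAppPath: String) -> SecAccess? {
    var trustedApp: SecTrustedApplication?
    guard SecTrustedApplicationCreateFromPath(trustedAppPath, &trustedApp) == errSecSuccess,
          let app = trustedApp else { return nil }
    var access: SecAccess?
    guard SecAccessCreate(description as CFString, [app] as CFArray, &access) == errSecSuccess else { return nil }
    return access
}

/// Store one application-password item in the login keychain under the given ACL.
/// Returns errSecDuplicateItem if an item with the same service/account pair already exists.
func addGenericPassword(account: String, label: String, data: Data, access: SecAccess) -> OSStatus {
    let attributes: [String: Any] = [
        kSecClass as String:       kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: account,
        kSecAttrLabel as String:   label,
        kSecAttrAccess as String:  access,   // macOS file-based keychain ACL
        kSecValueData as String:   data
    ]
    return SecItemAdd(attributes as CFDictionary, nil)
}

/// Read an item back. On a locked login keychain this lookup either waits on an unlock
/// prompt or fails, so the caller sees nil instead of the stored bytes.
func readGenericPassword(account: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String:       kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: account,
        kSecReturnData as String:  true,
        kSecMatchLimit as String:  kSecMatchLimitOne
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? Data
}

/// Encrypt the AD password with a fresh per-user 256-bit key and store both the key and the
/// ciphertext as separate keychain items under the same restrictive ACL.
/// AES-GCM is an assumption of this example; the policy text names only "AES256".
func storeEncryptedADPassword(_ password: String, access: SecAccess) throws -> OSStatus {
    let key = SymmetricKey(size: .bits256)
    let sealed = try AES.GCM.seal(Data(password.utf8), using: key)
    guard let ciphertext = sealed.combined else { return errSecParam }   // nonce || ciphertext || tag
    let keyBytes = key.withUnsafeBytes { Data($0) }

    let keyStatus = addGenericPassword(account: accountName + ".key", label: "AD password key",
                                       data: keyBytes, access: access)
    guard keyStatus == errSecSuccess else { return keyStatus }
    return addGenericPassword(account: accountName + ".password", label: "AD password (encrypted)",
                              data: ciphertext, access: access)
}

/// Recover the plaintext AD password, or nil if either item is unreadable (e.g. locked keychain).
func loadEncryptedADPassword() throws -> String? {
    guard let keyBytes = readGenericPassword(account: accountName + ".key"),
          let ciphertext = readGenericPassword(account: accountName + ".password") else { return nil }
    let box = try AES.GCM.SealedBox(combined: ciphertext)
    let plaintext = try AES.GCM.open(box, using: SymmetricKey(data: keyBytes))
    return String(data: plaintext, encoding: .utf8)
}

// Usage with constructed values; run as a script (swift main.swift) on macOS.
do {
    if let access = makeRestrictedAccess(description: "KeychainSync demo", trustedAppPath: syncUtilityPath) {
        let status = try storeEncryptedADPassword("Examp1e-P@ss", access: access)
        print("store status:", status)
        if status == errSecSuccess, let recovered = try loadEncryptedADPassword() {
            print("round trip ok:", recovered == "Examp1e-P@ss")
        }
    } else {
        print("could not build ACL; does the trusted application path exist?")
    }
} catch {
    print("crypto error:", error)
}
```

The key and the encrypted password are two separate items so the ACL can be checked on each; reading the key from any process other than the one listed in the SecAccess produces the keychain access prompt rather than silent disclosure. If the login keychain is locked, `readGenericPassword` returns nil and no decryption is attempted, which matches the locked-keychain limitation below.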

Centrify recommends disabling Auto Generate New Login Keychain before enabling this policy.

Please note the following limitations with the Store AD Password in the login Keychain option:

  • This option only works on macOS 10.12 or later.
  • The user’s AD password is inaccessible when the login keychain is locked.

    The most common scenario that causes this is if a user’s AD password is changed and the user logs out before syncing the keychain, then logs back in. When the user logs back in, the password check fails due to the new password, locking the login Keychain and preventing the Keychain Sync utility from accessing it.

  • Password changes can only be detected when the machine is in connected mode.

User experience when the AD password is already stored in the login Keychain.

  1. The login user receives a password change notification when his/her password is changed remotely.

  2. When the user clicks Yes on the notification, the Centrify Keychain Sync utility appears and asks for the current password to sync the keychain.

    After entering the current password and clicking OK, the Keychain Sync utility syncs the login keychain with the new password.

User experience when the AD password is not yet stored in the login Keychain.

  1. The login user receives a password change notification when his/her password is changed remotely.

  2. When the user clicks Yes on the notification, the Centrify Keychain Sync utility appears and asks if the user remembers the previous password.

  3. The user clicks Yes or No.

    • If the user clicks No, the Keychain Sync utility creates a new login keychain.

    • If the user clicks Yes, the Keychain Sync utility asks for the previous and current passwords.

      After entering the previous and current passwords and clicking OK, the Keychain Sync utility syncs the login keychain with the new password.