Enable Keychain synchronization
Path
Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable Keychain synchronization
Description
This group policy controls whether to enable keychain synchronization, which syncs the login keychain to the login user’s AD password when a password change is detected.
Note: Keychain synchronization is password-focused and should not be used in smart card environments.
Set the Password change detection interval (minutes) option to determine the time (in minutes) between checks for changed passwords. A random zero- to five-minute variance is added to the actual interval at which each device is checked, which spreads the load and preserves performance. As a result, the minimum interval is five minutes.
The default value is 30 minutes.
The Store AD password in the login Keychain option is used to streamline updates of the user's login Keychain password. If this option is enabled, the Keychain Sync utility stores the user's AD password in the login keychain the next time the user logs in. If the password is changed after the policy is enabled but before the previous password has been stored in the login keychain, the Keychain Sync utility prompts for the previous password.
When this option is selected, the user's AD password is encrypted using a static AES256 key that is unique to that user and stored in the login Keychain as an application password. The key and password are added to the keychain using the SecItemAdd API. In addition, an Access Control List ensures that only the Keychain Sync utility can access the key used to encrypt and decrypt the password.
Centrify recommends disabling Auto Generate New Login Keychain before enabling this policy.
Please note the following limitations with the Store AD Password in the login Keychain option:
- This option only works on macOS 10.12 or later.
- The user’s AD password is inaccessible when the login keychain is locked.
  The most common scenario that causes this is if a user’s AD password is changed and the user logs out before syncing the keychain, then logs back in. When the user logs back in, the password check fails due to the new password, locking the login Keychain and preventing the Keychain Sync utility from accessing it.
- Password changes can only be detected when the machine is in connected mode.
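The storage scheme described above (a per-user AES256 key and the encrypted AD password added as application passwords with SecItemAdd, the key readable only by one trusted application) and the locked-keychain limitation, shown as an added illustration in Swift. This is not Centrify's code; the service label, trusted application path, AES-GCM mode and helper names are assumptions.

```swift
import Foundation
import Security
import CryptoKit

enum KeychainError: Error { case osStatus(OSStatus) }

let service = "com.example.adsync"                              // assumed label
let syncToolPath = "/Applications/Example Keychain Sync.app"    // assumed trusted app

// Build an ACL that lets only the named application read the item without a prompt.
func restrictedAccess(to appPath: String, label: String) throws -> SecAccess {
    var app: SecTrustedApplication?
    var status = SecTrustedApplicationCreateFromPath(appPath, &app)
    guard status == errSecSuccess, let trusted = app else { throw KeychainError.osStatus(status) }
    var access: SecAccess?
    status = SecAccessCreate(label as CFString, [trusted] as CFArray, &access)
    guard status == errSecSuccess, let acl = access else { throw KeychainError.osStatus(status) }
    return acl
}

// Store an application (generic) password in the login keychain, replacing any old value.
func store(_ data: Data, account: String, access: SecAccess) throws {
    let base: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                               kSecAttrService as String: service,
                               kSecAttrAccount as String: account]
    SecItemDelete(base as CFDictionary)          // "item not found" is fine here
    var item = base
    item[kSecValueData as String] = data
    item[kSecAttrAccess as String] = access
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
}

// Read an item back. While the login keychain is locked the item cannot be returned
// without unlocking it first, which is the locked-keychain limitation noted above.
func load(account: String) throws -> Data {
    var query = [kSecClass as String: kSecClassGenericPassword,
                 kSecAttrService as String: service,
                 kSecAttrAccount as String: account] as [String: Any]
    query[kSecReturnData as String] = true
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { throw KeychainError.osStatus(status) }
    return data
}

// Per-user static AES-256 key, and the password sealed under it (constructed sample value).
let key = SymmetricKey(size: .bits256)
let keyBytes = key.withUnsafeBytes { Data($0) }
let sealed = try AES.GCM.seal(Data("example-password".utf8), using: key).combined!
let acl = try restrictedAccess(to: syncToolPath, label: "AD sync key")
try store(keyBytes, account: "\(NSUserName())-key", access: acl)   // key: ACL-restricted
try store(sealed, account: NSUserName(), access: acl)               // encrypted password
```

Decrypting later is `AES.GCM.open(try AES.GCM.SealedBox(combined: try load(account: NSUserName())), using: SymmetricKey(data: try load(account: "\(NSUserName())-key")))`; if the login keychain is locked, the `load` calls fail before any decryption is attempted.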
User experience when the AD password is already stored in the login Keychain.
User experience when the AD password is not yet stored in the login Keychain.