You can configure Self Service+ to sync other user account passwords that are stored in the keychain with a network account. When configured, Self Service+ will change any specified keychain item passwords as a part of the password change process. For example, this could be used to sync a user's 802.1X Wi-Fi password or application passwords with their network account.
Variables can be used to substitute account information as needed. For a full list of variables supported by Self Service+, see State Settings and User Status for Self Service+. Additionally, you can set an account name to <<ANY>> to skip account name validation; this syncs every login keychain item whose Where value matches, regardless of the account name stored on the item.
You specify which keychain items to update by configuring a dictionary of keychain item names and account names. The Sync Password with Internet Keychain Items (InternetItems) preference is used for internet keychain items, which are represented by their own icon in Keychain Access. All internet keychain items must have the correct internet protocol of http or https to function properly. The Update Keychain Items (PasswordItems) preference is used for password keychain items, which are represented by a different icon in Keychain Access.
Self Service+ can only update keychain items that exist in the user's local login keychain.
The <key> value for both of these preferences corresponds with the Where value of a keychain item in Keychain Access. This may not always match the Name value. The following screenshot shows where to find the Where value of a keychain item:
To confirm an internet keychain item exists, use the security command-line tool. For the username match, use:
security find-internet-password -a "username"
For the internet protocol and server, use:
security find-internet-password -r htps -s hostname.or.IP.address -P 8443
Enter the protocol of your keychain item after -r. Due to text length restrictions, https is reduced to htps. Enter the hostname or IP address of the server you want to sync after -s. Enter the port number located in the Where value of the keychain item after -P; if there is no port number, this argument is optional.
To confirm a password keychain item exists, the equivalent commands are as follows. For the username match, use:
security find-generic-password -a "username"
For the application name, use:
security find-generic-password -l com.my.App
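The following shell script is an added example and is not part of this page or Jamf's own tooling. It ties the two halves of this article together: it derives the security lookup arguments (-r, -s, -P) from a keychain item's Where value so you can confirm the item exists in the login keychain before listing it, and it renders an InternetItems or PasswordItems dictionary as plist XML, showing that <<ANY>> has to be XML-escaped. Assumptions: a Where value has the form scheme://host[:port][/path]; the login keychain is at ~/Library/Keychains/login.keychain-db; the dictionary shape (key = Where value, value = account name) follows this page's description and should be checked against the settings reference; all host names, ports and labels below are constructed sample values.

```shell
#!/bin/sh
# Added example, not Jamf's code. Helpers for checking which login keychain items a
# Sync Password configuration would touch, and for rendering the InternetItems /
# PasswordItems dictionaries. Assumptions: a Where value looks like
# scheme://host[:port][/path]; the login keychain lives at
# ~/Library/Keychains/login.keychain-db; the dictionary shape (Where value -> account
# name) follows the description on this page. All sample values are constructed.

# Map a URL scheme to the four-character protocol code that `security -r` expects.
proto_code() {
    case "$1" in
        https) printf 'htps\n' ;;   # "https" is shortened to "htps"
        http)  printf 'http\n' ;;
        *)     printf 'unsupported scheme: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Turn a Where value into the -r/-s/-P arguments for `security find-internet-password`.
#   https://server.example.com:8443/  ->  -r htps -s server.example.com -P 8443
#   http://intranet.example.com       ->  -r http -s intranet.example.com  (no port, so no -P)
where_to_args() {
    where="$1"
    scheme="${where%%://*}"          # text before "://"
    rest="${where#*://}"             # text after "://"
    hostport="${rest%%/*}"           # drop any path component
    host="${hostport%%:*}"           # host is everything before the first ":"
    port=""
    case "$hostport" in
        *:*) port="${hostport##*:}" ;;
    esac
    code=$(proto_code "$scheme") || return 1
    args="-r $code -s $host"
    if [ -n "$port" ]; then
        args="$args -P $port"        # -P is optional when the Where value has no port
    fi
    printf '%s\n' "$args"
}

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"   # assumed path

# Look up an internet item in the login keychain only (Self Service+ ignores other
# keychains). Off macOS, where `security` is absent, print the command instead.
check_internet_item() {
    args=$(where_to_args "$1") || return 1
    if command -v security >/dev/null 2>&1; then
        # shellcheck disable=SC2086  # args are meant to be word-split
        security find-internet-password $args "$LOGIN_KEYCHAIN"
    else
        printf 'would run: security find-internet-password %s %s\n' "$args" "$LOGIN_KEYCHAIN"
    fi
}

# Password (generic) items are matched by their label (-l), e.g. com.my.App.
check_password_item() {
    if command -v security >/dev/null 2>&1; then
        security find-generic-password -l "$1" "$LOGIN_KEYCHAIN"
    else
        printf 'would run: security find-generic-password -l %s %s\n' "$1" "$LOGIN_KEYCHAIN"
    fi
}

# Escape a value for use inside plist XML; <<ANY>> must become &lt;&lt;ANY&gt;&gt;.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Render one preference dictionary as plist XML: each key is the Where value of a
# keychain item and each value is the account name (or <<ANY>> to skip validation).
# Usage: items_dict InternetItems WHERE ACCOUNT [WHERE ACCOUNT ...]
items_dict() {
    name="$1"; shift
    printf '<key>%s</key>\n<dict>\n' "$name"
    while [ "$#" -ge 2 ]; do
        printf '    <key>%s</key>\n    <string>%s</string>\n' "$(xml_escape "$1")" "$(xml_escape "$2")"
        shift 2
    done
    printf '</dict>\n'
}

# Demonstration with constructed values. An absent item makes `security` exit
# non-zero, which is useful information but should not stop the rest of the demo.
check_internet_item 'https://server.example.com:8443/' || true
check_password_item 'com.example.App' || true
items_dict InternetItems 'https://server.example.com:8443' '<<ANY>>'
items_dict PasswordItems 'com.example.App' 'jsmith'
```

Run the script on the Mac whose login keychain you are configuring: a non-zero exit from security means the Where value (or the protocol/port derived from it) does not match any login keychain item, so listing it under InternetItems or PasswordItems would have no effect. The plist rendering is the part most worth copying: a literal <<ANY>> pasted into a configuration profile's XML is malformed, so the angle brackets must be escaped as shown.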
See the macOS Local Account Management Settings Reference for all keychain settings.