FR: Help the Keychain not Suck

I am well aware that this is not a desirable or fully accomplishable task.

With ADPassMon, we previously disabled the Mac's built-in Keychain sync ability (defaults write ~/Library/Preferences/com.apple.keychainaccess SyncLoginPassword -bool false) so we could present the user with our own message via the application and update the keychain this way.

There are two problem's with Apple's current way of handling the Keychain not being in sync. The message has very small text and while it does explain that the user has to enter their old password in order to update the Keychain, the window that appears after clicking "Update the Keychain" does not reinforce this fact and since most people disregard this initial message in the first place, this causes problems.

There are a number of things I would like to see to help alleviate this problem:

1. I would like NoMAD to automatically check on launch whether or not the user's Keychain password is in sync. This might interfere with the current implementation of the UPCAlert and/or SignInWindowOnLaunch and as such priority for the Keychain would have to be established. In my experience if the Keychain is not in sync and the user goes through the UPCAlert Sign-In process, NoMAD will get stuck and stop responding (I'm going to make this a separate issue).

• One of the challenges when the user's Keychain is not in sync, is that messages that are configured to appear in the middle of the window fall secondary to any application prompts that might also appear. So even in the case of ADPassMon, you would have to move the OS's Keychain prompt(s) in order to access the application's generated Keychain message.

2. When the user's Keychain is not in sync, present a prompt with a default message or one specified via NoMAD preferences (KeychainSyncMessage) and have this appear immediately below the NoMAD menu item at the top in order to get around the issue mentioned above. In this message I'm looking to accomplish the following:

• Message that quickly tells the user what the problem is (or custom message) with a single "Fix Keychain" button.

3. Clicking "Fix Keychain" would open a second window, much like the existing Change Password window, albeit for the Keychain with two buttons to allow the user to either "Update Keychain" or "Create New Keychain".

• The Update Keychain button would only be accessible after entering their old password and new & verify password.
• The Create New Keychain button would always be available (but not the default button) so users would have to manually choose to start from scratch.

4. The following possible actions would occur based on the information the user entered:

• Selects Update Keychain - If their current password was incorrect (aka did not unlock the keychain), present a message indicating this and suggest creating a new keychain if they don't remember.
• Selects Update Keychain - If their new / verify password were incorrect, present a message indicating this.
• Selects Update Keychain - If their new / verify password did not match, present a message indicating this.
• Selects Update Keychain - If all was correct, unlock and update user's Keychain password and present a message indicating if this completed successfully. Make a note that you will likely need to click "Cancel" on any existing Keychain related messages.
• Selects Create New Keychain - present window informing the user that any of their previously saved passwords on the machine will be gone and force the user to confirm this: two buttons "Update Keychain" and "Cancel". If verified, create new Keychain for user and inform them of the successful creation of the new Keychain

5. Lastly, if possible, make the possible results & messages for some of the described actions above into their own preferences:

• KeychainNotInSyncMessage
• KeychainSyncUpdateSuccessMessage
• KeychainSyncUpdateFailMessage
• KeychainSyncCreateNewVerifyMessage

Just to be clear, this is "perfect world" for me. I would love other ideas to fix a problem that I know has long been an issue for Mac Admins.

Very well organized! So thanks for much for putting this flow down.

In order:

1. We have the detection going, so that's easy. I'll have some thoughts on the interaction of this with UPCAlerts. That needs to be cleaned up regardless. Also, I can check for a locked keychain before showing the sign in window, so that's not too hard.

2. By prompt you mean a window? Just move it away from the center of the screen so it isn't hidden, or, alternatively, make sure it's in front of the Apple prompt. And a Notification here isn't enough, I'm guessing?

3. Remove any "cancel" button?

4. Most of this was already in the plans. I do like the idea of warning them if they pick a new keychain, that everything else is going away.

5. That's a good list, and also solves the localization problem, at least sort of. Adding in all this new text into the UI will require localizing it, so having pref keys for everything allows people to localize on their own until we can get it done properly.

We have the detection going, so that's easy. I'll have some thoughts on the interaction of this with UPCAlerts. That needs to be cleaned up regardless. Also, I can check for a locked keychain before showing the sign in window, so that's not too hard.

I know ADPassMon did this, but sometimes for whatever reason it wouldn't appear. You'd have to manually choose "Refresh Kerberos Ticket" to then get the Keychain prompt window to appear which our users wouldn't know to do.

By prompt you mean a window? Just move it away from the center of the screen so it isn't hidden, or, alternatively, make sure it's in front of the Apple prompt. And a Notification here isn't enough, I'm guessing?

Yes, I mean a dialog window. At least with the latest 1.0.5 beta I've tested, the window currently appears to the bottom left. Ideally, if it can be put in front of the OS process keychain prompts that would be awesome. If that's not possible, in my mind it should be at the top of the screen in the middle.

Is it possible that if the NoMAD dialog window for the Keychain that is currently the "active" window becomes inactive (the user clicks into Google Chrome, for example) could NoMAD make itself active again, thereby really forcing the user to deal with this?

Remove any "cancel" button?

Most definitely. Having the option to ignore this only causes more issues.

Most of this was already in the plans. I do like the idea of warning them if they pick a new keychain, that everything else is going away.

Excellent. This wouldn't be so critical for our students, but definitely for our Faculty.

mentioned in issue #164

changed milestone to %V. 1.1

will be adding this to v. 1.1

Just to add on progress of this feature, I like the box that appears when the new password does not meet the requirements, but I think it could be better.

• Because the password requirements not met text is in a text box, it can be deleted and is not as easy to close - there's no x or button to press. The text also doesn't have great spacing at the top (see image) and is missing grey lines along the top and right side of the text box.

• When more than 4 password requirements are not met, the additional requirements aren't displayed unless you click in the text box and press the down arrow. For whatever reason you can't scroll.

I really like the fact that the question mark button in the Change Password window displays a dialog box that slides from the top with a button. Both the presentation and the ease of closing the window is better.

• Scroll bars should be easy to add to the popup, so that should help

• I'm open to doing this a better way, however. Things that the popup have going for it 1) it matches the Apple style in the Accounts pref pane, although I'm not sure how many users have actually used that, 2) it doesn't take the focus completely away from the password field.

Doing this via a whole new window, like the password policy, would be easy... However, it may be a bit jarring to the user.

Thought - move the box that appears to the right (rather than displaying above the password field) and have it appear immediately to indicate with green check / red X when each password element is met or not. Similar to below. This way the requirements are clearer and shows the user as they're typing what's good or not, rather than displaying the message when the complexity is not met.

I've learned that this functionality is moving out of NoMAD into Keychain Minder. We desperately need this functionality either way, as this is easily the major pain-point we experience in our AD environment with Macs.

Here's the stand alone Keychain Minder:

https://gitlab.com/Mactroll/KeychainMinder

And a binary of the initial release: KeychainMinder-1.0_1_BETA.zip

Is there a rough timeline of when an official Keychain Minder release will be available?

I have the NoMAD config side of things ready as far as changing passwords go (that is until the File Shares functionality is released), so am just waiting for Keychain Minder to fix the *#$! Keychain lock problem XD. Really looking forward to having the same awesome customization that's currently available in NoMAD.

Is the thought to have Keychain Minder be 100% independent of NoMAD, or will there be some tie-in between the two?

Given that this won't be a part of NoMAD at all, should I close this issue? Or is there a way to migrate to the Keychain Minder project? Not sure what would be most helpful to you.