So here's what I've experienced:

On a Macintosh bound to an Active Directory server _and_ with an MDM profile 
that requires a passphrase that conforms to a particular recipe.

The user(s) had been in this enterprise for a long time; over time the security 
team had tightened the requirements for new passphrases but allowed existing 
passphrases to remain valid.

When the machines were updated to Sierra, the MDM profile requiring the new, 
stronger passphrases prevented the Keychain from being satisfied with the 
older, less secure passphrase. Might have been a bug with the MDM vendor, I 
don't know.

The solution I used was to have the users change their passphrase to conform to 
the new security recipe. After that the machines behaved normally without 
keychain prompts.

If your enterprise has an online form to change your directory passphrase, you 
might be able to test the theory by entering your existing passphrase in the 
"new passphrase" field and see if it's accepted (again, depending on the 
systems you have in place; a well-designed system will give a failure message 
when you tab out of the field).

Or you can just change your directory password to something that satisfies 
current enterprise policies and see if that solves your issue.

The newer you are in your employment the less valid this theory, but that's 
none of my business.


> On Mar 30, 2018, at 11:04 AM, Dinse, Gregg (NIH/NIEHS) [C] 
> <> wrote:
> At the bottom of the Login Options panel, there is a line that I don't 
> remember seeing before.  It says "Network Account Server" with an entry for 
> NIH and a green dot, so I'm guessing that my machine is bound to a directory 
> server, as you suggested.
> Is this requirement to provide a password just the cost of doing business 
> this way?  I doubt that I am allowed to change this.
> Thanks,
> Gregg
> On 03/30/2018, 1:59 PM, "David Schwartz" <> wrote:
> Yes there is. 
> System Preferences->Users & Groups->Login Options. 
> If you don’t use the same login and password to log into other Enterprise 
> resources (servers, web apps, etc) then it’s probably not. 
>> On Mar 30, 2018, at 10:55 AM, Dinse, Gregg (NIH/NIEHS) [C] 
>> <> wrote:
>> It certainly could be, but I do not know how to check.  Is there a simple 
>> way to check this?
>> On 03/30/2018, 1:53 PM, "David Schwartz" <> wrote:
>> Is your machine bound to a directory server?
>>> On Mar 30, 2018, at 10:51 AM, Dinse, Gregg (NIH/NIEHS) [C] 
>>> <> wrote:
>>> Hi,
>>> I am running MacOSX 10.12.6 (Sierra) on a mid-2010 Mac Pro tower.  I 
>>> recently upgraded from 10.10 to 10.12 and my problem started about that 
>>> same time, though this is on my machine at work, so I don't know if this is 
>>> related to the OS upgrade or some other change that the IT folks may have 
>>> implemented.
>>> Now when I start up Safari, I often get a panel that pops up and says 
>>> "Safari wants to use the Local Items keychain" and requires me to enter a 
>>> password.  This never happened until recently.  It's not a big deal to 
>>> enter a password, but I'm curious about why this is now happening and I 
>>> would prefer to not have to enter a password (about half of the time I 
>>> start up Safari).  Does anyone know what is going on and how to fix this?
>>> Thanks,
>>> Gregg

MacOSX-talk mailing list
