Elevating Modifying the Keychain

Authorizationdb Right: system.keychain.modify

This action elevates modification of the System keychain in Keychain Access while the application is running. The right stays elevated for as long as Keychain Access is running; once the application quits, the right is restored to its default.

Advanced message actions such as Approval, Deny, Justification, or Warning should not be used in conjunction with this action.

Example Application: Keychain Access

  1. Using the Policy Wizard, create a controlling policy, click Next Step.

  2. Select Elevate, click Next Step.

  3. Select Run Silently, click Next Step.

  4. Select Executables, click Next Step.

  5. Select Modify Authorization Database, click Next Step.

  6. Select Existing Filter, search for and select the App Bundle filter for Keychain Access. If it doesn't exist, create it.

  7. Click Update.

  8. Click Next Step.

  9. Name your policy, add a description.

  10. From the Right Name drop-down, select Modify System Keychain Authorization Right (system.keychain.modify).

    [Image: keychain]

  11. Click Create Policy.

  12. Set the Inactive switch to Active.

  13. Next to Deployment, click the i icon and run the Resource and Collection Targeting Update task.

What to Expect on the Endpoint

  • With a policy in place and effective, and Keychain Access running, the System keychain icon will appear locked:

    [Image: policy]

    When you right-click the System keychain icon, the Unlock Keychain "System" menu item will appear:

    [Image: policy]

    When you click on Unlock Keychain "System", the System keychain will be unlocked and you can add and delete items without being prompted for admin credentials:

    [Image: policy]

  • Without a policy in place, when Keychain Access is running and you try to unlock or modify the System keychain, it will present this dialog:

    [Image: no policy]
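The two endpoint states above (right elevated while Keychain Access runs, restored to its default afterwards) can be confirmed from the authorization database itself rather than from the Keychain Access UI. The following is an added example, not part of this documentation and not a tool shipped with the product: it parses the XML plist that macOS prints for `security authorizationdb read system.keychain.modify` and reports whether the right currently requires an admin user to authenticate (rule class `user`) or has been rewritten to grant access without credentials (rule class `allow`). The two embedded plist samples are constructed for illustration and are not claimed to be the OS default definition of the right; the `timeout` and `shared` values in them are likewise assumed.

```python
"""Inspect the macOS authorization right system.keychain.modify.

On an endpoint, the current definition of a right is dumped as an XML plist
on standard output by:

    security authorizationdb read system.keychain.modify

This script parses that output and reports whether the right requires an
admin user to authenticate (rule class "user") or grants access without any
credentials (rule class "allow"), which is what an active silent elevation
of the right looks like. Run it before, during and after Keychain Access is
open to observe the elevate-then-restore behaviour described above.
"""
import plistlib
import subprocess
from typing import Optional

# Constructed sample (assumed values, not the OS default): a right that
# requires a member of the admin group to authenticate.
SAMPLE_REQUIRES_ADMIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>user</string>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <true/>
    <key>timeout</key>
    <integer>30</integer>
</dict>
</plist>
"""

# Constructed sample: the same right rewritten so that no credentials are
# required at all. This is the shape to look for when checking whether an
# elevation has been left in place after the application has quit.
SAMPLE_SILENT_ALLOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>allow</string>
    <key>shared</key>
    <true/>
</dict>
</plist>
"""


def parse_right(plist_bytes: bytes) -> dict:
    """Parse the plist printed by `security authorizationdb read` into a dict."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("expected a dictionary at the top level of the right definition")
    return data


def describe_right(right: dict) -> dict:
    """Summarise the rule class of a right and what it means for the user."""
    rule_class = right.get("class")
    return {
        "class": rule_class,
        "group": right.get("group"),
        # "user" rules prompt for credentials of a member of "group".
        "requires_authentication": rule_class == "user",
        # "allow" rules succeed unconditionally: no prompt, no credentials.
        "silently_allowed": rule_class == "allow",
        "shared": bool(right.get("shared", False)),
        "timeout": right.get("timeout"),
    }


def read_right_from_endpoint(right_name: str = "system.keychain.modify") -> Optional[dict]:
    """Query the live authorization database on a Mac; None if the tool is unavailable."""
    try:
        proc = subprocess.run(
            ["security", "authorizationdb", "read", right_name],
            capture_output=True,
            check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return describe_right(parse_right(proc.stdout))


if __name__ == "__main__":
    for label, sample in (
        ("constructed admin-auth sample", SAMPLE_REQUIRES_ADMIN),
        ("constructed silent-allow sample", SAMPLE_SILENT_ALLOW),
    ):
        print(label, describe_right(parse_right(sample)))
    live = read_right_from_endpoint()
    print("live endpoint:", live if live is not None else "security tool not available on this host")
```

On a Mac, running the script while Keychain Access is open under an effective policy and again after quitting it should show the right's class change and then revert, which is the expected behaviour for this action; a right that still reports `silently_allowed` after the application has quit is worth investigating.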