Ahhh, thanks for pointing me in this direction Mike! (WARNING - I.T. STREAM OF CONSCIOUSNESS TO FOLLOW)
Over the past few years I've developed a really quick and simple method to "De-Brewsterize" students' computers once they leave our campus and I promise you it's not that tricky at all. Now, each deployment could vary, however we all have at least the following:
1) Applications and files that the students get to keep. We get to ignore these.
2) Applications and files that the students DON'T get to keep
5) Accounts that need to be elevated (Standard or AD accounts that need to be moved to local administrators)
4) Accounts that need to be removed (JAMF management accounts and or other administrative accounts)
5) The JAMF Binary that needs to be removed
6) The JSS record that needs to be purged.
Fortunately, through some really creative thinking and scripts borrowed and modified from the most intelligent folks here on JAMF Nation we've been successfully accomplishing what you're asking, in production quickly and efficiently. There is ONE and only ONE difference that needs to be mentioned. You are using AD mobile accounts that will need to be converted into standard accounts first. It sounds like you've got a solution for that? If not there are folks here on JAMF Nation that have written up scripts to accomplish that. We avoid AD accounts due to this and other complications.
So. Since I was going to write this up as a white paper for JAMF anyways I may as well vet the content here.
Just as some quick background, Brewster Academy is an international private boarding school in Wolfeboro NH that has the distinction of being the first and longest continually operational 1:1 laptop school that we’ve ever found. Our program started its pilot in 1991 and had full implementation in 1993. In short, we’ve seen just about everything. For the past 4-5 years we’ve been BYOD with basic requirements (all OS X, with the ability to run the latest OS with minimum storage and RAM requirements).
All students image their own computers on the first day of orientation and are de-brewsterized at the end of each year unless they leave early. Each process takes about 4-6 min.
—————— THE PROCESS —————
1) Applications and files that the students get to keep. We get to ignore these.
- For example, we put a variety of software applications like Firefox, Google Chrome, Flash, f.lux, etc. that are either open source or otherwise free. We happily let the student keep these and hence they are ignored during “De-Brewsterization”.
2) Applications and files that the students DON'T get to keep
- So things like, Microsoft Office, Sophos AV, Adobe CC apps, etc. (It’s a long list)
This can get a little tricky until you come to one conclusion. Fall in love with Composer! I create every software installer I can using Composer, saving out as a .dmg which I index using Casper Admin. When you index your .dmg, Casper gives you the ability to uninstall via policy in the same way that you would install any .dmg or .pkg as a policy. Since I’ve spent my time putting together Composer packages I simply need a policy that “un-installs” those apps. No big. Some things get a bit trickier. I’m thinking things like Adobe Photoshop and the like. The good news is that Adobe’s tools for packaging those installers also allow you to create uninstallers, which I cache on students’ computers when any of the Adobe CC apps are installed (either via configuration or Self Service policy). In my De-Brewsterization policy I ask it to run all cached packages, since I only permanently cache uninstallers on students’ computers. There are a few others that have to be installed as .pkg’s and hence will not be available for indexed uninstallation via policy. For these I put together a cleaner script that not only removes anything like that, but also cleans up any left over directories or other small files my uninstaller didn’t get (I’m looking at you Adobe!)
3) Accounts that need to be elevated (Standard or AD accounts that need to be moved to local administrators)
- I include a very simple script to elevate the student's standard account to administrative privileges. I admit, since I use standard accounts and NOT AD, this is a very, very simple bash command in a before script:

```bash
# Add the local "student" user to the admin group (run as root)
/usr/sbin/dseditgroup -o edit -a student -t user admin
```
You are going to have a very different circumstance given that you’re using AD accounts, but as I said, you may already have a solution and others exist here on the forums.
4-5) Accounts that need to be removed (JAMF management accounts and or other administrative accounts) along with the JAMF Binary
I include the following commands in my after script:

```bash
# Quit Self Service first: the students launch this policy from Self Service
killall "Self Service"
# Stop the Sophos UI process that the AV uninstaller leaves running
killall "SophosUIServer"
# Path contains a space, so it must be quoted for rm to see one argument
rm -r "/Applications/Self Service.app"
rm -r /Library/Preferences/com.apple.SoftwareUpdate.plist
# Delete the local management account and its home folder
/usr/sbin/jamf deleteAccount -username admin -deleteHomeDirectory
# Remove the JAMF binary, launch daemons and related framework files
/usr/sbin/jamf removeFramework
```

These should be pretty obvious. This stops the Sophos processes that aren’t automatically quit with the un-installer, and quits Self Service before moving it. This is critical as the students run this policy from Self Service. Then it deletes our administrative user.
5) The JSS record that needs to be purged.
Now, loaded into a .tmp directory during this process is another script that I borrowed from the forums here. It logs into the JSS using an account I created specifically for that purpose. This allows the computer itself to contact the JSS and delete itself based on either UDID or HW address, whichever comes first.

```csh
#!/bin/csh
## It has to be a csh script
# getting UUID: awk splits the ioreg line on double quotes, field 4 is the value
set UUID=`ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }'`
# deleting computer from casper with UUID
# (-k skips TLS certificate verification; "Delete" is the API account, PASSWORD its password)
curl -k -v -u Delete:PASSWORD https://JSS-URL:8443/JSSResource/computers/udid/$UUID -X DELETE
# fall back to the MAC addresses; the JSS API expects dots instead of colons
set CAM=`networksetup -getmacaddress en1 | cut -c18-35 | sed 's/:/./g'`
curl -k -v -u Delete:PASSWORD https://JSS-URL:8443/JSSResource/computers/macaddress/$CAM -X DELETE
set JAM=`networksetup -getmacaddress en0 | cut -c18-35 | sed 's/:/./g'`
curl -k -v -u Delete:PASSWORD https://JSS-URL:8443/JSSResource/computers/macaddress/$JAM -X DELETE
echo
# print the serial number for the log
ioreg -c "IOPlatformExpertDevice" | awk -F '"' '/IOPlatformSerialNumber/ {print $4}'
echo
exit 0
```
and then finally reboots the unit leaving it all nice and clean for the user. It’s now free of our policies and licensed software, with their applications and files all left intact. They even keep the same username and password. The process is extremely quick. Just a few minutes depending on optional software installed and whether or not the unit has an SSD.
Are there improvements I could make… sure. I’m also always open to suggestions, but I’d have to write the process up more formally as I’ve pretty much taken 5 minutes to dump this into the thread and haven’t checked anything for continuity. I sure hope this makes sense. Regardless, please ask questions and poke holes in anything I’ve mentioned. I’ll be formalizing this later when I have a few moments. Hell, I hope I don't have too many grammatical/spelling errors.
;-)
Boy I love working in education!
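The JSS self-deletion step above, as an added example that is not the poster's script: the same UDID-then-MAC lookup written for sh, with the ioreg and networksetup parsing split into functions that can be checked against constructed sample lines, the API account's password kept in a curl netrc file instead of the script body, and certificate verification left on. JSS_URL and the netrc path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's script: the "delete this Mac's JSS
# record" step rewritten for sh, with the ioreg/networksetup parsing split into
# functions so it can be checked against constructed sample output offline.

# Constructed sample lines (not from a real machine) in the format ioreg and
# networksetup print them.
SAMPLE_IOREG_UUID='    "IOPlatformUUID" = "3B2C1D0E-1234-5678-9ABC-DEF012345678"'
SAMPLE_NETWORKSETUP='Ethernet Address: 00:11:22:33:44:55 (Hardware Port: Wi-Fi)'

# Pull the IOPlatformUUID out of `ioreg -rd1 -c IOPlatformExpertDevice` output
# (same field-4 trick as the csh script, with awk splitting on double quotes).
uuid_from_ioreg() {
    awk -F '"' '/IOPlatformUUID/ { print $4 }'
}

# Turn `networksetup -getmacaddress enX` output into the dot-separated form the
# JSSResource/computers/macaddress/ endpoint expects; prints nothing when the
# interface has no MAC, so the caller can skip that lookup.
mac_from_networksetup() {
    awk '/^Ethernet Address: [0-9A-Fa-f][0-9A-Fa-f:]* / { gsub(":", ".", $3); print $3 }'
}

# Build the API URL. JSS_URL is a placeholder the caller sets, e.g.
# https://jss.example.org:8443 (not a real host).
jss_delete_url() {
    printf '%s/JSSResource/computers/%s/%s' "${JSS_URL:-https://jss.example.org:8443}" "$1" "$2"
}

# DELETE one record. The API account's credentials live in a curl netrc file
# (mode 0600) rather than in the script, and TLS verification stays on (no -k).
delete_jss_record() {
    [ -n "$2" ] || return 1
    curl --silent --show-error --fail \
         --netrc-file "${JSS_NETRC:-$HOME/.jss-netrc}" \
         -X DELETE "$(jss_delete_url "$1" "$2")"
}

# Try UDID first, then the en0 and en1 MACs, stopping at the first success.
main() {
    uuid=$(ioreg -rd1 -c IOPlatformExpertDevice | uuid_from_ioreg)
    mac0=$(networksetup -getmacaddress en0 | mac_from_networksetup)
    mac1=$(networksetup -getmacaddress en1 | mac_from_networksetup)
    delete_jss_record udid "$uuid" \
        || delete_jss_record macaddress "$mac0" \
        || delete_jss_record macaddress "$mac1"
}
# Only touch the live machine when invoked as `sh script.sh --run`.
if [ "${1:-}" = "--run" ]; then main; fi
```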