Skip to main content

Hello Jamf Community,

I work with a University. In our department we run Mac labs that act as classrooms for a large variety of classes that are reserved daily. We are redesigning our Mac classroom "build" primarily with Jamf Pro. The biggest hurdle that we face is in determining a user account and maintenance method that meets the needs of our classrooms.

Needs we have:

  • Fast turn around times, 4 classrooms of 30 computers with a 15-minute gap between different classes -- and essentially 3-4 minutes per room to get every computer rebooted and ready for the next class

The previous team that designed our current system had disabled SIP in order to develop a user template that was copied over the existing user account that is used by students upon login with a login-hook. This happens upon restart (initiated by Apple Remote Desktop) and the user is auto-logged in. That worked fine for many years, but some systems have broken upon OS 12 Monterrey (the computers fail to complete 'optimization'). We are intent on moving away from disabling SIP.

 

There are a few special softwares that we need on the computers, and for the most part the settings that we need and the programs that we want installed are all simple enough to manage via the Jamf Pro MDM.

We are currently trying to figure out what the best method will be for managing a user account that will be used by multiple students in any given day (upwards of 8 per day per computer). For example:

  1. Should we create a policy, scoped to the "instructor computer" that runs a script to deletes the user account on computers in a given classroom, and then try to use a new login-hook/agent/daemon that checks for the account's existence and "re"creates it if it is not there? (essentially a different way of doing a user template copy-over)?
  2. Should we attempt to have a single user account, shared by anyone using the computer, that is heavily restricted that we maintain on a regular basis (once a week/month, etc.)? How to handle browser history and data for security with a single account?
  3. Is there an effective way of using a guest login for managing a multi-user computer that has a very fast turnover and maintains functionality?

At our institution, at least, our needs are pretty unique and it has been difficult to discern how others are managing similar systems. Any advice or thoughts from the community on this puzzle are appreciated!

We use jamf connect in our environment, so users sign in with OKTA credentials. I have a script that runs at login that deletes all users (not including management accounts ) apart from the one logging in and a SwiftNotify message telling the user that all user data is routinely deleted, so save things to Google Drive.

#!/bin/bash

######################### WARNING - THIS SCRIPT IS DESTRUCTIVE ##########################
# This script deletes all users not currently logged in or the Jamf Management account.#
# Written by mgrant1@arm.catholic.edu.au, for the use of the Catholic schools office, #
# Diocese of Armidale. 9/12/2022 #
#########################################################################################

#Discover the logged-in user, so we don't accidentally delete them
loggedInUser=$( ls -l /dev/console | awk '{print $3}')
#print logged in user
echo "$loggedInUser is currently logged in."

#Find Users, excluding selected Admin user ($4), and System and Service Accounts
users=$( dscl . ls /Users | grep -v '_' | grep -v 'root' | grep -v 'daemon'| grep -v 'nobody'| grep -v 'csomaclocal'| grep -v $loggedInUser )

echo "Removing User Accounts."

for a in $users; do
#delete user
/usr/bin/dscl . delete /Users/$a > /dev/null 2>&1
echo "$a's user account has been removed."
#Delete User Home Folder
/bin/rm -rf /Users/"$a"
echo "$a's user home folder has been removed."
continue
done

echo "User accounts Removed Successfully."
exit 0



We use jamf connect in our environment, so users sign in with OKTA credentials. I have a script that runs at login that deletes all users (not including management accounts ) apart from the one logging in and a SwiftNotify message telling the user that all user data is routinely deleted, so save things to Google Drive.

#!/bin/bash

######################### WARNING - THIS SCRIPT IS DESTRUCTIVE ##########################
# This script deletes all users not currently logged in or the Jamf Management account.#
# Written by mgrant1@arm.catholic.edu.au, for the use of the Catholic schools office, #
# Diocese of Armidale. 9/12/2022 #
#########################################################################################

#Discover the logged-in user, so we don't accidentally delete them
loggedInUser=$( ls -l /dev/console | awk '{print $3}')
#print logged in user
echo "$loggedInUser is currently logged in."

#Find Users, excluding selected Admin user ($4), and System and Service Accounts
users=$( dscl . ls /Users | grep -v '_' | grep -v 'root' | grep -v 'daemon'| grep -v 'nobody'| grep -v 'csomaclocal'| grep -v $loggedInUser )

echo "Removing User Accounts."

for a in $users; do
#delete user
/usr/bin/dscl . delete /Users/$a > /dev/null 2>&1
echo "$a's user account has been removed."
#Delete User Home Folder
/bin/rm -rf /Users/"$a"
echo "$a's user home folder has been removed."
continue
done

echo "User accounts Removed Successfully."
exit 0




Hi @mickgrant ,

Thanks for sharing your process! I've got a few questions:

  • Is this used in a classroom environment that is shared between multiple different classes, or is it more of an open lab environment where users with credentials can use the computers while they are available?
  • Where do the users receive these credentials? Are the provided through the institution?

We don't currently have access to Jamf Connect (we might soon). Right now we are attempting to discern a way to have a local user account already built when the user arrives, maybe for auto-login with a kcpassword, maybe built upon startup or login; the same account would be deleted upon restart ideally, which would allow a fresh experience each time. 

Your script seems to be efficient at removing previous users after they have logged in with Jamf Connect credentials, while preserving the current user.

Is this script called via a launchd agent/daemon?

Many thanks!

 

@mickgrant 

Alternatively, if we wanted to have a generic standard user account that either auto-logs or has a simple password that everyone logs into, could we simply and relatively securely use a script to simply delete the user data from the account?

And maybe have that script run from a launch agent / daemon?

For example:

 

#!/bin/bash

# create a new folde where the user's home folder contents will temporarily move
sudo mkdir /olduser

# move all contents of the user's home folder to the new folder that was just created
sudo mv /Users/<useraccount>/* /olduser

# remove the user's home folder
sudo rm -rf /Users/<useraccount>/

#recreate the user's home folder
sudo mkdir /Users/<useraccount>/

# set the correct permissions
sudo chown <useraccount>:staff /Users/<useraccount>/

# move the contents of the new folder to the user's home folder
sudo mv /olduser/* /Users/<useraccount>/

# remove the temporary folder that was created
sudo rm -rf /olduser

 

 

Hi,

We have about 4 different computer labs with 20 iMacs in each room.  Currently there are 9 different classes running between them. We have created local accounts for each students and assigned them an iMac which they will use for the duration of the course.  Students have been informed that all files must be saved to OneDrive which is mapped to their desktop. 

Once students leave the course, we remove their account  but keep their files on OneDrive for 3 months just in case any students need them.        

 

Hi,

We have about 4 different computer labs with 20 iMacs in each room.  Currently there are 9 different classes running between them. We have created local accounts for each students and assigned them an iMac which they will use for the duration of the course.  Students have been informed that all files must be saved to OneDrive which is mapped to their desktop. 

Once students leave the course, we remove their account  but keep their files on OneDrive for 3 months just in case any students need them.        

 


Awesome! Thanks for replying and for the details on your lab set up. That sounds like a great approach. The biggest barrier to an approach like this in our set up, and the difficulty we face, is that the students who use the computers may only use them once in the semester (there are nine different departments with upwards of 25 students in upwards of 20 sections per class. A given student may go into one classroom, use the computer once, and only use one other computer in one other classroom the entire semester. A thousand students might make their way though the classrooms. We have a turn around time from class to class of 15 minutes in total, but generally clear a single room and prep it for the next one in 3 minutes.

Awesome! Thanks for replying and for the details on your lab set up. That sounds like a great approach. The biggest barrier to an approach like this in our set up, and the difficulty we face, is that the students who use the computers may only use them once in the semester (there are nine different departments with upwards of 25 students in upwards of 20 sections per class. A given student may go into one classroom, use the computer once, and only use one other computer in one other classroom the entire semester. A thousand students might make their way though the classrooms. We have a turn around time from class to class of 15 minutes in total, but generally clear a single room and prep it for the next one in 3 minutes.


i understand and agree that this approach is not for you.  Using guest account could work but students will need to save to cloud storage before logging off but students can't be trusted to do that each time.  i would suggest exploring jamf connect and have a word with your jamf buddy. 

Reply


Terms & ConditionsCookie settings