For years we used a logouthook to remove Student homefolders on logout. after some issues in high sierra we created a combination of launchagents/deamons to accomplish this. But in Mojave we encounter the operation is not permitted when de script tries to delete the homefolder. this is caused by the new PPPC security.
How can i whitelist a script so it is able to completely remove the homefolder(s) on logout? i know you can do some tweaking with a pppc policy but really dont know how this works in our situation.
Solved
Removing user home folder on logout Mojave
+6Best answer by mediacollege
After trying several methods i concluded that non of the commands where reliable, the homefolder wasn't removed all the time so i came up with this script which tries to delete the homefolder and if this failes, it will retry several attempts. For us it seems to work, maybe not the most efficient solution but it seems to be more reliable.
#!/bin/sh /usr/local/bin/jamf deleteAccount -username studentsecond attempt
if [[ -e "/Users/Student" ]]; then sysadminctl -deleteUser student chflags -R nouchg /Users/student chmod -R 777 /Users/student rm -Rf /Users/student fithird attempt
if [[ -e "/Users/Student" ]]; then /usr/local/bin/jamf runScript -script removehomedir.sh -path /Library/Scripts/ fifourth attempt
if [[ -e "/Users/Student" ]]; then /usr/local/bin/jamf deleteAccount -username student fi /usr/local/bin/jamf createAccount -username "student" -realname "Student" -password "" -picture /Library/User Pictures/Fun/Ma.png exit
+15We have a similar procedure (we have a rolling delete that keeps the last X users just in case something goes awry). You need to delete the account first, then it will release the home directory. Following is the salient portion of my script (there are some variables defined elsewhere, but I think they are fairly obvious, let me know if not):
# delete user
/usr/bin/dscl . delete "${baseDirectory}${homeFolder}" > /dev/null 2>&1
# delete home directory
/usr/bin/chflags -Rf nouchg "${baseDirectory}${homeFolder}"
/bin/rm -Rf "${baseDirectory}${homeFolder}"
WriteLog "PurgeOldHomes" "${baseDirectory}"${homeFolder}" was deleted"Thanks for your reply. I came up with this logouthook script:
delete user
/usr/bin/dscl . delete /Users/student
delete home directory
/usr/bin/chflags -Rf nouchg /Users/student
/bin/rm -Rf /Users/student
create user
/usr/bin/dscl . create /Users/student
/usr/bin/dscl . create /Users/student shell /bin/bash
/usr/bin/dscl . create /Users/student RealName "student"
/usr/bin/dscl . create /Users/student UniqueID "1010"
/usr/bin/dscl . create /Users/student PrimaryGroupID 20
/usr/bin/dscl . create /Users/student NFSHomeDirectory /Users/student
/usr/bin/dscl . create /Users/student picture "/Library/User Pictures/Fun/Ma.png"
/usr/bin/dscl . passwd /Users/student ""
Still needs some testing but it seems to do the Job.
Thanks!
I think it's something like:
sysadminctl -deleteUser username
you can add -secure to securely delete the folder if you want to.
+6Yes i tried that but the homefolder is not deleted, it must be run as root. maybe it will work if i let a Launchdeamon launch the script but haven't tried that yet.
With dscl it seemed to work but it's not reliable. it doesn't always delete the folder so i need to find a way to make it reliable.
The Jamf binary is granted access by default for enrolled devices. You should be able to use it to remove the user and the home directory on logout.
/usr/local/bin/jamf deleteAccount -username student -deleteHomeDirectory
+8I've been using a script on logout to remove any home directories other than the ones specified in the script. I just started testing it with Mojave and all seems to work. However I've found that it deletes the contents of the home folder first on logout and then will delete that folder after another restart or when another user logs in and logs out..
+6I tried using a launchdeamon to launch the script but it resulted in:
"it's either last admin user or last secure token user neither of which can be deleted"
However thanks to the suggestion of jcarr is was able to delete the useraccount.
+6This is what i came up with:
The logouthook:
touch /Users/Shared/studentloggedout
The Launchdeamon:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.ma.cleanuphomedirwatcher.plist</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Scripts/cleanuphomedir.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
the script:
!/bin/sh
if [ -f /Users/Shared/studentloggedout ];
then
/usr/local/bin/jamf deleteAccount -username student -deleteHomeDirectory
sysadminctl -addUser student -fullName "student" -password "" -picture /Library/User Pictures/Fun/Ma.png
pkill loginwindow
rm -f /Users/Shared/studentloggedout
else
exit 0
fi
exit
+6Above launchdeamon approach seemed to work fine but after restart the system hangs at startup. i geuss the script is not finished in time before the restart takes place.
Seems like the best option is to use the good old logouthook to run:
/usr/local/bin/jamf deleteAccount -username student -deleteHomeDirectory
sysadminctl -addUser student -fullName "student" -password "" -picture /Library/User Pictures/Fun/Ma.png
Is there a way to make Jamf just delete the homedirectory? it is not neccesary to delete the user, so the re-creation of the user can be skipped.
+7We are using a Script to delete the Home Directory on Logout. From 10.14 onwards the following PPPC Whitelist is necessary for it to work.
+6After trying several methods i concluded that non of the commands where reliable, the homefolder wasn't removed all the time so i came up with this script which tries to delete the homefolder and if this failes, it will retry several attempts. For us it seems to work, maybe not the most efficient solution but it seems to be more reliable.
#!/bin/sh /usr/local/bin/jamf deleteAccount -username studentsecond attempt
if [[ -e "/Users/Student" ]]; then sysadminctl -deleteUser student chflags -R nouchg /Users/student chmod -R 777 /Users/student rm -Rf /Users/student fithird attempt
if [[ -e "/Users/Student" ]]; then /usr/local/bin/jamf runScript -script removehomedir.sh -path /Library/Scripts/ fifourth attempt
if [[ -e "/Users/Student" ]]; then /usr/local/bin/jamf deleteAccount -username student fi /usr/local/bin/jamf createAccount -username "student" -realname "Student" -password "" -picture /Library/User Pictures/Fun/Ma.png exit
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.